"We strongly disagree with the ‘one size fits all’ approach" taken by a proposed regulation that would require institutions regulated by the New York State Department of Financial Services to establish and maintain a cybersecurity program, states a letter from the Independent Bankers Association of New York State and the Independent Community Bankers of America. Their letter to the DFS stresses that limited resources are a concern for community banks. The organizations contend that the DFS proposal does not reflect that those banks set their risk parameters and determine how best to allocate resources to combat cyber threats in accordance with their own risk assessment.
DFS proposal. The proposed regulation would require New York banks, insurance companies, and other financial services
institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity
program designed to protect consumers and ensure the safety and soundness of the state’s financial services
industry. In a press release announcing the proposal, Governor Andrew M Cuomo called it a "first-in-the-nation"
regulation that would protect New York State from the ever-growing threat of cyber-attacks.
Groups' response. The organizations object to the proposal’s application of a "uniform and unequal application of risk mitigation tactics" to community banks, some of which "may go beyond the risk profile of the institutions." They urge the DFS to allow community banks to adopt a reasonable risk assessment tool that would be used by the DFS in conducting an examination for compliance with the cybersecurity regulations.
In addition, the letter states, the DFS proposal does not recognize that community banks may participate in shared resource arrangements to achieve compliance and economies of scale. The organizations believe that the DFS should encourage information sharing through the existing channels, such as those promoted by the federal Cybersecurity Information Sharing Act of 2015, rather than mandating excessive reporting requirements.
The groups conclude by requesting that the DFS not issue a final rule but, instead, issue a revised proposal incorporating their comments and requesting additional comments from the industry.
For more information about cybersecurity for financial institutions, subscribe to the Banking and Finance Law Daily.