Banks Unsure Ahead of N.Y. Cybersecurity Compliance Deadline

By Daniel R. Stoller

Banks are uneasy over unclear compliance standards and possible enforcement of New York financial services cybersecurity standards they must meet by Aug. 28, data security attorneys and cybersecurity professionals told Bloomberg BNA.

Banks and financial service companies should make a good faith best effort to meet the compliance deadline regardless of any uncertainty because the New York State Department of Financial Services (NYDFS) is taking seriously its cybersecurity oversight role.

Aug. 28 marks the end of a 180-day transitional period for covered banks and financial institutions to create and maintain a cybersecurity program approved by their boards or a senior corporate official, appoint a chief information security officer (CISO), limit access privileges to nonpublic data and periodically review the process, and implement guidelines to notify the state regulator within 72 hours of cybersecurity or data security incidents.

NYDFS Superintendent Maria T. Vullo told Bloomberg BNA Aug. 25 that the deadline “marks a significant milestone in protecting the financial services industry and the consumers” from rising cyberthreats. Because there is no “comprehensive federal cybersecurity policy” in the financial services industry, “New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”

The NYDFS cybersecurity regulations cover nearly every large U.S. bank, including JPMorgan Chase & Co., Citigroup Inc., and Bank of New York Mellon Corp. Hundreds of other banks and financial institutions also fall under the regulations’ purview. The regulator set minimum cybersecurity standards for covered banks and financial institutions that aren’t “overly prescriptive,” so that companies can “match the relevant risks and keep pace with technological advances,” the rules say.

However, data security attorneys and cybersecurity professionals told Bloomberg BNA that the rules are vague and lack clear compliance guidance, so they may actually hamper banks and financial institutions rather than help boost their security protections.

Mike Stiglianese, financial services industry lead at consulting company BDO National Technology & Cybersecurity in New York, told Bloomberg BNA Aug. 25 that a lack of clarity in compliance standards, including in the data breach notice and CISO provisions, “is slowing down the entire process.” Banks and financial institutions, especially small- and medium-sized ones, currently don’t know how New York will enforce the rules in the event of noncompliance, he said. “Will the penalties be strict financial fines or small slaps on the wrist?”

But the rules could also “institutionalize best practices” for bank cybersecurity and data security programs, Ojas Rege, chief strategy officer at software company MobileIron Inc. in Mountain View, Calif., told Bloomberg BNA Aug. 25. If a covered organization has a “robust cybersecurity program in place, which most do, it will be able to meet the regulatory hurdle without major program changes.” For those that don’t have an enhanced cybersecurity program, it will help set baseline protections to guard against rising financial services cyberattack risks, he said.

Bank Size Matters

Mark Krotoski, cybersecurity and privacy partner at Morgan, Lewis & Bockius in Palo Alto, Calif., told Bloomberg BNA Aug. 25 that the rules are “very prescriptive and mandate specific requirements.” Many financial companies have been adopting cybersecurity solutions tailored to their specific needs that may not be the same as the mandates of the New York rules, and that will bring “high costs to comply,” he said.

Tom Kellermann, CEO of cybersecurity investment strategy company Strategic Cyber Ventures in Washington and former member of the Commission on Cybersecurity under former President Barack Obama, told Bloomberg BNA Aug. 24 that the cybersecurity rules treat all banks the same even though “not all institutions are equal when it comes to their” cybersecurity protections. Banks such as “Citi and Bank of America” are “more digital and proactive” in their cybersecurity efforts and need less regulatory oversight, he said. But for other financial institutions, the rules might not be sufficiently proactive, he said.

Lawrence R. Hamilton, banking and finance partner at Mayer Brown in Chicago and a member of the firm’s cybersecurity and data privacy practice, told Bloomberg BNA Aug. 25 that companies that are in compliance with the rules “will be in much stronger legal position if they ever get hacked, because they will be able to show they measured up to an objective cybersecurity standard.”

Stiglianese said small- and medium-sized banks and financial institutions see some provisions of the rules, such as the dedicated CISO requirements, as burdensome. Where they may have considered that role as an additional duty for an information technology professional, they must now understand that the CISO “is responsible for designing cybersecurity programs that are sufficient and enforceable,” he said.

Enforcement

Hamilton, who leads Mayer Brown’s insurance regulatory practice, said the rules have given banks and financial institutions “a yardstick to show that they took reasonable steps to manage their cyber risks — and reduce their chances of being hit with regulatory sanctions or big verdicts in private lawsuits.”

Banks and financial institutions “need to take the NYDFS cybersecurity regulations seriously, because the NYDFS is taking it seriously,” Hamilton said. There will be growing pains, “but everyone needs to be making a serious, good faith effort” to comply, he said.

Krotoski said financial institutions are “hopeful” that the NYDFS will issue enforcement guidance. Noncomplying banks can generally expect to face “fines, compliance program reviews, reporting requirements, and sometimes injunctive relief,” he said.

Stiglianese said the NYDFS may look favorably on “management awareness” and “conscious business decisions” regarding cybersecurity. Companies that prepare may face enforcement actions “that are less severe,” he said.

Companies face a Feb. 15, 2018, deadline to certify to the NYDFS their compliance with the cybersecurity rule.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the NYDFS cybersecurity rules is available at http://src.bna.com/r0w.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.