N.Y. Rule Could Be Model for Cyber-Collaboration

By Richard Hill

New York financial regulators’ outreach efforts while developing new cybersecurity rules could serve as a model for harmonizing existing regulations elsewhere.

Conformity is key, cyber lawyers say, because the volume of cybersecurity edicts issued in the last two years by more than a dozen regulators worldwide is causing compliance fatigue at financial services firms and may be compromising their security.

Many entities are diverting crucial resources to comply with myriad requirements—sometimes inconsistent, sometimes duplicative—at the expense of keeping themselves and their customers safe from cyberattack, cyber lawyers say.

“The landscape is littered with different standards,” said Nathan Taylor, a Washington-based partner at Morrison & Foerster LLP who specializes in cybersecurity matters. “There are layers and layers and layers of standards.”

Regulatory Convergence

The New York Department of Financial Services sent letters to 19 other financial regulators asking for cooperation in the hopes of reaching “regulatory convergence” before drafting its cybersecurity rules in 2015.

The final rules, which went into effect March 1, still duplicate some existing requirements, but lawyers, industry groups and others praised the department for at least considering the burdens that come with regulatory overlap.

“It seems like they did take more of a consultative approach and tried to make sure it had some melding with the guidance that’s already out there,” Megan Gordon, a Clifford Chance partner in Washington who has written on the New York rule, told Bloomberg BNA. “It does seem like they did build off the back of some of the existing practices and that they did reach out to other regulators as they were [drafting] their rules.”

Joseph Vitale, a partner at Schulte Roth & Zabel LLP, New York, who represents banks and other regulated financial institutions, agreed that the New York rule shows the department’s attempt “to be somewhat consistent with the principles set forth by other authorities,” including federal banking regulators and the National Institute of Standards and Technology’s cybersecurity framework.

Big Push

Cybersecurity has gained urgency as businesses and governments increasingly have been victims of malicious computer hacking. Large investment banks are spending upwards of $500 million a year on cybersecurity efforts.

U.S. regulators including the Commodity Futures Trading Commission, the Federal Reserve Board and state agencies and their foreign counterparts have adopted or proposed rules and guidance in the last 18-24 months on how banks, exchanges, clearinghouses, data repositories and other critical financial entities should protect themselves from cyberattacks.

The edicts include requirements for cybersecurity procedures and information security officers, identifying vulnerabilities, making reports, monitoring and testing and managing third-party vendors.

The Securities and Exchange Commission went first in late 2014. Since then, new requirements have followed around the world on nearly a monthly basis, said Tom Wagner, managing director for financial services operations at the Securities Industry and Financial Markets Association.

“We’re at the point that it’s really starting to create a risk because we’re having to pull key cyber-resources off the front lines—people who should be building cyber-defenses—and having them juggle regulatory demands,” Wagner said.

Multiple Guidance ‘a Challenge.’

With more than a dozen authorities with differing perspectives issuing regulations, “the guidance tends to differ,” said Stephen Scharf, chief security officer for Depository Trust and Clearing Corp. “Sometimes it does create a challenge.”

“If a regulator calls in a financial institution to talk cybersecurity today, the first thing out of the financial institution’s mouth is undoubtedly going to be, ‘We’re dying here,’” Taylor said. They say it becomes about “compliance and fatigue. We’re spending more time trying to demonstrate compliance than we are critically thinking about” cyber-defense.

Financial services firms spend approximately 40 percent of their cybersecurity efforts on compliance as opposed to security, according to figures cited by SIFMA and the American Bankers Association. SIFMA and the ABA said in a February letter to prudential banking regulators about proposed cybersecurity rules that “substantial resources are already being invested in complying with regulatory requirements rather than directly targeting security risks.”

Overlapping regulations from a dozen or more regulators require banks “to spend more time complying with the law in a manner that might not actually be efficient in terms of trying to mitigate cybersecurity threats,” said Douglas Johnson, ABA senior vice president for cybersecurity policy. Harmonization would allow institutions to spend less on compliance and more on “really understanding the threats they face,” he said.

DTCC, ABA, SIFMA and others have been communicating their concerns to regulators around the world, and authorities might be hearing the message. The Fed, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. were praised for proposing rules jointly in December.

“It shows three banking regulators putting their heads together to come up with a consistent approach,” Joseph Facciponti, special counsel at Cadwalader Wickersham & Taft LLP, New York, said in an interview.

Is Harmonization Realistic?

Global harmonization, however, may not be realistic—or even desirable, Taylor said. “It might run the risk of watering things down,” he told Bloomberg BNA, saying compromise could result in very general requirements of limited utility.

“It’s important to be aware of what other regulators are doing, but you’re going to make your own decision about what you think is appropriate. Just because Singapore or The Netherlands make one choice, you might not agree with that choice,” Taylor said.

Rules’ Common Themes

Facciponti said that while there may not be global harmonization, rules often have “common themes.” For instance, most regulators require entities to have a senior-level cyber point-person, but use different nomenclature to describe that role.

Other common themes include requiring written policies and procedures, mandating internal and external risk-assessments, and taking a hard look at threats posed by outside vendors, he said.

Hartford, Conn.-based Michelle DeBarge, who co-chairs the cybersecurity and privacy group at Wiggin and Dana LLP and specializes in health-care law, said that while there are common themes, regulators are becoming more “granular”—more specific and less flexible—in their requirements.

“When you start getting more prescriptive, this issue about balancing the complexities and the differences in the regulations becomes harder,” DeBarge told Bloomberg BNA. “When you get to that point, sometimes you have organizations that say, ‘it’s just not practical to make all this jibe, so we have to do the best we can.’”

To contact the reporter on this story: Richard Hill in Washington at rhill@bna.com

To contact the editors responsible for this story: Phyllis Diamond at pdiamond@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.