Small Financial Companies Struggle With N.Y. Cybersecurity Rules


By Daniel R. Stoller

Small financial institutions in New York must comply with the state’s first-in-the-nation cybersecurity rules, but some have missed the chance to apply for exemptions in the more than one year since the rules took effect.

Others are short on the resources, know-how and financial muscle to take advantage of the exemptions or to fully comply with the financial industry cybersecurity rules.

Still, the New York Department of Financial Services requires compliance with the cybersecurity rules, which govern financial institutions, including banks, insurance companies, and other businesses.

The rules were created to enhance the protection of consumer information held by banks and other financial institutions and to boost the overall cybersecurity of the financial ecosystem. They require covered entities to implement security safeguards, protect consumer data privacy, provide oversight of information technology operations, and assess cybersecurity vulnerabilities on an ongoing basis, among other requirements.

Smaller financial institutions are exempt from some requirements if they fall under specific exemptions, such as having fewer than 10 employees, less than $5 million in gross annual revenue over the past three fiscal years in New York, or less than $10 million in end-of-year assets. Such financial companies don’t have to appoint a chief information security officer, maintain security systems for an audit trail, or have a preparedness plan for secure development of in-house applications, among other things.

However, these financial companies, such as small banks and insurers, have to file a notice with the NYDFS within 30 days after the company determines it meets one of the limited exemptions. Many have been unaware of the exemption rules or lack the financial resources and human capital to meet the requirement, attorneys said.

Many financial institutions that could have filed an exemption notice didn’t and would be on the hook to comply with the state agency’s rules. They “will continue to struggle” with whether they have to comply with various New York cybersecurity rules, Theodore P. Augustinos, co-chair of the privacy and cybersecurity practice group at Locke Lord LLP in Hartford, Conn., told Bloomberg Law.

The NYDFS and larger financial institutions can help smaller companies through webinars, best practices, regulatory alerts, and continuing education, he said. The NYDFS says Superintendent Maria T. Vullo will enforce the rules “under any applicable laws.” There have been no formal enforcement actions under the NYDFS cybersecurity rules.

Small Banks: Take Reasonable Action

For smaller financial institutions, “the cost of compliance becomes an issue,” Mark Krotoski, cybersecurity partner at Morgan, Lewis & Bockius LLP in Palo Alto, Calif., told Bloomberg Law. NYDFS should consider expanding the scope of the exemptions to help small financial entities follow the regulations and improve their cybersecurity protections, he said.

Smaller institutions have been left questioning how to use limited funds and employee resources to satisfy the various cybersecurity regulations, Krotoski said.

For any financial institution, following a reasonableness standard, even when it may violate a rule, may help limit or even halt New York enforcement action, attorneys said.

“Regulators want to see reasonable steps taken and a committed strategy” to follow the financial sector cybersecurity rules, Krotoski said. The NYDFS will be much more sympathetic if a financial institution took a measured and “tailored approach to promote stronger cybersecurity,” he said.

“DFS’s cybersecurity regulation, the first comprehensive, risk-based cyber security regulation in the nation, addresses key risks to the integrity of New York’s financial system and the safety of consumers’ private data,” Vullo told Bloomberg Law in an email.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Barbara Yuill at byuill@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
