Small financial institutions in New York must comply with the state’s first-in-the-nation cybersecurity rules, but some have missed the chance to apply for exemptions in the more than one year since the rules took effect.
Others are short on the resources, know-how and financial muscle to take advantage of the exemptions or to fully comply with the financial industry cybersecurity rules.
Still, the New York Department of Financial Services requires compliance with the cybersecurity rules, which govern financial institutions, including banks, insurance companies, and other businesses.
The rules were created to enhance the protection of consumer information held by banks and other financial institutions and to boost the overall cybersecurity of the financial ecosystem. They require covered entities to implement security safeguards, protect consumer data privacy, provide oversight of information technology operations, and assess cybersecurity vulnerabilities on an ongoing basis, among other requirements.
Smaller financial institutions are immune from some requirements if they fall under specific exemptions, such as having fewer than 10 employees, less than $5 million in gross annual revenue over the past three fiscal years in New York, or less than $10 million in end-of-year assets. Such financial companies don’t have to appoint a chief information security officer, maintain security systems for an audit trail, or have a preparedness plan for secure development of in-house applications, among other things.
However, these financial companies, such as small banks and insurers, have to file a notice with the NYDFS within 30 days after the company determines it meets one of the limited exemptions. Many have been unaware of the exemption rules or lack the financial resources and human capital to meet the requirement, attorneys said.
Many financial institutions that could have filed an exemption notice didn’t and would be on the hook to comply with the state agency’s rules. They “will continue to struggle” with whether they have to comply with various New York cybersecurity rules, Theodore P. Augustinos, co-chair of the privacy and cybersecurity practice group at Locke Lord LLP in Hartford, Conn., told Bloomberg Law.
The NYDFS and larger financial institutions can help smaller companies through webinars, best practices, regulatory alerts, and continuing education, he said. The NYDFS says Superintendent Maria T. Vullo will enforce the rules “under any applicable laws.” There have been no formal enforcement actions under the NYDFS cybersecurity rules.
For smaller financial institutions, “the cost of compliance becomes an issue,” Mark Krotoski, cybersecurity partner at Morgan, Lewis & Bockius LLP in Palo Alto, Calif., told Bloomberg Law. NYDFS should consider expanding the scope of the exemptions to help small financial entities follow the regulations and improve their cybersecurity protections, he said.
Smaller institutions have been left questioning how to use limited funds and employee resources to satisfy the various cybersecurity regulations, Krotoski said.
For any financial institution, following a reasonableness standard, even when it may violate a rule, may help limit or even halt New York enforcement action, attorneys said.
“Regulators want to see reasonable steps taken and a committed strategy” to follow the financial sector cybersecurity rules, Krotoski said. The NYDFS will be much more sympathetic if a financial institution took a measured and “tailored approach to promote stronger cybersecurity,” he said.
“DFS’s cybersecurity regulation, the first comprehensive, risk-based cyber security regulation in the nation, addresses key risks to the integrity of New York’s financial system and the safety of consumers’ private data,” Vullo told Bloomberg Law in an email.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Barbara Yuill at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.