Friday, November 18, 2016

Trades Call for Changes to New York’s Proposed Cyber Regs

In a joint letter with twelve other financial and insurance groups, ABA raised concerns about a new set of cybersecurity regulations proposed by the New York Department of Financial Services. The proposed rules require New York-chartered financial institutions to establish a cybersecurity program with written policies and procedures, designate a chief information security officer and meet a number of additional requirements including annual penetration testing, periodic reviews of access privileges and annual risk assessments. The proposal is the first of its kind from a state-level regulator and could set precedents for other states.

The groups took issue with the NYDFS’ “one-size-fits-all” approach, noting that the requirements fail to account for variations in the business models, IT system structures or risk profiles of the institutions they affect. They further pointed out that the rules impose unclear and unworkable requirements, and that the over-broad nature of the proposal could lead to reporting requirements being triggered too easily, adding a significant operational burden.

Among other things, the groups urged NYDFS to take a more risk-based approach that would provide institutions with greater flexibility, and include a materiality standard and harm trigger in its definition of “cybersecurity event.” They also called for an extension of the compliance date from 180 days to two years.

Read the letter.