Regulators in New York State are proposing tough new restrictions on banks that could require them to spend millions of dollars on cyber security protection. We recommend you keep an eye on this proposed legislation in case it becomes a model for other states and industries.
Among the measures in the proposed regulations, which are open for public comment until Nov. 13, are requirements that banks hire a chief information security officer and implement technology to detect cyber intrusions and protect customer data. The proposal contains required minimum standards and allows companies to assess their own risks to some degree. One thing that will get the attention of top executives is that board officers or senior compliance officers will be required to certify the controls are adequate, implying that they may be personally liable if they aren’t.
The proposed regulation by the New York State Department of Financial Services (DOFS) doesn’t say how the rules would be enforced or what the penalties would be, but it notes that regulated entities “will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.” The annual re-certification rule indicates that regulators are taking this initiative seriously.
Why should you care, particularly if you aren’t a New York-based financial firm? There are several reasons:
- The DOFS is responsible for more than 1,000 New York-based banks, insurance companies and other financial services companies, including some of the largest financial firms in the world. It also regulates several large foreign banks, including Deutsche Bank and Barclays. Some of these companies are global in scope, and it’s a safe bet that the security policies they adopt at the corporate level will trickle down to subsidiaries in other regions and industries.
- By making board-level officers directly accountable for security practices, New York regulators are attempting to raise security awareness to the highest levels of the organization. What happens in banking will impact other industries as well, particularly since many directors serve on multiple boards.
The DOFS didn’t create this proposal in a vacuum. Regulators took pains to point out that they solicited input from more than 200 regulated banking institutions and insurance companies. They also met with a cross-section of those companies, as well as cyber security experts, to determine the most effective course of action. Three reports resulted, which you can find here.
Not everyone is thrilled with this proposal, and there’s no guarantee it will survive in its current form. But the task of implementing substantive change in the way corporations secure customer data has to begin somewhere, and lower Manhattan is a pretty good start. If these regulations are effective in reducing the incidence of breaches at financial institutions, it’s likely other industries will take note as well.