NY To Feds: Get Serious About Cyber Security
NY’s Department of Financial Services yesterday sent out a unique letter to key state and federal regulators, including the NCUA, urging them to start implementing a more rigorous and robust cyber security framework and implicitly warning them that New York will go ahead with efforts to strengthen oversight of cyber security with or without their help.
According to Anthony J. Albanese, Acting Superintendent of Financial Services, “[t]here is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions. The Department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” The letter is intended to “help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.”
This is usually the type of memo circulated behind closed doors. My translation of the Department’s action is that it is frustrated by what it believes is insufficient federal action to address cyber security. New York is willing to coordinate its efforts but is ultimately moving forward with or without the feds.
The letter explains the steps that New York is considering taking, including imposing increased requirements on institutions for cyber security policies and procedures; oversight of data held by third parties; multi-factor authentication requirements for consumers and employees who have access to sensitive data; a requirement for institutions to have a chief information security officer; the adoption of standards reasonably designed to ensure the security of all applications utilized by an institution; and quarterly audits and protocols for providing regulators notice of cyber security breaches.
The letter doesn’t spell out precisely what entities would be subject to this framework, but by calling for a public dialogue the Department clearly signals that it wants the framework to apply to both state and federal institutions across the widest possible range of industries. The proposals aren’t surprising, since the Department has consistently expressed concern in recent years that too little is being done to monitor cyber security in general and third-party oversight in particular.
What surprises me so much about the letter is that it amounts to a public rebuke of federal regulators. After all, the purpose of the Federal Financial Institutions Examination Council (FFIEC) is to coordinate regulatory oversight of these issues. In fact, it recently issued guidance on detecting cyber security threats.
Where the dialogue ends up is anybody’s guess. It will be interesting to see just how long New York waits before implementing a more rigorous security framework with or without the blessing of federal regulators.
Speaking of the FFIEC, two days ago it issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The handbook has been updated to incorporate cyber security concepts as part of information security. See more at: http://www.ncua.gov/newsroom/Pages/news-2015-nov-revised-management-booklet.aspx