NY To Feds: Get Serious About Cyber Security

November 12, 2015 at 8:50 am 2 comments

NY’s Department of Financial Services yesterday sent out a unique letter to key state and federal regulators, including the NCUA, urging them to start implementing a more rigorous and robust cyber security framework and implicitly warning them that New York will go ahead with efforts to strengthen oversight of cyber security with or without their help.

According to Anthony J. Albanese, Acting Superintendent of Financial Services, “[t]here is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions. The Department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” The letter is intended to “help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.”

This is usually the type of memo circulated behind closed doors. My translation of the Department’s action is that it is frustrated by what it believes is insufficient federal action to address cyber security. New York is willing to coordinate its efforts but is ultimately moving forward with or without the feds.

The letter explains the steps that New York is considering taking, including imposing increased requirements on institutions for cyber security policies and procedures; oversight of data held by third parties; multi-factor authentication requirements for consumers and employees who have access to sensitive data; a requirement for institutions to have a chief information security officer; the adoption of standards reasonably designed to ensure the security of all applications utilized by an institution; and quarterly audits and protocols for providing regulators notice of cyber security breaches.

The letter doesn’t spell out precisely what entities would be subject to this framework, but by calling for a public dialogue the Department clearly wants it to apply to both state and federal institutions among the widest possible scope of industries. The proposals aren’t surprising since the Department has consistently expressed concern in recent years that too little is being done to monitor cyber security in general and third-party oversight in particular.

What surprises me so much about the letter is that it amounts to a public rebuke of federal regulators. After all, the purpose of the Federal Financial Institutions Examination Council (FFIEC) is to coordinate regulatory oversight of these issues. In fact, it recently issued guidance on detecting cyber security threats.

Where the dialogue ends up is anybody’s guess. It will be interesting to see just how long New York waits before implementing a more rigorous security framework with or without the blessing of federal regulators.

Speaking of the FFIEC, two days ago it issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The handbook has been updated to incorporate cyber security concepts as part of information security. See more at: http://www.ncua.gov/newsroom/Pages/news-2015-nov-revised-management-booklet.aspx#sthash.7NLsdTx7.dpuf.

Entry filed under: Compliance, New York State, Regulatory, technology.


2 Comments

  • 1. Lynn Gray  |  November 12, 2015 at 9:20 am

    If all your large banks and government and federal agencies can be hacked into, good luck with this one. What they don’t realize yet is that all the young people coming up have much more of a handle on this situation than they do. As fast as you write the code they have found the errors in it and are able to gain access. I don’t know what the answer to this is, do away with computers and go back to passbooks and handwritten ledgers, let me think, were they any safer?

    Just being a little facetious but there is a point in there, I am not sure that any of these agencies really have a handle on the seriousness of this problem and how it may just be impossible to stop these breaches happening, they bypass the passwords so no matter how many times we change them, make it harder to use them, it just makes it harder for us, but does not stop the hackers gaining access to everyone’s information.

    • 2. Henry Meier  |  November 12, 2015 at 9:43 am

      To me this can’t be viewed as a private sector issue but as a public protection responsibility. Only the Government has the resources to deter cyber theft on an ongoing basis. Thanks for commenting, Lynn.



Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
