NY To Feds: Get Serious About Cyber Security

November 12, 2015 at 9:51 am 1 comment

(For those of you who received this morning’s post by email, as you can see, there was a glitch with the headline.)

NY’s Department of Financial Services yesterday sent out a unique letter to key state and federal regulators, including the NCUA, urging them to start implementing a more rigorous and robust cyber security framework and implicitly warning them that New York will go ahead with efforts to strengthen oversight of cyber security with or without their help.

According to Anthony J. Albanese, Acting Superintendent of Financial Services, “[t]here is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions. The Department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” The letter is intended to “help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.”

This is usually the type of memo circulated behind closed doors. My translation of the Department’s action is that it is frustrated by what it believes is insufficient federal action to address cyber security. New York is willing to coordinate its efforts but is ultimately moving forward with or without the feds.

The letter explains the steps that New York is considering taking, including imposing increased requirements on institutions for cyber security policies and procedures; oversight of data held by third parties; multi-factor authentication requirements for consumers and employees who have access to sensitive data; a requirement for institutions to have a chief information security officer; the adoption of standards reasonably designed to ensure the security of all applications utilized by an institution; and quarterly audits and protocols for providing regulators notice of cyber security breaches.

The letter doesn’t spell out precisely what entities would be subject to this framework, but by calling for a public dialogue the Department clearly wants it to apply to both state and federal institutions among the widest possible scope of industries. The proposals aren’t surprising since the Department has consistently expressed concern in recent years that too little is being done to monitor cyber security in general and third-party oversight in particular.

What surprises me so much about the letter is that it amounts to a public rebuke of federal regulators. After all, the purpose of the Federal Financial Institutions Examination Council (FFIEC) is to coordinate regulatory oversight of these issues. In fact, it recently issued guidance on detecting cyber security threats.

Where the dialogue ends up is anybody’s guess. It will be interesting to see just how long New York waits before implementing a more rigorous security framework with or without the blessing of federal regulators.

Speaking of the FFIEC, two days ago it issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The handbook has been updated to incorporate cyber security concepts as part of information security. See more at: http://www.ncua.gov/newsroom/Pages/news-2015-nov-revised-management-booklet.aspx#sthash.7NLsdTx7.dpuf


1 Comment

  • 1. Joan Laduke  |  November 13, 2015 at 7:31 am

    Good job Henry! You keep me up to date on important issues. Best regards, Joan LaDuke, formerly Covera.

    Sent from my iPhone Joan




Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
