Critics Blast New York's Proposed Cybersecurity Regulation
Mandates for CISOs, Breach Notification Are Too Prescriptive, Some Argue
In January, banks and other financial services companies based in New York may have to comply with tough new cybersecurity requirements outlined in what Gov. Andrew Cuomo says would be the nation's first state regulation designed to help thwart cyberattacks against the financial sector.
"This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible," Gov. Cuomo says of the New York State Department of Financial Services' proposal, announced last month.
But some critics contend that New York's regulatory proposal is far too prescriptive, making it challenging for banking institutions, especially smaller ones, to comply.
"Banks continue to use limited resources to keep up with regulations that bring us no closer to actual results," says Ted Tomita, CTO of Catskill Hudson Bank in Monticello, N.Y. "For smaller institutions, these regulations make it very difficult to operate. Meanwhile, larger institutions absorb this as a minor inconvenience."
New York's proposed new regulation, if left unchanged, will require that every New York banking institution, regardless of size, hire or designate a "qualified" CISO to oversee the institution's cybersecurity program. It also will require institutions to notify the state within 72 hours of any cybersecurity event that could impact business or consumer privacy.
Other requirements in the new regulation - including mandatory multifactor authentication for all employees, contractors and others who've been granted privileged access to internal systems as well as encryption of all nonpublic information that is stored or transmitted - are listed on the state department's website.
The state is accepting comments on the proposed regulation until the end of October, after which it could make refinements before the regulation is finalized.
Far Different Approach Than FFIEC
Unlike New York, the Federal Financial Institutions Examination Council has taken a less prescriptive approach to cybersecurity, focusing on outlining best practices instead (see FFIEC Plans Cybersecurity Assessments, FFIEC Issues Cyber Assessment Tool and FFIEC Issues Cyber-Resilience Guidance).
Rather than mandating, for instance, that all institutions have a CISO, the FFIEC recommends that institutions ensure that all executives and staff have "clearly defined roles and responsibilities" that carry with them assigned accountability "to identify, assess and manage cybersecurity risks."
By comparison, the state of New York is coming across like a micromanager, argues Avivah Litan, a financial fraud expert who's an analyst at the consultancy Gartner.
"The FFIEC has been at this much longer than New York state and has taken a more seasoned risk-based approach that reflects a deeper and more practical understanding of the different profiles of the wide range of banks - small and large - that they regulate," she says. "I don't think the FFIEC will move backwards and demand banks appoint CISOs, especially when they are not staffed for such functions. The banks that need CISOs - generally the larger banks - already have them. And some have multiple CISOs for different areas."
The proposed New York regulation, Litan argues, "reads more like a checklist of compliance requirements that reminds me of the PCI standard, which is a step backwards from the FFIEC's cybersecurity assessment guidelines. The FFIEC guidelines, which rightfully leverage NIST standards, demand a comprehensive, risk-based approach and assessment."
CISO Requirement Criticized
Tomita of Catskill Hudson Bank argues that requiring banks to designate a "qualified" CISO won't improve cybersecurity.
"At the end of the day, it's simply a title and 'qualified' is open to interpretation," he says. "Financial institutions are facing new challenges every day. Having someone who can understand the unique risks of their institution and implement the proper tools to address those risks is critical to having an effective security program."
Austin Berglas, head of cyber defense at cyberthreat intelligence firm K2 Intelligence, predicts the state will receive many questions during the comment period about the proposed requirement for institutions to designate a qualified CISO.
"The role of a CISO can mean different things to different organizations depending on size, internal structure and needs," he says. "The CISO role is commonly described as a senior-level position responsible for establishing and maintaining the organization's strategy and program to ensure assets are properly protected. Depending on the size and sophistication, some organizations may view this role as a more strategic versus technical role."
Cybersecurity attorney Luke Dembosky, a litigation partner at the Washington law firm Debevoise & Plimpton, contends the proposed New York regulation's provision for breach notification is unrealistic.
"The 72-hour notice period is both short and broad," he says. "Victims of an 'actual or potential' incident rarely have many facts at that point, and if NYDFS [New York Department of Financial Services] really wants to hear about every potential unauthorized access, they will need a hotline."
The regulation also contains a built-in "tripwire," Dembosky notes. Any call to another government agency, such as law enforcement, automatically requires notice to NYDFS. "That may chill some calls to law enforcement and will not help the existing tension between the company being treated as a hacking victim on the one hand and being treated by regulators as negligent for losing customer data on the other," he says.