AFSA Comments on New York Proposed Cybersecurity Regulation

On November 14, AFSA submitted comments to the New York Department of Financial Services (NYDFS) regarding its proposed cybersecurity regulation for financial services companies, the first of its kind from a state regulator. The proposal would impose new, extensive cybersecurity requirements on financial institutions in a variety of different areas.

In its letter, AFSA expressed tremendous concern with the proposed regulation’s requirements, which are so prescriptive and extensive that institutions will be hard-pressed not to run afoul of them even if they are leaders in thwarting cyberattacks. AFSA pointed out that the requirements are not tied to the level of risk, which could result in many expensive controls being implemented and maintained that provide little or no additional protective value to institutions or consumers.

AFSA urged the NYDFS, among other recommendations, to take a risk-based approach that can adapt to and account for changes in technology, differences across firms, marketplace differences, and the cybersecurity threat landscape; reframe the proposal as guidance with a consistent set of best-practice standards; explicitly include a safe harbor from civil or criminal liability for certifications of compliance conducted in a reasonable manner; and allow time for responsible compliance over an extended, rolling implementation period.

AFSA also signed on to a joint letter to the NYDFS with seven industry trade groups raising concerns about the proposed regulation.