AFSA Continues Push for Clarity in NY Cybersecurity Regs

Last week, Newsbriefs reported on a survey conducted by the Ponemon Institute which found that a majority – 71 percent – of the financial institutions that will be required to comply with New York’s new cybersecurity legislation would not be able to meet next February’s deadline. Just 13 percent of the institutions surveyed reported that they would be able to say, “with certainty” that they would be in full compliance by next year.

New York’s Department of Financial Services (NYDFS) proposed the new regulations, which affect more than 3,000 financial institutions and insurers from large, multi-national conglomerates to small, single-location financial institutions. The NYDFS regulations require compliance with a detailed set of security requirements.

AFSA’s State Government Affairs department has been actively engaged with NYDFS on cybersecurity since the first draft of the regulation was proposed in September 2016. Throughout the course of the regulatory process AFSA has submitted three comment letters on the first draft of the proposed rules and the subsequent revision —two on its own and the other as a joint effort with several other trade associations. AFSA has also worked with officials in a variety of other capacities on this regulation.

In all of its communications, AFSA stressed industry’s strong support for the spirit of the NYDFS regulations, noting that strong cybersecurity is in everyone’s best interest and critical to ensuring that consumers feel comfortable doing business with financial institutions.

Since the proposal’s inception in 2016, AFSA has emphasized the need for risk-based cybersecurity solutions, rather than a one-size-fits-all approach. AFSA’s work has borne fruit, as the NYDFS revised several key areas that the association highlighted to give financial institutions more flexibility in establishing cybersecurity programs and somewhat limit the scope of the rules.

These revisions represented steps in the right direction. However, the rules still present numerous compliance challenges, as is evident from the Ponemon Institute survey results. AFSA has continued to request an extended effective date and transition period to allow companies appropriate time to comply.

AFSA will continue to monitor the New York regulations for delays and amendments and is committed to exploring more deeply the compliance challenges companies face, including a future white paper on the issue.