NYS Cyber Regulation Gets Drubbing by Industry Groups in Albany
Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.
At a public hearing of the New York Assembly Standing Committee on Banks in Albany, industry representatives harped on the fact that the proposed regulation – currently slated to go into effect on January 1st – applied the same “one size fits all” requirements to institutions of disparate sizes regardless of the institution’s own risk profile.
“Why spend a million dollars to protect against a hundred dollar risk?” asked one of the speakers.
The New York Department of Financial Services – DFS – proposed its cyber regulation back in September and has faced a steady stream of criticism and pressure by the banking and insurance industry to delay implementation of the new requirements. Whether DFS will decide to do so remains an open question.
The hearing opened with Assemblyman James Tedisco calling cybersecurity an “important issue nationally” as well as in New York but stressed that it was important to “take into consideration the concerns of our business and our industry and … [to] do this in a way which doesn’t place an assault on their activities ….”
Community bank groups were especially vocal. Laura Mazzara, Senior Vice President and Chief Risk Officer for Pioneer Bank expressed support for the objectives of the regulation but said a “one size fits all approach” doesn’t take into consideration the operations of most smaller financial institutions. She also noted her concern that the regulation places community banks at a competitive disadvantage.
“We’re concerned that this regulation will create a disparity between the standard that we’re expected to meet on the federal side and the standard in this new proposed regulation,” she said.
Pioneer Bank’s associate counsel, James M. Whalen, also noted that the regulation’s trigger for notifying DFS of a data security incident was too tight and could result in numerous reports of insignificant incidences.
James Bobb, Association Officer and Legislative Committee Chairman of the New York Mortgage Bankers Association called for regulatory uniformity and noted that the current proposal should be “more closely aligned with federal regulations.”