SIFMA Encourages NYDFS to Amend its Pre-Proposal For Financial Institution Cybersecurity Requirements
Previously, we reported that the New York State Department of Financial Services (“NYDFS”) requested public comment on proposed amendments to its cybersecurity requirements for financial services companies, the Cybersecurity Requirements for Financial Services Companies (“Part 500”).
On August 17, 2022, the Securities Industry and Financial Markets Association (“SIFMA”) issued a comment[1] on the changes it believes the NYDFS should make before releasing the official rule proposal.
The key proposed considerations include, but are not limited to:
Expansion of Covered Entities. The definition of “Covered Entity” should be expanded to include “entities that are also regulated by other government entities,” so that entities who the NYDFS does not license do not experience confusion.
Classification and Obligations for “Class A” Companies. The inclusion of a Class A company should be removed as “the NYDFS should defer such categorizations and related regulation to other agencies’ well-established classifications (e.g., Cybersecurity and Infrastructure Security Agency and the designation of critical infrastructure firms.).” Additionally, the requirements specific to Class A companies should be removed as they “have little to no apparent benefit for consumers but that will impose significant costs as drafted.” This includes the requirements relating to risk assessments and controls, which SIFMA states should be based solely on “sensitivity/risk level of data rather than corporate headcount revenue.”
Senior Governing Body and Board Reporting. The requirement that the board of directors engage in active involvement, rather than oversight, of cybersecurity policies and procedures should be removed as it is “not practicable or reasonable and should be limited to a notification requirement for significant cyber events and not day-to-day processes.”
Operational Resilience. The requirement that a covered entity’s Chief Executive Officer (“CEO”) be personally involved in the periodic tests of the company’s incident response plan should be removed as it is “unnecessary, as most plans involve the CEO and other C-suite employees on a limited basis.”
Notifications. As the reporting requirements may be considered duplicative, SIFMA recommends including an “option to provide a preliminary notification of a cyber-event by phone with subsequent, additional, information provided through the electronic form after the investigation, similar to what is required by federal prudential regulators.”
Notice of Compliance. The requirement that covered entities include notice of noncompliance and identification of “all areas, systems, and processes that require material improvement, updating, or redesign” should be amended to limit the review to the appropriate personnel and the identification of noncompliance areas, as opposed to a “detailing application of compensating controls.”
Extortion Payments. The required notification to the NYDFS within 24 hours of an extortion payment being made should be removed as “the prescriptive requirements seem punitive by adding burden and pressure to the attacked target experiencing strain.” However, if the reporting requirement remains, this information should be maintained “as strictly confidential and [the NYDFS should clarify that it] will not publicly disclose such information given potential, unwarranted reputational risk to disclosing firms.”
Violations & Penalties. The 24-hour period for compliance with the amendments should be amended as it does not allow for “good-faith” compliance or proper incident response.
Implementation Period. The 180-day implementation period should be extended to “at least two years.”
The NYDFS is still considering comments, and the official proposed amendments to Part 500 are forthcoming.