BPI and SIFMA Respond to NYDFS Proposal on Cybersecurity Requirements for Financial Services Companies

Dear Sir or Madam:

The Securities Industry and Financial Markets Association (“SIFMA”)[1] and the Bank Policy Institute (“BPI”)[2] (together, “the Associations”) appreciate the opportunity to comment on the New York Department of Financial Services’ (“NYDFS” or the “Department”) proposed second amendment to 23 NYCRR 500 (“Proposed Amendments”). The Associations are deeply committed to the NYDFS’ objectives to enhance governance around cybersecurity that the Proposed Amendments are intended to advance. Like NYDFS, our members recognize the critical role cybersecurity plays in building public confidence in financial institutions.

The Associations acknowledge the 2017 effort of the Department to be the first state agency to issue cybersecurity rules for financial services companies and the Department’s activities to strengthen the financial services sectors for the benefit of New York State residents. In general, the Proposed Amendments represent an improvement over the pre-proposal by changing the Class A definition, reducing some of the prescriptiveness, and lengthening the timeframe for compliance. Notwithstanding this progress, we believe that certain elements of the Proposed Amendments can be enhanced to further align with the Department’s goals to create a risk-based regulatory framework to ensure and improve the safety and resiliency of the New York financial services industry’s digital infrastructure. We respectfully offer the following recommendations for further revision with these objectives in mind.

[1] The Securities Industry and Financial Markets Association (“SIFMA”) is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”). For more information, visit http://www.sifma.org.

[2] BPI is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans and serve as a principal engine for the nation’s financial innovation and economic growth. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.