BPI Comments on NYDFS Proposal on Cybersecurity Requirements for Financial Services Companies

Ladies and Gentlemen:

The Bank Policy Institute welcomes the request to contribute comments to the New York Department of Financial Services (“NYDFS”) pre-proposed outreach on amendments to the cybersecurity regulations contained within 23 NYCRR 500. As with previous iterations of the Part 500 cybersecurity regulations, we look forward to a productive and collaborative engagement with the NYDFS as the amendments are further developed and finalized.

There are four areas we believe the NYDFS should review and update prior to publishing the formal proposal for 23 NYCRR 500.

I. Harmonization

As cybersecurity incident reporting requirements continue to proliferate, it is critical that regulators coordinate and harmonize the increasing number of incident reporting requirements to minimize the regulatory burden placed on financial institutions addressing significant cybersecurity incidents, as well as to harmonize the proposed reporting timelines with existing definitions and notification standards. Harmonization of reporting requirements is central to achieving an appropriate balance between the benefits of incident reporting and the accompanying risks, harms, and operational burdens, particularly during a crisis when restoring and ensuring the security of services to customers is paramount. For example, the proposed amendments require a notice to NYDFS of a ransomware or extortion payment made within 24 hours of the payment. In parallel, the recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) legislation contains a similar provision requiring a separate notice to the Cybersecurity and Infrastructure Security Agency (“CISA”) in the event of a ransomware payment made as the result of a ransomware attack. Therefore, we urge the NYDFS to survey the incident notification and reporting landscape to ensure its proposed requirements reasonably enable firms to balance the need to report with the ability to maintain security and a robust response and recovery capability.

Additionally, we have hailed the creation of the Cyber Incident Reporting Council (CIRC), also pursuant to enactment of CIRCIA. This law vests the newly created CIRC with the authority to “coordinate, deconflict, and harmonize” cyber incident reporting requirements to relieve covered entities of the burden of submitting multiple reports while working to investigate and remediate a significant incident. While the CIRC is aimed at enabling federal agencies to coordinate, deconflict, and harmonize federal incident reporting requirements, we encourage the NYDFS to take note of CIRC meetings and work product, and where appropriate consider ways to reflect the findings of CIRC recommendations in pursuit of streamlined and coordinated incident reporting.

II. Adherence to Risk-Based Approaches

The pre-proposal contains many instances where the NYDFS’ proposed requirements are overly prescriptive and do not provide an opportunity for covered entities to apply a risk-based approach. The financial sector has long been a target of malicious cyber actors, and accordingly has invested in robust and ever-evolving measures to prevent, detect, and respond to cyber threats. We are leaders in the private sector in developing, maintaining, and enhancing cyber defenses, but there is no one silver bullet. The industry invests billions of dollars each year in cybersecurity, shares cyber threat intelligence through a pioneering model that has been replicated across industries, and employs thousands of cybersecurity professionals in its efforts to protect its customers’ sensitive data and financial assets.

To consistently maintain this high level of threat prevention, detection, and response, firms need the flexibility to implement and comply with new requirements, especially those that increase costs, or require substantial interruption and time to implement. As the NYDFS continues to develop its proposed amendments to Part 500, we hope it will consider revising the language around several of its prescriptive security and risk management requirements, including, as a non-exhaustive list, those aimed at data management practices (Section 500.13), access controls (500.7 and 500.12), pen-testing (500.5), encryption (500.15), business continuity requirements (500.16), and multifactor authentication (500.12).

III. Senior Governing Body/Board Governance

In its oversight role, the board of directors – or equivalent senior governing body – should receive sufficient information from applicable management or management committees or other sources to assess whether current approaches to address risks (including cyber), including mitigating steps to address process weaknesses, are appropriate in the board’s view. In general, however, it should not be necessary – and, indeed, may be counterproductive – for the board to perform management-like responsibilities (e.g., formally “approving,” or developing, day-to-day policies and procedures, planning activities, strategies or mitigating steps to address planning process weaknesses, or carrying out other risk-management and planning-related activities undertaken in the ordinary course of business) in order to provide effective oversight of the planning/risk-management process.[1]

[1] See Bank Policy Institute’s “Guiding Principles for Enhancing U.S. Banking Organization Corporate Governance” (2021).