TCH Responds to NYDFS’s Revised Cyber Proposal for Financial Institutions
The Clearing House (TCH) filed a comment letter with the NYDFS responding to its revised proposal, which would establish cybersecurity requirements for financial services companies that are authorized to do business in New York under the New York banking, insurance and/or financial services laws. New York Governor Andrew Cuomo described the proposal as a first-in-the-nation state regulation designed to protect New York State from the ever-growing threat of cyber-attacks, including by protecting consumer data and financial systems from terrorist organizations and other criminal enterprises.
TCH’s comment letter notes that while several changes made by the NYDFS to make the requirements more risk-based represent a substantial improvement over the NYDFS’s original proposal (released in September 2016), there are several elements of the revised proposal that should be modified and/or clarified before the final version of the regulation becomes effective in March 2017. Recommendations made by TCH include: (i) clarification that the scope of the regulation applies only to entities principally regulated by the NYDFS rather than to any financial firm that is authorized to conduct business with New York customers, (ii) closer alignment with certain U.S. federal standards designed to protect customer information, and (iii) clarification that covered firms may employ information security procedures or controls that are not prescribed in the regulation so long as a firm’s CISO (Chief Information Security Officer) determines that such superseding controls are equally or more effective.