Tuesday, March 19th, 2024

ABA: New York’s proposed cyber security regulations would create consistency

New York’s proposed cyber security regulations for banks and insurance companies – the first such policy in the nation – would create some uniformity between state and federal rules, but the American Bankers Association (ABA) said that it is seeking clarification on certain provisions.

“We have some questions about certain aspects of it, but by and large I think the provisions are fairly consistent with what our responsibilities are at the federal regulatory level,” Doug Johnson, senior vice president of payments and cybersecurity policy at ABA, said in a recent interview with Homeland Preparedness News.

Under the proposed rules, regulated financial institutions in New York would be required to establish a cybersecurity program and adopt a written cybersecurity policy. Companies would need to designate a chief information security officer responsible for overseeing the new program and policy.

In addition, banks, insurance companies and other covered entities would need to have policies in place to ensure the security of information systems and non-public information accessible to third parties. Any material data breach would need to be reported to the New York State Department of Financial Services within 72 hours.

Banks would need to submit a certification of compliance to the department beginning January 2018.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” New York Gov. Andrew Cuomo said when the proposed regulations were unveiled earlier this month.

The ABA plans to submit comments during the 45-day public comment period on the proposed regulations before their final issuance.

One issue the ABA is examining with its banking members is the implications of the proposed regulation’s certification of compliance provision.

“The familiarity we have with certification is financial certification,” Johnson said. “Of course, certifying financial records is a little bit different animal than certifying cybersecurity compliance.”

The ABA is also seeking clarity on what the repercussions are in cases where the Department of Financial Services determines a bank is not compliant with reporting a data breach.

“Is there any additional implication other than you might be found out of compliance and might have to do some level of remediation to satisfy the examiners so you are back in compliance?” Johnson said.

The proposed regulation’s requirements on multi-factor authentication, used for remote access to banking systems, are another area where the ABA is seeking clarity.

“We want to ensure that there is still the ability of financial institutions on a risk-based basis to make determinations on what the most effective level of authentication is for a particular account and for the protection of internal systems and that is not clear,” Johnson said.

The ABA has been working with the Department of Financial Services on a larger effort to harmonize various cybersecurity efforts in the states, as well as nationally and internationally.

The laws that financial services institutions must follow on data breach notification, Johnson said, are inconsistent and vary by state, leading the ABA to argue that one national law is needed.

Additionally, banks spend hundreds of millions of dollars a year trying to prevent cybercrimes.

“Intrusions occur, not just daily, but consistently on a more than hourly basis depending upon the size of the institution,” Johnson said.

Cybersecurity programs in place at financial institutions work to prevent or detect fraud quickly, with more than $11 billion in potential losses from fraud prevented in the last four years, the ABA said.

One of the ways banks are able to thwart the majority of attacks is by sharing information across institutions. The Financial Services Information Sharing and Analysis Center (FS-ISAC), with more than 7,000 financial institution members, actively shares threat and vulnerability information.

Other ways financial institutions are preventing and detecting fraud include microchip-based payment cards, tokenization and mobile alert programs so customers can identify fraud more quickly.