On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services (DFS) that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks. As we covered when Governor Andrew Cuomo announced this first-in-the-nation regulation, the proposed rule imposes numerous obligations on a broad range of institutions regulated by DFS, including persons or entities operating under New York’s banking, insurance, or financial services laws.
At the hearing, representatives of a variety of impacted businesses and industries reacted to the proposed regulation and offered suggestions for improvement. Generally, the witnesses recognized the importance of cybersecurity and the need for government action—especially in light of recent high-profile hacking incidents. However, multiple commentators expressed concern over what they saw as overly broad, prescriptive requirements. For example, Laura Mazzara, Senior Vice President and Chief Risk Officer at Pioneer Bank, explained how the proposed regulation adopted a one-size-fits-all standard, when a more tailored, risk-based approach might be more effective in managing cyber risk. Along similar lines, multiple witnesses noted the costs that the proposed rule would impose on small or medium-sized businesses in New York, and how those costs might trickle down to consumers or impact New York’s ability to attract and maintain small businesses.