The Hacking Economy

Critics are skeptical of New York's proposed financial cybersecurity rules

Andrew Cuomo, governor of New York.
Daniel Acker | Bloomberg | Getty Images

New York state is proposing regulations aimed at protecting your money from criminal hackers, and the initiative is already drawing criticism from Wall Street.

Critics say the proposal is unlikely to improve security at Wall Street giants. They say big firms are already forced to comply with any number of federal cybersecurity laws and largely adhere to industry-wide guidelines. The proposed regulations, they say, will simply result in more paperwork tying up valuable time that could be spent on more serious problems.

"All the legwork that's required to comply with all these different regulations takes on a life of its own," said Steven Grossman, an executive at cyber risk analytics firm Bay Dynamics.

"It would be great to get a consolidation of requirements and reporting across the different governing bodies," said Grossman, whose company makes software that automates the reporting process and alleviates this pain point.

The view is widely shared across the banking industry.

"We recognize that individual organizations that regulate financial services are going to put in some level of cybersecurity regulation," said Doug Johnson, senior vice president of payments and cybersecurity policy at the American Bankers Association. "We just want to have them as similar as possible."

Regardless, New York Gov. Andrew Cuomo wants to show the world that the Empire State is taking cyberthreats seriously and to reassure consumers that the industry is prepared to head off attacks from wherever they come.

"This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible," Cuomo said in a statement.

The proposal, if it passes, would cover any business regulated by the NYS Department of Financial Services, which means giant institutions like Deutsche Bank down to the smallest check cashier in Coney Island. It's subject to a 45 day public comment period starting Wednesday.

The Cambridge Cyber Summit Preview: Walter Isaacson

The proposal, constructed over several years with feedback from more than 200 banking and insurance companies, aims to avoid dictating exactly how companies secure their businesses but is still more prescriptive than federal regulation, raising the dangerous possibility companies will prioritize compliance over what actually works, said Grossman.

It's not completely clear when companies would be required to report a data breach, and what the punishment would be if companies fell out of compliance, Johnson said.

"It is structured both as a protective measure, for the companies to which it applies, and also a punitive set of regulations, enforcing the protection of customer data," legal experts Marcel Bucsescu and Matthew Waxman wrote on the Lawfare blog. "There is an inherent tension in that framing, where the victim (the hacked company) also is treated as the culprit (for failing to protect customer private information)."

Big banks may view the new rule simply as an additional reporting burden, but they aren't necessarily the main taget of the legislation. Most smaller financial services companies — and the law firms, accountants and marketing firms that support the giants — will need to step up investment in cybersecurity protections if the proposed rule is adopted. That by itself is a good thing, said industry experts.

"It's always good to make sure that everybody's marching to the same drummer and following the same guidelines and has a minimal set of guidelines to measure themselves against," said Grossman.

Many smaller companies have some, but not all, of the required measures in place, said Vikas Bhatia whose Kalki Consulting firm provides cybersecurity services to companies without the resources for an in-house team. Bhatia has worked with top 10 credit unions and insurance companies, among others, that have had nowhere near the level of cybersecurity protection the new rules would require.

"If a financial services institution is on the Fortune 250, they definitely will have this in place. When you go from the Fortune 250 to the Fortune 500, you are on shaky ground," said Bhatia.

Bhatia would like to see more guidance on the qualifications managed service providers must retain before offering security services to prevent unqualified companies from holding themselves out as experts.

Of course, the proposed rule is, for now, just that, and is subject to change following the public comment period, which ends in mid-November.