SIFMA Recommends NYDFS Revise Cybersecurity Proposal

Commentary by Michael A. Kleinman

SIFMA urged the New York State Department of Financial Services ("NYDFS") to consider changes to its "prescriptive" pre-proposal to impose new cybersecurity requirements on financial services companies.

In a Comment Letter, SIFMA expressed concern that the proposed requirements (i) would involve significant multi-year investments in cybersecurity and (ii) do not give members flexibility to implement additional technologies in support of their cybersecurity programs. SIFMA asserted that "cybersecurity is not just a regulatory obligation but a critical component of any financial institution's business strategy[,]" and that the prescriptive nature of the proposed requirements may provide little or no benefit to consumers while imposing significant costs on financial services companies.

SIFMA urged NYDFS to publish its own internal data security practices, which would provide assurance that those practices are robust enough to protect the highly sensitive and proprietary information NYDFS is requesting from covered entities under the proposed requirements. To alleviate some of the obstacles to compliance, SIFMA suggested that NYDFS (i) replace granular requirements with outcome-based requirements, (ii) allow flexibility in implementing requirements that would impose a significant burden on a firm and (iii) clarify proposed requirements to avoid ambiguity. Additionally, SIFMA included a non-exhaustive list of areas that NYDFS should thoroughly scrutinize prior to release of a final rule (see pp. 3-8).

Commentary

Michael A. Kleinman

The SIFMA Comment Letter points out that the pre-proposal is both too general and too specific. While it prescribes specific controls that covered entities would need to put in place, the pre-proposal leaves undefined and undescribed many of the required steps and thresholds needed to meet the controls. It will be interesting to see whether NYDFS amends the proposal to address these comments or simply addresses them in a post-rulemaking set of FAQs -- the approach NYDFS took to offer guidance on the original text of the Cybersecurity Regulation.