The October 19 joint advance notice of proposed rulemaking (ANPR) issued by the Board of Governors of the Federal Reserve System (Fed), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC), together “the agencies,” is the second indication in as many months that regulators are preparing to intensify regulatory oversight of the financial services industry’s management and protection of the vast quantities of electronic data at the core of the industry’s operations. What is included in these two regulatory initiatives has been the subject of detailed analyses by a multitude of commentators, but relatively little has been written regarding the impact on the management of financial institutions’ operations once the final regulations are in place.
There is a subtle but important distinction in the focus of the two regulatory proposals. The New York Department of Financial Institutions issued a proposal in September that focused on protecting actual data in the system and particularly the private information of consumers, while the federal agencies’ proposal emphasizes operational resilience of the individual companies and reduction of the impact on the overall financial system in case of a cyber event. In effect, the New York regulatory scheme is designed to prevent data being hacked, while the federal agencies accept that cyber breaches will occur and want to establish systems to minimize damage and promote post-breach recovery.
An obvious issue is the need to manage cyber risk governance within two separate and overlapping regulatory structures. While internal processes necessary to satisfy the federal regulations may cover most of what New York requires, and vice versa, there are distinct provisions in the New York regulations that will require additional systems and standards that would not be satisfied completely by compliance with the federal rules. Virtually all the largest financial institutions operating in the U.S. will be subject to the New York regulations, and will have to devise systems that satisfy both. This is complicated by the fact that the New York regulations go into effect on January 1, 2017, while the federal action is only a notice of rulemaking designed to solicit input and the actual regulations will not be finalized for some time. This is compounded by the fact that there are other federal regulators that are not part of “the agencies” issuing the ANPR, and they, too, have sets of standards for financial institutions’ handling of cyber security.
While New York is a financial services industry epicenter, with a particularly active regulator, there is nothing to prevent other states from adopting similar regulations to “protect” their consumers. The proliferation of local regulations would create an extremely difficult management problem for institutions operating in multiple jurisdictions.
A related issue is the application of the New York regulations to much smaller institutions than the federal regulations. The New York regulation states that each company must assess its specific risk profile and design a program that addresses its risks in a robust fashion, holding out the hope that smaller institutions will be subject to less burdensome requirements. Nonetheless, New York specifically states only “limited” exemptions for covered entities with (1) fewer than 1,000 customers, (2) less than $5,000,000 in gross annual revenue, and (3) less than $10,000,000 in year-end total assets. While the federal ANPR requests input on how to establish the applicability of the new rules, it suggests that the agencies are considering applying the enhanced standards to certain entities with total consolidated assets of $50 billion or more on an enterprise-wide basis. Complying with the New York standards will be costly and difficult for smaller institutions. Just the requirement for the appointment of a “Chief Information Security Officer,” a qualified individual to be “responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy,” will impose a significant burden on smaller institutions.
Enforcement of these rules will also be an ongoing issue. New York in particular has enforcement traps for the unwary. Three examples of these include:
- Policies and procedures for the timely destruction of any nonpublic Information that is no longer necessary for the provision of the products or services for which such information was provided to the Covered Entity;
- Encryption of all nonpublic Information held or transmitted by the Covered Entity, both in transit and at rest; and
- Notification of the superintendent of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects nonpublic Information, as promptly as possible but in no event later than 72 hours after becoming aware of such a Cybersecurity Event.
One element of both the New York and the federal proposals that is abundantly evident is the mandate that cyber risk management strategy be incorporated in the overall business strategy and risk management operations of individual firms. It is also clear that this entire responsibility is being elevated to the Board of Directors level. While the seriousness of the cyber threat may justify this attention at the most senior levels of a firm, it will further exacerbate the problems arising from the competition for board members’ time and attention. The Bank Director Magazine 2015 Compensation Survey asked directors to select up to three issues on which the board expended the most time. The top three were Lending – 56%, Regulatory Compliance – 50%, and Risk – 39%. These new cyber regulations will inevitably increase the time board members spend on activities not directly related to the institution’s core function of providing financial services to consumers.
Regardless of the size or complexity of financial institutions, prudent boards and senior managers will be well-advised to study these regulatory actions and prepare for yet another compliance responsibility. Every institution should also prepare a response to the ANPR and attempt to influence the final rule to address any concerns on how it will affect its own operations.