Community bank groups and other financial industry associations expressed deep concern Monday with new cybersecurity regulations proposed by the New York State Department of Financial Services, telling a committee of state lawmakers that they were inconsistent with federal rules and put an unfair burden on smaller institutions.
“There’s a bit of a one-size-fits-all approach” in the rule, said Laura Mazzara, senior vice president and chief risk officer for Pioneer Bank. She gave evidence on behalf of the Independent Bankers Association of New York State to a hearing of the Standing Committee on Banks considering the new regulations.
The association believes that the proposed regulation doesn’t take into account the different circumstances and risk profile of smaller community banks, she said.
“We are completely in support of the underlying objectives,” she said, “We hold … information security … in very very high regard … it really is a cornerstone of what we do to ensure trust from our customers.”
The rules, released for public comment in September, are scheduled to go into effect Jan 1. They will be the first effort by any state’s bank regulators to produce rules setting minimum cybersecurity standards, but being in New York, will have outsized national and international effects. The state is home to outposts of — and therefore can regulate — every major financial institution in the world.
“We also have some concerns that center around competitive disadvantage for New York State-chartered community banks,” she added.
She said Pioneer was also regulated at the federal level by the Federal Deposit Insurance Corporation. “We’re concerned that this regulation will create a disparity between the standard that we’re expected to meet on the federal side and the standard in this new proposed regulation,” she said.
Some observers said they believed the criticism was so severe that the state Department of Financial Services should reconsider the planned rules.
“The takeaway from today’s hearing was loud and clear — the DFS cyber regulation is not ready for prime time,” said Craig Newman, head of the privacy and data security practice at law form Patterson Belknap. “Industry groups expressed major concerns about the proposed regulation, calling it over-broad, inflexible and bad for business in New York, especially as it impacts smaller institutions and those with limited resources.”
Newman said DFS should “take a step back and consider a delay in implementation.”
“No regulation is going to get the support of each and every industry player,” he said, “but the sentiment voiced has been overwhelmingly negative. A slight delay in the effective date would provide a bit of breathing room for the industry and DFS to at least attempt to reach more common ground.”