Removing Barriers Blog

CUNA, New York League Respond to Burdensome Cybersecurity Proposal
Posted November 15, 2016 by CUNA Advocacy

Yesterday, CUNA and the New York Credit Union Association filed a joint comment letter in response to a proposed New York regulation mandating that banks and credit unions, insurance companies and financial service providers establish cybersecurity programs to protect nonpublic electronic information.

In the letter we argue that the proposal will lead to confusion and conflicting cybersecurity requirements for financial services companies. We further argue that a single state issuing cybersecurity regulations could adversely impact the robust national standards that already exist. Credit unions and other financial institutions are subject to extensive cybersecurity regulations and requirements as prescribed by the CFPB, SEC, FDIC, Fed, FTC, NCUA, and OCC.

In our comment we also assert that financial institutions should be permitted to show that they already comply with comparable federal requirements in order to prevent duplicative regulations. Credit unions invest time, money, and manpower to detect and deter cyber threats. However, the regulation, as drafted, does not explicitly allow institutions to satisfy its mandates by demonstrating how existing programs and protocols satisfy the requirements.

We also note objections to other aspects of the proposal, including intrusive staffing requirements, limited and small exemptions, an ambiguous jurisdictional scope, unrealistic vendor requirements and an unclear definition of “nonpublic information.”

The proposed rule, as it stands, is counterproductive to its objective of enhancing the safety and soundness of New York’s financial institutions.