By Allissa Kline, originally published in Buffalo Business First on May 31, 2017, 6:41pm EDT.
Call it a case of good timing.
About a year ago, Evans Bancorp Inc. conducted an internal review of its cybersecurity policies. The process revealed areas in need of improvement.
So when the New York State Department of Financial Services announced a proposed series of groundbreaking cybersecurity regulations last fall, Evans found itself in a good position.
“Maybe we had good luck or dumb luck, but most of the regulations were areas we’d already identified or areas we’d already started to improve,” said Howard Martin Jr., senior vice president and chief information officer at the Angola-based financial company. “So we were in pretty good shape.”
But that’s not the case for everyone. Attorneys and other business consultants said some banks, insurance agencies and other financial institutions regulated by New York state are scrambling to understand and comply with the new rules.
The law has been in place since March 1 but there is a 180-day transitional period that ends Aug. 28. Then the first wave of regulations takes effect.
And it’s not just financial institutions themselves that must comply. Eventually, third-party vendors that work for the financial institutions must show that they, too, meet guidelines.
Buffalo attorney Jennifer Beckage leads the data security and privacy team at Phillips Lytle LLP. She was part of a recent panel on the new rules.
Beckage said companies should act quickly to put some kind of cybersecurity policy in place. That’s one of the first requirements to be met in August.
“Unfortunately for smaller organizations, they may not have policies in place yet,” Beckage said. “But you can always amend or perfect them later.”
The new regulations are intended to protect the financial services industry and consumers, according to Gov. Andrew Cuomo. In February, he hailed the rules as the first such cybersecurity guidelines in the nation.
Larry Ponemon, founder of the Ponemon Institute in Michigan, is an expert in privacy, data protection and information security practices. He participated in the same panel at which Beckage spoke, presenting survey results about how prepared the state’s financial institutions think they are in terms of complying with the new regulations.
The bottom line: Companies think the requirements will be hard to follow.
Among the various guidelines, formal incident-response plans are required. Evans is working on that and expects its plan to cover the banking subsidiary Evans Bank N.A. and its insurance business, The Evans Agency LLC.
Martin anticipates challenges when it comes to making sure third-party vendors are compliant. He said the company works with 20 to 25 vendors. Expense-wise, Martin said Evans is likely to spend more in 2018 and 2019 to make sure it meets the requirements. He did not offer specifics about the anticipated costs.
He’s mainly frustrated with having to comply with different sets of rules, saying, “There’s no real downside to these regulations, and I get where DFS is coming from. I just wish state regulators and federal regulators would work in conjunction so that we don’t have to navigate different sets of rules.”