By Allissa Kline, originally published in Buffalo Business First on 1/12/17.

Financial institutions prepping for new rules

More than 3,000 banks, insurance companies and other financial services institutions regulated by New York state will soon have to comply with new cyber security rules.

But what those rules will ultimately mandate remains to be seen. That’s because the state Department of Financial Services is finalizing the regulations, which would be the first such rules in any state.

“There are a lot of people interested in this and very concerned about this,” said Michael Wimer, president and CEO of Cattaraugus County Bank in Little Valley. “Nobody feels like this stuff doesn’t matter … but the concern is how we go about it and what we’re required to do.”

It’s been four months since DFS released a series of proposed regulations to protect consumers from the ongoing threat of cyber attacks. Among the highlights: Banks, insurance companies and other financial services institutions would be required to adopt written cyber security policies; designate a chief information security officer to enforce the policies; and periodically test and assess their data information systems.

The proposal drew criticism from industry groups. During a 45-day comment period that ended Nov. 14, DFS received complaints ranging from compliance costs and the length of time by which entities must report incidents to the fact that entities already have to abide by certain federal and international cyber security rules, which don’t necessarily match the state’s draft rules.

The Independent Banks Association of New York State Inc., in conjunction with the Independent Community Bankers of America, spoke out against the regulations. In a comment letter, IBANYS took issue with the additional regulatory burden that community banks would face.

“Without coordination with federal regulatory agencies, this places community banks in the difficult situation of being examined based on different requirements,” the association said in the letter.

Buffalo attorney Jennifer Beckage, a former technology business owner, expected DFS to revise the proposal.

And it did, issuing an updated version just days before it was scheduled to take effect Jan. 1. The latest draft is now in the midst of a 30-day comment period. Unless there is a third revision, the rules will take effect March 1.

Beckage, who leads the data security and privacy team at Buffalo-based Phillips Lytle LLP, said there are notable changes in the language, though some requirements are still onerous, including the rule that entities must alert DFS to cyber breaches no later than 72 hours after discovering a breach.

“(DFS) definitely listened to some of the comments and took action in some of those (areas),” she said. “Overall, they put less emphasis on very specific technical requirements and gave covered entities a little more decision-making on what would be appropriate for that business.”

Wimer is encouraged by the revision but said he and various associations are still digesting the latest proposal.

“My expectation is that there will be additional new comments made, but those comments will be fewer and less far-reaching than the first round,” he said.