New York MBA Urges State to Work with Feds on Cybersecurity Regs

The New York Mortgage Bankers Association, in testimony yesterday before the New York State Assembly Committee on Banks, said the state’s Department of Financial Services should work with federal regulators in creating regulations dealing with cyber threats, rather than perpetuate a patchwork of potentially conflicting state regulations.

James Bopp, National Correspondent Sales Manager with Platinum Home Mortgage Corp., testified on behalf of NYMBA. He said NYMBA members share concerns about cybersecurity threats and have invested “millions” of dollars to defend against cybercriminals. But he noted that the proposed rule places an unnecessary burden on financial institutions.

“What I would respectfully then ask the members of the Committee to consider is who those criminals are,” Bopp said. “We need only skim headlines of this week’s newspapers to be reminded of the answer: foreign governments, organized crime syndicates and even terrorist organizations. The growing pervasiveness of these groups is matched only by their growing boldness.”

In September, the New York Department of Financial Services proposed first-in-the-nation regulations on cybersecurity threats to financial institutions (http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf). The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

“This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible,” said Gov. Andrew Cuomo (D).

With national security at stake, Bopp said in his testimony, “then we need a national response to fight this war. Respectfully, what we do not need is a regulation that places the burden on financial institutions to defend our nation. This is especially so when that burden is disproportionately felt by New York’s small and medium sized independent mortgage lenders. Additionally, we believe it is misguided to direct these companies–which are already struggling to comply with profound regulatory obligations and costs–to execute these new, extensive and prescriptive protocols in just a few short weeks.”

Bopp said that while lenders consider the government to be an ally in their efforts, they disagree that “prescriptive, potentially conflicting regulations issued by each state as well as the federal government will protect lenders and the residents of New York.”

“Cybersecurity regulations issued by only one state this year, will surely lead to additional and potentially divergent cybersecurity regulations issued in a few more states early next year,” Bopp said. “That pattern will continue and it will create a patchwork of state requirements. Our elected officials should encourage efforts to converge and coordinate with existing cybersecurity requirements. Please help us to balance important consumer protections with this reality. Unilateral action will ultimately lead to multiple standards which have the potential to conflict with each other and produce expensive and divergent results.”

Bopp added that this will also, unfortunately, create misalignment of cybersecurity operations within the industry. “That would be unfortunate given that the mortgage industry, as I have mentioned, is already spending millions of dollars to prevent cybercrime. No doubt, this rule will require the spending of millions more. Rest assured, those expenses will raise the cost of credit to New York’s credit worthy borrowers immediately, as we attempt to make the necessary operational and technology investments to comply. It will also increase costs in the months to come, when other states emulate New York and our member companies try to compete outside the state.”

The Mortgage Bankers Association supports the NYMBA position. In a comment letter earlier this year (http://mba-pc.informz.net/mba-pc/data/images/AdvocacyDocuments/11 2016 SIFMA Response to NY DFS Proposed Cyber Requirements.pdf), MBA and a broad coalition of industry trade groups asked that any regulations that address cybersecurity threats to financial services companies be complementary and consistent with existing cybersecurity requirements and embody a risk-based approach.

More specifically, the letter urged that the final rule from DFS conform to the National Institute of Standards and Technology Cybersecurity Framework, which has served as a model of collaboration between government and industry in developing a comprehensive risk-based cybersecurity framework widely used across financial firms and more broadly across other critical sectors. Additionally, the letter suggested other points of consideration for DFS, including the need for a much longer implementation period than the January 2017 effective date currently being contemplated.

“We believe this approach would best enable the financial industry and regulators to continue their coordinated efforts to mitigate cybersecurity risks,” the letter said. “Cybersecurity regulations issued by only one state–or by several states–without an effort to converge and coordinate with existing cybersecurity requirements will lead to confusion, additional costs and a misalignment of cybersecurity operations within the industry.”

Bopp further urged DFS to slow the process down, given that the federal government is also considering a proposed rule that would have sweeping national applications. Three federal agencies–the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.–issued a notice of proposed rulemaking on a set of enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities. “I urge the members of the Committee at the very least to encourage the New York Department of Financial Services to pause its rulemaking to await the results of this interagency effort currently underway,” he said. “The federal proposal appears to move in the direction of the second major theme of the industry’s letter to the Department: that any final rule take a risk-based approach. That is because these new threats to New York mortgage lenders and others are constantly evolving. Our companies can best serve consumers if they are permitted to address these threats within a framework that is flexible and can evolve and adapt over time to the latest tactics and weapons.”