In September 2016, the New York State Department of Financial Services (NYDFS) announced its plan for a first-in-the-nation cybersecurity regulation to help protect the state’s financial institutions and the consumers they serve. Then, three months later, after receiving feedback from financial institutions, industry representatives and other parties, the NYDFS scaled back its proposed regulation.
It’s understandable that the NYDFS put forth a plan to help protect financial services firms and their clients in the wake of a rapidly growing cybersecurity threat. It’s also reasonable that banking associations and other financial services industry organizations would lobby the NYDFS to loosen any potential rules so that they are less expensive and onerous for the firms they represent.
The proposed rules announced in September would have required banks, insurance companies and other financial institutions regulated by the NYDFS to:
…establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
The revisions announced in December still require financial firms to set up cybersecurity programs, but their scope is narrower. Also, institutions would still need to establish responsibilities for a Chief Information Security Officer role, but they wouldn’t have to designate one person in their company to be in charge of cybersecurity.
A spokesman for NYDFS told The New York Post: “I wouldn’t term it ‘watered down.’ We want to have something these institutions can comply with and comply with well, so that it’s actually effective.”
The same article also quoted the co-chair of a law firm’s healthcare practice, who said: “The bad guys are always better at breaking in than we are at keeping out. And part of that is because the people who are charged with doing these things under these regulations actually have to run a business.”
But implementing tougher cybersecurity measures doesn’t have to take a lot of money, time and resources away from running a business.
Don’t Discount the Cloud
Many of the financial services professionals I speak with don’t think of the cloud as a way to protect and store client data, but the cloud offers a cost-effective option for securing account information as well as automating business workflows—protecting companies from cyber-attacks while also making them more operationally efficient.
In fact, the cloud is central to the Financial Industry Regulatory Authority’s (FINRA) efforts to protect investors. On its website, FINRA states, “We invest in innovative technology—like cloud computing—in order to build sophisticated surveillance systems, process extraordinary amounts of data, and work with cutting-edge applications, programs and hardware.”
The regulator also states, “The combination of cloud computing and big data software allows us to shift our computing power between FINRA’s applications so that we can quickly respond to changing regulatory demands in a cost-effective way.”
In much the same way, our own cloud-based solution, workplace wealth_, aggregates all of a financial services company’s IT, apps and data so employees can securely control them with single sign-on access, enabling them to work both smarter and safer. Because RIAs and broker-dealers deliver the workplace wealth_ solution to advisors via a software overlay, we can seamlessly update the platform’s built-in cybersecurity and compliance features as new threats and new technologies develop.
In short, cloud solutions available to financial institutions today enable them to make their client data and information systems more secure, and seamlessly meet cybersecurity requirements from multiple regulators, without taking too much money, personnel and resources away from running their business.