Re: Rulemaking on the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies
Dear Ms. Lentchner:
On behalf of the close to 200 members of Business Roundtable, an association composed of chief executive officers of leading U.S. companies representing all sectors of the economy, I write to convey our views on the Department of Financial Services’ (DFS) proposed rulemaking on Cybersecurity Requirements for Financial Services Companies (Proposal). We commend DFS for its prioritization of cybersecurity, and we share DFS’s concern about escalating cybersecurity threats. We believe, however, that the Proposal, as written, will have broader impacts than intended on all sectors of the economy.
Business Roundtable members have prioritized cybersecurity and supported federal efforts to create voluntary, flexible and agile cybersecurity approaches. In 2013, President Obama directed the creation of “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The resulting National Institute of Standards and Technology (NIST) Cybersecurity Framework has been heralded by both industry and government, and Business Roundtable members believe that a voluntary and flexible risk-based approach premised on the NIST Cybersecurity Framework is the approach most capable of managing cybersecurity threats as they evolve.
The Proposal diverges from the NIST Cybersecurity Framework in at least the following areas:
- First, the Proposal is not premised on a risk-based approach. Companies operate in dynamic digital environments and their cybersecurity programs must be designed to accommodate this reality. The Proposal’s one-size-fits-all approach does not provide companies with the flexibility needed to respond to the pace of technological change and the evolution of cybersecurity threats. Furthermore, the Proposal’s requirement that the board of directors or senior officer must certify that the company is in compliance with the Proposal would require companies to adopt a static, compliance-based approach to cybersecurity that is ill-suited for the dynamic environment in which companies operate.
- Second, the Proposal overlaps with existing cybersecurity requirements and guidance. Business Roundtable members are increasingly concerned about the lack of coordination and misalignment of cybersecurity requirements among and within federal and state governments. At the state level, members are concerned that the cybersecurity regulatory environment is on course to embody the data breach regulatory environment which is defined by 48 individual state laws and requirements. The proliferation of misaligned cybersecurity requirements at the federal and state levels forces companies to prioritize compliance with individual requirements over developing more holistic programs matched to their individual risk profiles.
- Third, the Proposal includes precedent-setting technical requirements. The Proposal would divert cybersecurity resources away from protection of the most valuable information that a company possesses by requiring companies to use encryption, maintain access controls, and utilize multi-factor authentication for nearly all information that a company possesses. These requirements differ from risk-based approaches that direct companies to evaluate the information that a company possesses and apply enhanced cybersecurity measures, including encryption, to protect the most valuable information.
We believe that flexible and risk-based frameworks are the most effective approaches for strengthening cybersecurity for all sectors of the economy. Frameworks should be intentionally designed to enable companies to customize their cybersecurity programs to their individual risk profiles. We encourage DFS to bring the Proposal in line with a risk-based approach and thereby create a model for other states to follow.
We appreciate DFS’s consideration of our concerns. Business Roundtable would be delighted to expand on our concerns upon DFS’s request.
Group Chief Executive - North America
Chair, Technology, Internet and Innovation Committee