CUNA and the New York Credit Union Association (NYCUA) wrote to the New York State Department of Financial Services (DFS) Monday to express concerns over a proposed New York regulation mandating that credit unions, among other entities, establish cybersecurity programs to protect nonpublic electronic information. CUNA and the NYCUA believe the proposal will lead to confusion and conflicting cybersecurity requirements.
“The Department of Financial Services (‘DFS’) needs to consider the national impact of cybersecurity regulations issued by only one state when robust national standards exist that could be adopted by the DFS. Credit unions and other financial institutions are already subject to many similar requirements and would welcome all industries having to provide cybersecurity protections.”
CUNA and the NYCUA are concerned that the DFS proposal is too prescriptive, in that it fails to give state-chartered institutions the flexibility needed to satisfy the proposed requirements by demonstrating comparable measures they have already taken.
“It would implement a one-size-fits-all approach to cybersecurity that does not clearly allow credit unions to develop and implement cybersecurity policies, devise plans, and allocate resources in a way that reflects their unique cybersecurity profile, and fails to appropriately delineate those institutions that would be subject to its mandates,” the letter reads. “Ultimately, it makes little sense for a $19 million asset credit union with six employees--the median size of New York credit unions--to be subject to the same baseline requirements as the world’s largest financial institutions; but that is exactly what New York State proposes.”
The letter further points out that existing cybersecurity requirements for the financial industry are robust, with 7 different federal agencies providing regulations, requirements and guidance.