Amid a global spike in hacks of corporate computer systems, New York on Wednesday introduced drastically watered-down cybersecurity measures for banks.
The revised cyber regulations no longer require banks to put a single executive in charge of cybersecurity — nor do they force companies to have a “program designed to ensure the confidentiality, integrity and availability of [their] information systems,” as the original proposals, announced in September, maintained.
Instead, the state watchdog will only require companies to have programs to be “reasonably designed to protect” that data.
“The regulations have been substantially watered down,” Michael J. Gottlieb, a partner at Boies, Schiller & Flexner, where he leads the privacy, cybersecurity and technology practice, told The Post.
He said the state buckled under pressure from banking groups.
The loosened banking regulations were introduced by Maria T. Vullo, the head of the state Department of Financial Services.
The revised regulations, which can be further molded over a 30-day comment period, require financial companies in the state to designate the duties of a chief information security officer, or CISO, but companies aren’t required to have “an individual exclusively dedicated” to the job.
The DFS received more than 150 comment letters during the initial 45-day comment period — many of them lambasting the law for being too vague.
One, from the New York Bankers Association, the industry lobbying group, spoke out against the stronger regulations, saying they “could create unsustainable economic stress for banks, while having the unintended consequence of a bank’s spending more time on compliance paperwork than on actual prevention and security.”
The proposal, which is slated to go into effect on March 1, is “something that strikes the right balance,” Richard Loconte, DFS spokesman, told The Post.
“I wouldn’t term it ‘watered down.’ We want to have something these institutions can comply with and comply with well, so that it’s actually effective,” Loconte added.
“What you’re trying to do is reduce risk,” Kirk Nahra, partner and co-chair of the health care practice at Wiley Rein, told The Post.
“The bad guys are always better at breaking in than we are at keeping out. And part of that is because the people who are charged with doing these things under these regulations actually have to run a business,” Nahra said.
When the initial proposal was first announced, Gov. Cuomo trumpeted it as holding the financial services industry responsible “to the fullest extent possible” for preventing cyberattacks.
But Cuomo’s name was absent from Wednesday’s four-paragraph press release, which announced that there were changes made — but didn’t detail what they were.
“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” Vullo said in a statement.
A spokesman for Cuomo’s office didn’t return a request for comment.