January 27, 2017
Deputy Superintendent for Compliance
New York State Department of Financial Services
One State Street
New York, NY 10004-1511
Re: New York Department of Financial Services’ Proposed Rulemaking on Cybersecurity Requirements for Financial Services Companies, I.D. No. DFS-39-16-00008-RP
Dear Ms. Lentchner:
On behalf of the Securities Industry and Financial Markets Association (“SIFMA”),1 the American Bankers Association (“ABA”), the Financial Services Roundtable (“FSR/BITS”), and the Financial Services Sector Coordinating Council (“FSSCC”), we appreciate the opportunity to comment on the New York State Department of Financial Services (“DFS”) revised proposed rulemaking on Cybersecurity Requirements for Financial Services Companies (the “Proposal”).2 We thank DFS for considering our comments, submitted on November 14, 2016 (the “Letter”),3 as well as the comments of other associations and industry stakeholders regarding the initial proposed rule. We once again commend DFS in its efforts to strengthen and improve cybersecurity in the financial sector.
It is evident based on a reading of the Proposal that DFS seriously considered the numerous comments received. We believe the Proposal as revised now better represents a rule which satisfies DFS’ regulatory mandate, and minimizes many of the unintentionally onerous requirements of the initial proposed rule. However, we respectfully request your consideration of the following essential revisions to: (1) application of the Proposal to foreign entities; (2) the Proposal’s Risk Assessment requirements; and (3) implementation impracticalities and unintended consequences stemming from the Proposal, including the Proposal’s current considerations regarding encryption. Our detailed recommendations follow.
* * *
A. The New York Branch of Foreign Financial Services Companies
1. Covered Entity – Section 500.01(c)
Although we appreciate the candor of DFS personnel in adopting our recommendations, it appears that certain institutions, which we believe should not be subject to the remit of the Proposal, remain in scope. Specifically, the Proposal appears to apply to foreign banking organizations with branches located in New York. We do not believe it is the intent of DFS to place foreign institutions in scope. However, this is the effect of a plain reading of the Proposal. A Covered Entity is currently defined as “a Person operating under or required to operate under a license…under the Banking Law, the Insurance Law or the Financial Services Law.”4 Under New York’s Banking Law, the foreign institution itself applies for, and operates under a license, not the New York branch of said foreign entity.5 While the term “branch” was added to the term “Person” (so that “Person” means…any non-governmental entity, including but not limited to any…branch), this does not resolve the issue because, while the branch can be viewed as a “Person” operating under a license, the foreign banking organization (which is also a “Person”) is also in scope under a plain reading of the regulation, as is the “Person” required to obtain the license to operate in New York through a branch. Thus, under a plain reading of the Proposal, the foreign home office of an institution is subject to the Proposal, rather than the New York branch only.
The result of such a construction would be that the foreign banking organization would not only be required to satisfy the regulation’s requirements with respect to extra-territorial systems that are not used for the New York branch, but DFS would receive Cybersecurity Event notifications regarding Nonpublic Information that are irrelevant to the New York branch as well as annual certifications from the Foreign Banking Organization itself regarding systems beyond the scope of the New York branch. We believe DFS intended the Proposal to apply solely to the New York branch in this circumstance, similar to DFS’ intention with respect to the DFS’ Banking Transaction Monitoring Rule, where the definition of “Bank Regulated Institutions” makes clear that the foreign banking organization is out of scope.
1 SIFMA is the voice of the U.S. securities industry, representing the broker-dealers, banks and asset managers whose 889,000 employees provide access to the capital markets, raising over $2.4 trillion for businesses and municipalities in the U.S., serving clients with over $16 trillion in assets and managing more than $62 trillion in assets for individual and institutional clients including mutual funds and retirement plans. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.
2 See “23 NYCRR 500. New York Department of Financial Services Proposed Cybersecurity Requirements For Financial Services Companies.” (DFS Proposal) http://www.dfs.ny.gov/about/press/pr1612281.htm
3 See “SIFMA Response to NY DFS Proposed Cyber Requirements,” November 14, 2016. (“SIFMA Letter to DFS”). The SIFMA Letter to DFS was submitted in a joint effort with the American Bankers Association, the Financial Services Roundtable, the Financial Services Sector Coordinating Council, the Mortgage Bankers Association, the American Financial Services Association, the American Land Title Association, and the New York Mortgage Bankers Association.
4 Id. at 2.
5 See New York Banking Law Article V-B. License for a Foreign Banking Corporation to Maintain a Representative.