Page 21 - GS170301
Views
the interconnectedness of businesses in the digital age. This is especially true in financial services, where there is so much personal financial information flowing across so many networks and into and out of so many corporate databases.

Lawmakers addressed this initially with the passage of the Gramm-Leach-Bliley Act in 1999, requiring financial institutions to bind service providers to security standards by contract. Now federal regulators want to turn up the heat. In late 2016, they signaled with an advance notice of proposed rulemaking (the first step in what often pans out as a protracted rulemaking process).

The October 2016 advance notice of proposed rulemaking (ANPR), published by the Federal Reserve and other federal bank regulators, seeks input on "enhanced cyber risk management standards … for large and interconnected entities under their supervision and those entities' service providers." The agencies said they want to apply the rules to banking organizations with consolidated assets of $50 billion or more and are calling for a tiered approach with "an additional set of higher standards for systems that provide key functionality to the financial sector."

Scores of letters from banks and others were submitted during the ANPR public comment period, which ended in February 2017. Several took issue with the proposed third-party oversight requirements and warned against any broad-stroke approach to defining third parties. "As you are aware, third-party service providers perform a wide variety of functions and services for banks, each with different types and levels of risk. Blanketly directing banks to apply the enhanced cybersecurity standards to all third-party providers does the financial services industry and its customers a disservice," the payment processing firm Stripe Inc. wrote.

Mastercard agreed. The card brand stated the rules as articulated in the ANPR would apply only to the largest financial institutions, and few third-party firms are "interconnected" with these large players in ways that are systemically critical. In a nutshell, "the effect of the ANPR is to equate the cybersecurity risks associated with providing a service to a single business line of a covered entity to operating the entire covered entity as a whole," Mastercard wrote.

For now, however, all eyes should be on implementation of New York's new cybersecurity law. New York is considered a bellwether of consumer protection trends and financial transaction laws.

"Given the significant number of financial institutions that will be required to comply, other regulators, clients, customers and counterparties may begin to review these new requirements as a baseline standard for cybersecurity in the financial industry," the law firm Baker & Hostetler LLP stated in a recent post on its website. California, another bellwether state, set in motion a wave of state and federal initiatives after it was first to enact a data breach notification law for businesses operating there back in 2002.

Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at patti@greensheet.com.