Ms. Cassandra Lentchner
Deputy Superintendent for Compliance
New York State Department of Financial Services
One State Street
New York, NY 10004-1511
Re: Rulemaking on the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies
Dear Ms. Lentchner:
On behalf of the close to 200 members of Business Roundtable, an association comprised of chief executive officers of leading U.S. companies, representing all sectors of the economy, I write to convey our views on the Department of Financial Services’ (DFS) proposed rulemaking on Cybersecurity Requirements for Financial Services Companies (Proposal). We commend DFS for its prioritization of cybersecurity, and we share DFS’s concern about escalating cybersecurity threats. We believe, however, that the Proposal, as written, will have broader impacts than intended on all sectors of the economy.
Business Roundtable members have prioritized cybersecurity and supported federal efforts to create voluntary, flexible and agile cybersecurity approaches. In 2013, President Obama directed the creation of “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”1 The resulting National Institute of Standards and Technology (NIST) Cybersecurity Framework has been heralded by both industry and government, and Business Roundtable members believe that a voluntary and flexible risk-based approach premised on the NIST Cybersecurity Framework is the approach most capable of managing cybersecurity threats as they evolve.
The Proposal diverges from the NIST Cybersecurity Framework in at least the following areas:
We believe that flexible and risk-based frameworks are the most effective approaches for strengthening cybersecurity for all sectors of the economy. Frameworks should be intentionally designed to enable companies to customize their cybersecurity programs to their individual risk profiles. We encourage DFS to bring the Proposal in line with a risk-based approach and thereby create a model for other states to follow.
We appreciate DFS’s consideration of our concerns. Business Roundtable would be delighted to expand on our concerns upon DFS’s request.
Sincerely,
Julie Sweet
Group Chief Executive - North America
Accenture
Chair, Technology, Internet and Innovation Committee
Business Roundtable
JS/lg