Attention FAE Customers:
Please be aware that NASBA credits are awarded based on whether the events are webcast or in-person, as well as on the number of CPE credits.
Please check the event registration page to see if NASBA credits are being awarded for the programs you select.

Want to save this page for later?


Press Release

NY CPAs Support Proposed Cybersecurity Rules for New York’s Financial Institutions — But With Revisions

Michael Moi
Published Date:
Nov 17, 2016

The New York State Society of CPAs (NYSSCPA) supports the New York State Department of Financial Services’ proposed cybersecurity requirements for the state’s financial services companies; however, the Society warned against using current language in the proposal that could potentially undermine their effectiveness or result in unintended consequences. Some of the Society’s suggestions would provide impacted organizations with flexibility to comply with the new DFS regulations.

An abridged list of NYSSCPA observations:

  • Many financial services companies currently comply with federal and state regulatory requirements but the proposed legislation differs with or is inconsistent with certain practices. Inconsistent requirements may result in organizations devoting more and in some cases unneeded resources to the administration of cybersecurity practices rather than protecting organization and consumer assets.
  • The Society recommends that the DFS provide guiding principles as to whether financial institutions utilizing effectively designed and operating cybersecurity risk management practices that align with the existing best practice or regulatory guidance could satisfy compliance with the DFS’ proposed regulation. This would also include specifying which risk assessment methodologies will be acceptable to the DFS and the nature of evidence with the proposed regulation to be maintained to demonstrate compliance with the regulation.
  • The proposed legislation cites specific controls as examples or explicitly requires the use of specific controls to achieve the risk management objectives of the legislation. Given the pace of change in technology, the inclusion of specific technology control requirements may result in influencing or requiring companies to establish ineffective or outdated controls. 

NYSSCPA full comments to the Department of Financial Services proposed new regulations can be found HERE.

Matthew T. Clohessy, chair of the NYSSCPA Technology Assurance Committee, says the proposal seems to reflect current federal regulatory requirements, “While many of the proposed requirements resonate with the existing requirements that financial institutions adhere to, the proposed NYSDFS requirements get very specific in some areas, which may necessitate changes to an organization’s existing risk management and control practices in order to comply with the proposed regulation.”

“The NYSSCPA recommends annexing a less prescriptive control design requirements and fewer specific control examples to explanatory supplemental guidance appended to the regulation, with more reliance on specific company circumstances and its own risk management protocols, said NYSSCPA Technology Assurance Committee Member, Yigal Rechtman. “Additionally, it would therefore be helpful, as is done with other cybersecurity standards, to have a “cross-walk reference” to allow interested parties to see how the proposed requirements align with existing frameworks and provide more specificity to requirements.” 

About the NYSSCPA
Founded in 1897, the New York State Society of CPAs is the premiere professional membership association representing the interests of a membership of more than 26,000 licensed CPAs and other financial professionals practicing in New York State, and encompassing all areas of practice including in government, education, technology, nonprofit, real estate, healthcare and industry.