Abstract

Cybersecurity regulations have proliferated over the past few years as the
significance of the threat has drawn more attention. With breaches making
headlines, the public and their representatives are imposing requirements on
those that hold sensitive data with renewed vigor. As high-value targets that
hold large amounts of sensitive data, financial institutions are among the
most heavily regulated. Regulations are necessary. However, regulations
also come with costs that impact both large and small companies, their
customers, and local, national, and international economies. As the
regulations have proliferated so have those costs. The regulations will
inevitably and justifiably diverge where different governments view the needs
of their citizens differently. However, that should not prevent regulators
from recognizing areas of agreement.

This Note examines the regulatory regimes governing the data and
cybersecurity practices of financial institutions implemented by the
Securities and Exchange Commission, the New York Department of
Financial Services, and the General Data Protection Regulations of the
European Union to identify areas where requirements overlap, with the goal
of suggesting implementations that promote consistency, clarity, and cost
reduction.