New York DFS Announces New Cybersecurity Assessment Process for Banks

December 10, 2014

New York’s Financial Services Superintendent Benjamin Lawsky today issued an industry guidance letter to all New York Department of Financial Services (DFS)-regulated banks announcing the department’s new, targeted cybersecurity preparedness assessments.

Lawsky said that in an effort to promote greater cybersecurity across the financial services industry, the DFS plans to expand its information technology examination procedures to focus more attention on cybersecurity.

The new cybersecurity assessments will become regular, ongoing parts of all DFS bank examinations moving forward. DFS said taking this step will help encourage stronger cybersecurity practices at banks since regulatory examination ratings can have significant impacts on the operations of financial institutions, including their ability to enter new business lines or make acquisitions.

A DFS spokesman also told Insurance Journal today that the department is considering extending similar cybersecurity assessments to the insurance industry.

Lawsky’s industry guidance letter to DFS-regulated banks outlines specific issues and factors on which those banking institutions will be examined. The letter said the DFS-regulated banks will be examined on their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cybersecurity; their defenses against breaches, including multi-factor authentication; the security of their third-party vendors; and a number of other issues.

The assessments will also look at the banks’ cybersecurity insurance coverage and other third-party protections.

“The Department encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology,” said Lawsky.

“It is our hope that integrating a targeted cybersecurity assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators,” he said.

“Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks,” said Lawsky.

The industry guidance letter Lawsky sent today represents the formal commencement of the new cybersecurity assessment process. As part of this cybersecurity assessment, DFS has incorporated into its examination process a series of new questions and topics, including but not limited to:

• Management of cybersecurity issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
• Resources devoted to information security and overall risk management;
• The risks posed by shared infrastructure;
• Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
• Information security testing and monitoring, including penetration testing;
• Incident detection and response processes, including monitoring;
• Training of information security professionals as well as all other personnel;
• Management of third-party service providers;
• Integration of information security into business continuity and disaster recovery policies and procedures; and
• Cybersecurity insurance coverage and other third-party protections.

Source: New York State Department of Financial Services

The following is a copy of the industry guidance letter that was sent to all New York DFS-regulated banks.

https://www.scribd.com/doc/249776265/New-York-DFS-New-Cyber-Security-Examination-Process