On December 10, 2014, the New York State Department of Financial Services (the “Department”) announced that it issued an industry guidance letter to all Department-regulated banking institutions that formally introduces the Department’s new cybersecurity preparedness assessment process. The letter announces the Department’s plans to expand its information technology examination procedures to increase focus on cybersecurity, which will become a regular, ongoing part of the Department’s bank examination process.
The guidance letter provides a list of topics that will be addressed in the Department’s cybersecurity examination process. The topics include:
- Corporate governance issues related to cybersecurity;
- Management of cybersecurity issues;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion;
- Information security testing and monitoring;
- Incident detection and response processes;
- Training of information of personnel;
- Management of third party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cybersecurity insurance coverage and other third party protections.
The letter encourages all Department-regulated banks to view cybersecurity as an integral aspect of their overall risk management strategy. According to the Superintendent of Financial Services, Benjamin Lawsky, “[i]t is [the Department’s] hope that integrating a targeted cyber security assessment directly into [its] examination process will help encourage a laser-like focus on this issue by both banks and regulators…It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.”
The Department plans to schedule the cybersecurity examinations based on a comprehensive risk assessment of each New York State-chartered or licensed banking institution. In connection with this assessment, the Department will be sending a series of questions to banks requesting information on their current cybersecurity practices and management.