The Conference of State Bank Supervisors (the “CSBS”) and the New York Department of Financial Services (the “NYDFS”) recently issued valuable guidance for financial institutions regarding cyber security. On December 10, 2014, the NYDFS issued a guidance letter to all NYDFS-regulated banks outlining the issues and factors on which banks will be evaluated during new, targeted cyber security preparedness assessments as part of routine information technology examinations (the “Guidance Letter”). On December 17, 2014, the CSBS issued “Cybersecurity 101: A Resource Guide for Bank Executives,” a non-technical resource guide designed for chief executive officers, senior executives and board members (the “CSBS Resource Guide”).
New York Examination Guidance
The Guidance Letter is the latest regulatory development in the rapidly evolving area of cyber security for financial institutions and will likely impact the policies of other state and federal banking agencies as they continue to develop cyber security guidance.
The Guidance Letter specifically mentions 11 factors examiners will consider during the new assessments:
- Corporate governance, including organization and reporting structure for cyber security related issues;
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion, including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.
In addition, the Guidance Letter stated that the NYDFS will seek responses to 12 cyber security-related questions in advance of a scheduled information technology examination. These questions will function as a cyber-specific first day letter that will assist the NYDFS in expediting its review of a bank’s cyber security preparedness.
CSBS Guidance for Officers and Directors
The CSBS Resource Guide is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cyber security programs. The CSBS Resource Guide is a compilation of available cyber security resources and is organized according to the Commerce Department’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity. The CSBS Resource Guide provides questions that chief executive officers should ask specific to each core cyber security function, and offers training guidance, mobile banking security recommendations, and a checklist to follow in the event a bank experiences a data breach.
All banks, New York State-chartered and otherwise, should review the Guidance Letter and CSBS Resource Guide when developing or evaluating their cyber security programs, procedures, training, and insurance policies.