Why it matters

Adding to banks’ compliance obligations, effective immediately, banks chartered or licensed in New York will now face an updated cybersecurity examination process, Superintendent of the Department of Financial Services (DFS) Benjamin M. Lawsky announced in a memorandum. “The Department encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology,” Lawsky wrote. Additions to regulatory examinations will cover areas ranging from protections against intrusion and the configuration of servers and databases to the organization and reporting structure for cybersecurity issues. “It is our hope that integrating a targeted cybersecurity assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators,” Lawsky said in a statement. “Cyberhacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.” Given this development, it is essential for affected banks to make cybersecurity exams a priority and the focus of attention from the board level on down.

Detailed discussion

To promote greater cybersecurity across the financial services industry, the DFS said that information technology (IT) examinations will include a host of new topics related to cybersecurity.

Included in the list: corporate governance, including organization and reporting structure for cybersecurity-related issues; the management of cybersecurity issues (such as the interaction between information security and core business functions, written information security policies and procedures, and periodic reevaluations in light of changing risks); and review of the resources devoted to information security and overall risk management.

The risks posed by infrastructure and protections against intrusion, as well as information security testing and monitoring and incident detection and response processes, will also be lines of inquiry for the Department.

Has information security been integrated into the business continuity and disaster recovery policies and procedures? The DFS will ask financial institutions this question, check the training of information security professionals and the management of third-party service providers, and consider the use of any cybersecurity insurance coverage or other third-party protections.

In addition to broadening the scope of exams, the memorandum also put New York banks on notice of a change in the process, with an IT/cybersecurity exam following the comprehensive risk assessment of each institution.

As part of the exam, the DFS will request the CV and job description of the bank’s Chief Information Security Officer or the information security point person, complete with a description of the individual’s training and experience, documenting all reporting lines for that person along with an organization chart for the institution.

All policies and procedures related to information security must be provided as part of the exam, along with a description of how data classification is integrated into the information risk management policies and procedures. The bank’s vulnerability management program (as applicable to servers, endpoints, mobile devices, network devices, systems, and applications) as well as the patch management program should also be detailed for the DFS.

Banks also will be required to explain the due diligence process in place for “vetting, selecting, and monitoring third-party service providers,” as well as provide a copy of the organization’s incident response program with steps for how an incident is reported, escalated, and remediated.

Finally, the regulator will request any “significant changes” to the institution’s IT portfolio over the last 24 months as a result of a merger, acquisition, or new business line.
