On December 10, 2014, the New York Department of Financial Services ( the “NYDFS”) issued a guidance letter to all NYDFS-regulated banks outlining the issues and factors on which banks will be evaluated during new, targeted cyber security preparedness assessments as part of routine information technology examinations (the “Guidance Letter”). The Guidance Letter is the latest regulatory development in the rapidly evolving area of cyber security for financial institutions and will likely impact the policies of other state and federal banking agencies as they continue to develop cyber security guidance.
The Guidance Letter specifically mentions 11 factors examiners will consider during the new assessments:
- Corporate governance, including organization and reporting structure for cyber security related issues;
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion, including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.
In addition, the Guidance Letter stated that the NYDFS will seek responses to 12 cyber security-related questions in advance of a scheduled information technology examination. These questions will function as a cyber-specific first day letter that will assist the NYDFS in expediting its review of a bank’s cyber security preparedness.
All banks, New York State-chartered and otherwise, should review the Guidance Letter and consider its examination factors when developing or evaluating their cyber security programs, procedures, training and insurance policies.
To view a printer-friendly version, please click here.