On December 10, the New York Department of Financial Services (DFS) issued an industry guidance letter to all DFS-regulated banks announcing new targeted cyber security preparedness assessments. These assessments will become part of all DFS bank examinations going forward. Institutions will be examined on their protocols for detecting cyber breaches and their penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; the security of their third-party vendors; and a number of other issues.
Superintendent of Financial Services, Benjamin M. Lawsky, said, “It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators. Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.”
The guidance letter pinpointed the following topics that will become a regular part of the Department’s new IT/cyber security examinations:
- Corporate governance, including organization and reporting structure for cyber security related issues;
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.
DFS also provided financial institutions with information about its new examination process, including a procedure for assessing and scheduling IT/cyber security examinations. Going forward, the DFS will schedule an IT/cyber security examination following a comprehensive risk assessment of each institution.