Having weathered the cybersecurity turbulence of 2014, the financial services sector can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015. First, in the wake of data breaches at major banks and financial institutions, and drawing upon its mid-2014 "Report on Cyber Security in the Banking Sector,"[1] the New York Department of Financial Services (the "NYDFS" or the "Department") has announced a New Cybersecurity Examination Process for the banks under its regulatory jurisdiction (the "Examination Letter"). Additionally, the Chairman of the federal Commodity Futures Trading Commission ("CFTC") has testified before a Senate committee that the CFTC will increase its attention to cybersecurity during its upcoming examinations of clearinghouses and exchanges. Also, the Conference of State Bank Supervisors ("CSBS") has issued a resource guide for bank executives on cybersecurity that community bank CEOs, senior executives and board members are being strongly encouraged to use to address cybersecurity threats at their banks.
These latest regulatory developments impacting financial institutions will likely affect the cybersecurity policies of other regulators, including enforcement actions against regulated entities that fail to implement adequate cybersecurity programs. Thus, even if your organization is not a financial institution regulated by the NYDFS, CFTC or a state banking regulator, the key takeaways discussed below will provide insight into the types of questions regulators will pose, and offer practical guidance for developing a compliant privacy and data security program to mitigate cybersecurity risks. The December 2014 ruling that retailer Target had an affirmative duty to protect its customers' personal and financial information illustrates that these pronouncements provide important guidance not just to regulated entities, but to companies generally.
NYDFS's Examination Letter
On December 10, 2014, the NYDFS issued the Examination Letter to all New York chartered and licensed banking institutions announcing the Department's new, targeted cybersecurity preparedness assessment. In an effort to promote greater cybersecurity across the financial services industry, the NYDFS warned that it will expand its routine information technology examinations to include cybersecurity. However, as noted in an article in American Banker,[2] the Examination Letter provides no indication that the examinations will differentiate among banks by size, meaning a smaller community bank may be subject to the same cybersecurity requirements as multinational banks with significantly more resources.
The new examination procedures are designed to encourage "all financial institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than as a subset of information technology." According to Benjamin M. Lawsky, Superintendent of the NYDFS, new procedures are also intended to promote a "laser-like focus on this issue by both banks and regulators" given that regulatory examination rankings can have a significant impact on the operations of financial institutions, including their ability to enter into new business lines or make acquisitions.
The Examination Letter notes that the NYDFS will be incorporating the following new security-oriented topics into its pre-examination "First Day Letters" to assist in expediting the Department's review of financial institutions' cybersecurity preparedness:[3]
- Corporate governance, including written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Cybersecurity incident detection, monitoring and reporting processes;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion, including multifactor or adaptive authentication, and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Training of information security professionals as well as all other personnel;
- Vetting and management of third-party service providers; and
- Cybersecurity insurance coverage and other third-party protections.
In addition to the information requested in the First Day Letter, the NYDFS stated that it will schedule IT/cybersecurity examinations following the risk assessments of each financial institution. The new IT/cybersecurity examinations will take a deeper look into the financial institution's ability to prevent, detect and respond to data breaches and other cyber attacks by requesting:
- The qualifications of the institution's Chief Information Security Officer, or the individual otherwise responsible for information security;
- Copies of the institution's information security policies and procedures;
- The institution's data classification approaches and data access management controls;
- The institution's vulnerability management programs, including its consideration of applications, servers, endpoints, mobile, network and other devices;
- The institution's patch management program, including how updates, patches and fixes are obtained and disseminated;
- The institution's due diligence process regarding information security practices used to vet, select and monitor third-party service providers;
- Application development standards used by the institution, including the extent to which security and privacy requirements are incorporated into application development processes;
- The institution's incident response program, including how incidents are reported, escalated and remediated; and
- The relationship between information security and the organization's business continuity program.
The NYDFS's Examination Letter is essentially a "take-home test" for any New York chartered or licensed banking institution or regulated firm preparing for an NYDFS examination or conducting its own internal audit to strengthen its cybersecurity practices and incident response preparedness. Additionally, although the new examination procedures do not impose cybersecurity requirements on regulated entities per se, the NYDFS is in effect announcing the standards and practices it expects to be adopted in any compliant cybersecurity program. For now, the new cybersecurity examination procedures are limited to banks, but it is likely that the NYDFS will extend these same types of procedures to the other financial services firms it regulates, such as insurance companies and investment companies.
CFTC's Increased Focus on Cybersecurity
On December 10, 2014, CFTC Chairman Timothy Massad testified before a Senate Agriculture Committee hearing that cybersecurity is "perhaps the single most important new risk to financial stability." As a result, cybersecurity will become an increasingly important aspect of the CFTC's oversight for futures and swaps markets.
Chairman Massad testified that the CFTC requires clearinghouses, swap execution facilities, designated contract markets and other market infrastructures to implement system safeguards, which must include four elements: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risks; (2) automated systems that are reliable, secure and scalable; (3) emergency procedures, backup facilities and a business continuity/disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards are sufficient. Each CFTC-regulated entity must also have a risk management program that addresses seven key elements, including information security, systems development, quality assurance and governance. Furthermore, these entities must notify the CFTC promptly of cybersecurity incidents.
Although the CFTC does not conduct independent testing of its cybersecurity requirements, it reviews evidence provided for satisfaction of the requirements. Chairman Massad testified that the CFTC's upcoming examinations will focus on the following areas:
- Governance—Are the board of directors and top management devoting sufficient attention to cybersecurity?
- Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?
- Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations and other critical areas? Is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?
- Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?[4]
CSBS Guidance for Financial Services Officers and Directors
On December 17, 2014, the CSBS issued "Cybersecurity 101: A Resource Guide for Bank Executives" (the "CSBS Resource Guide"), which is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cybersecurity programs. The CSBS Resource Guide is organized according to the five core cybersecurity functions of the Commerce Department's National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity: (1) identify internal and external cybersecurity risks; (2) protect organizational systems, assets and data; (3) detect systems intrusions, data breaches and unauthorized access; (4) respond to a potential cybersecurity event; and (5) recover from a cybersecurity event by restoring normal operations and services. For each of these core functions, the CSBS Resource Guide provides questions that chief executive officers should ask, as well as training guidance and a model checklist to follow in the event of a data breach.
In light of these developments, banks and other financial institutions should consider undertaking the following steps and customizing them to their specific circumstances and risks:
1. Conducting Periodic Cybersecurity Risk Assessments
- Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;
- Evaluate effectiveness of current controls in light of identified risks;
- Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities, and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and
- Determine whether existing insurance policies will cover the threats identified in the risk assessment, and determine whether separate cyber coverage is needed.
2. Evaluating Potential Third-Party Vendor Risks
- Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;
- Obtain copies of vendors' written information security plans or certifications of compliance with applicable standards; and
- Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.
3. Developing and Periodically Testing a Comprehensive Incident Response Plan
- Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events; and
- Conduct periodic "table top" exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.