The New York Department of Financial Services (“DFS”) has joined the growing chorus of financial regulators expressing heightened concern for bank cybersecurity preparedness. On May 6, 2014 New York’s Governor Andrew M. Cuomo released a 13 page “horizontal perspective” entitled Report on Cyber Security in the Banking Sector. The document is co-endorsed by Benjamin M. Lawsky, New York State’s Superintendent of Financial Services. The report illustrates the growing risk and sophistication of cyber-attacks facing New York banks of all sizes and directs the DFS to regularly conduct targeted cybersecurity infrastructure assessments on the 154 banking entities within its purview. The report summarizes findings from a year-long survey of the same constituents.
Most significant to this group, DFS will institute metrics for bank cybersecurity preparedness as part of the regular examination process. The revised procedures include additional questions in the areas of IT management and governance, incident response, event management, access controls, network security, vendor management, and disaster recovery. DFS will now also recommend New York state-chartered depository institutions to become members of the Financial Services-Information Sharing and Analysis Center (“FS-ISAC”).
Further, the report indicates cybersecurity governance issues primarily center on IT, with general counsel and corporate insurance highlighted as key underrepresented segments. Notably, only 29 percent of respondents indicated that general counsels are involved in their organization’s cybersecurity governance structure. The report recommends the inclusion of general counsel in order to advise on potential legal liabilities arising from a cyber-event, as well as any indemnifications of potential litigants following a breach. Only 22 percent of the 154 institutions surveyed included “corporate insurance” in their corporate security governance structure. The report specifically advises that “Corporate Insurance should evaluate the need for (or adequacy of an institution's) cyber risk coverage, or alternatively, determine the extent to which Directors and Officers liability policies might apply in the absence of a cyber-specific policy.”
Industry observers also point to the importance of a strengthened line of communication to the Board of Directors and the requirement that third-party vendor security programs are consistent with Federal and State cybersecurity regulatory guidance. Vendor adherence to the same must be contractually enforceable as well. This was made vividly apparent by Target Corporation’s December 2013 security breach potentially affecting 70 million+ customers.
The New York state report is yet another example of state regulators taking a position on the oversight of financial institutions in the post Dodd-Frank environment. The initiative follows previous public statements and cybersecurity issues raised by other financial regulators, such as the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) Cybersecurity Initiative Risk Alert and the series of cybersecurity guidance bulletins issued by the Federal Financial Institutions Examination Council (“FFIEC”). Most recently, the FFIEC presented a cybersecurity preparedness webinar outlining actions community-based financial institutions should take to “identify and mitigate cybersecurity risks.” The May 7, 2014 presentation to nearly 5,000 leaders of community financial institutions was intended to provide guidance tailored to smaller organizations without the infrastructure and resources more common among larger peers (click here for presentation).
The FFIEC recommended the following high-level goals:
- Company leadership sets the tone for a culture of security.
- Identify, measure, mitigate, and monitor risks.
- Risk management processes scaled to risks and complexity of the individual institution.
- Align cybersecurity strategy with current and future business strategy.
- Create a governance process that ensures ongoing awareness and accountability.
- Timely reports to senior management that include the institution’s vulnerability to cyber-risks.
This presentation is part of the FFIEC’s larger “cyber security awareness initiative” that includes the Cybersecurity and Critical Infrastructure Working Group. Founded in June 2013, the Working Group’s mission is to assist banks identify vulnerabilities and respond to the increasing risks posed by cyber-attacks.
The U.S. Comptroller of the Currency, Thomas J. Curry, stated in testimony February 6, 2014 before the U.S. Senate that the increasing risk of cyber-attacks was a top agency concern, and the FFIEC working group he currently chairs (two-year term) is considering viable next steps “to ensure that institutions of all sizes have the ability to safeguard their systems.” Thus, an increased focus on cybersecurity guidance and regulation is certain.
The latest guidance provided by New York state sends a clear signal that financial institutions, regardless of size, provide entry points into the system. Each must tender vigilant implementation of cybersecurity programs appropriate to their size and risk. More details about the timing and content of DFS cybersecurity procedures are expected in the coming weeks.