The New York State Department of Financial Services' Banking Division supervises nearly 1,900 banking and other financial institutions with assets of more than $2.9 trillion.

On December 10th, Benjamin Lawsky, Superintendent of the Department, released a guidance letter outlining the Department's plan to expand its examination procedures for regulated institutions to focus more attention on cybersecurity.

The new plan includes three phases: a comprehensive risk assessment of each institution, a pre-examination First Day Letter, and a cybersecurity examination of the institution.

Comprehensive Risk Assessment: The Department's guidance letter states that it will conduct a "comprehensive risk assessment" of each institution before examination, and to aid in that assessment it will send the institution a questionnaire. The questionnaire will seek information in at least twelve areas, including:

  • the CV and job description of the Chief Information Security Officer;
  • the institution’s information security policies and procedures;
  • the due diligence used to vet, select and monitor third-party service providers; and
  • a copy or description of the institution’s incident response program.

"First Day Letter": After the comprehensive risk assessment, a First Day Letter (pre-examination letter) will be sent to the institution at the time it is actually scheduled for examination. The First Day Letter sets out the materials and information to be made available to the Department for examination and will now include new questions and topics related to cybersecurity. Presumably these questions and topics will be in line with the comprehensive risk assessment questions above and the examination topics discussed below.

IT/Cybersecurity Examinations: The examination will follow the comprehensive risk assessment and the First Day Letter. The Department's guidance letter indicates that the new IT/Cybersecurity examinations will cover at least eleven additional topics, touching on issues such as:

  • corporate governance, including organization for reporting cybersecurity incidents;
  • resources devoted to cybersecurity;
  • incident detection and response processes; and
  • management of third-party service providers.

The Department's new examination plan, together with similar initiatives elsewhere, continues to increase the focus on cybersecurity in banking, retail and other sectors, with the goal of reducing the number of incidents and intrusions.

The full text of Superintendent Lawsky's guidance letter is available from the Department.