NP Privacy Partner
New York’s new cyber security examination process for financial institutions

On December 10, 2014, the New York Department of Financial Services (the “DFS”) announced the widely awaited (and in some quarters, feared) expansion of its examination program to, in DFS Superintendent Benjamin Lawsky’s words, encourage a “laser-like focus on [cybersecurity] by both banks and regulators.”

In its December 10 letter to all New York-chartered or licensed banking institutions, entitled “New Cyber Security Examination Process” (the “New Cyber Security Letter”), the DFS set forth (a) a non-exhaustive list of 11 topics it will include in its IT/cybersecurity examinations and (b) 12 questions it will pose to each institution as part of an individualized risk assessment under its updated examination process. By Superintendent Lawsky’s count in a December 11 Bloomberg TV interview, the DFS will be examining 96 cybersecurity issues in its forthcoming examinations.

These 96 issues cover a range of topics that those regulated by the DFS should study carefully. From his position as perhaps the nation’s most aggressive financial regulator, Superintendent Lawsky is seeking to ensure that cybersecurity is a C-suite corporate governance issue and a significant component of risk management, one that is “an integral aspect of [financial institutions’] overall risk management strategy, rather than solely . . . a subset of information technology.” Here are four of the issues that demand that “laser-like focus.”

1. Corporate Governance

What is a financial institution’s “organization and reporting structure for cyber security issues”? Large banks are likely to have already successfully addressed this. On the other hand, smaller firms that have yet to establish and delineate the role and responsibilities of such an organization and its reporting structure should make this a priority.

Firms will also be asked to describe the training and experience of their Chief Information Security Officer (“CISO”) or person in an equivalent role, along with the CISO’s CV, job description and reporting lines. In a May 7, 2014, interview, Superintendent Lawsky acknowledged the financial realities that many smaller financial institutions face and observed that he did not expect every institution to have personnel dedicated solely to cybersecurity.

2. Vulnerability Management

Firms will be asked to describe their vulnerability management program for “servers, endpoints, mobile devices, network devices, systems and applications.” Critically, the firewall is only a first line of defense. Against today’s cyber threats, security controls are layered so that if the firewall is breached, the institution’s remaining layers limit how far an intruder or malware can reach.

3. Patch Management

Firms will be asked to describe how they obtain and disseminate patches and updates, how frequently they patch, and whether their patch processes are manual or automated. Patching consistently across all systems and databases is challenging for many organizations, as shown by one U.S. government study outlining the SEC’s own failures in this area.

4. Third-Party Providers

What due diligence are institutions performing on third-party providers? Are they monitoring those providers once they have vetted and selected them? Financial institutions were already reminded of the DFS’s focus on third-party provider cybersecurity in an October 21, 2014, letter signed by Maria Filipakis, the DFS’s Executive Deputy Superintendent of Capital Markets. There, the DFS disclosed that it was considering requiring financial institutions to obtain representations and warranties from their third-party providers as to their cybersecurity standards and policies. This is an issue firms and third-party providers such as accounting firms and law firms are watching closely.

The DFS New Cyber Security Letter guidance is the latest in a series of steps financial institutions face across a rapidly expanding cybersecurity landscape. This follows the DFS’s May 6, 2014, “Report on Cyber Security in the Banking Sector” as well as efforts by other regulators such as FINRA’s January 2014 Cybersecurity Sweeps Letter, and the SEC’s April 15, 2014, OCIE Cybersecurity Initiative. Like the DFS, the SEC and FINRA have recently surveyed those they regulate to learn about cybersecurity programs and challenges.

At this time, regulators appear to be examining, evaluating and educating. While Superintendent Lawsky has recognized that financial institutions are taking cybersecurity seriously, in the coming months and years, for those that fail to do so in regulators’ eyes, attention is likely to shift from examination to enforcement.

The DFS New Cyber Security Letter is the latest regulatory chapter. It is unlikely to remain so for long.


This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP