New York Department of Financial Services Unveils “New Cyber Security Examination Process”: Five Key Takeaways

K&L Gates LLP

On December 10, 2014, Superintendent Benjamin Lawsky of the New York Department of Financial Services (the “DFS”) announced a “New Cyber Security Examination Process” (the “New Examination Process”) for New York-chartered and licensed banking institutions (“Regulated Entities”). Pursuant to the New Examination Process, the DFS will expand its information technology (“IT”) examination procedures to focus more attention to cybersecurity, and will schedule these IT/cybersecurity examinations following each institution’s comprehensive risk assessment. Even if you are not a financial institution regulated by the DFS, the key takeaways discussed below provide insight into the types of questions regulators are asking with respect to cybersecurity practices and offer practical guidance for assessing the framework of a cybersecurity compliance regime.

The New Examination Process includes both sample examination topics and information requests that the DFS will use in future examinations. A review of these topics and information requests provides understanding of the DFS’ cybersecurity expectations for Regulated Entities, as well as practical cybersecurity considerations for financial institutions not regulated by DFS. Below we discuss five key takeaways related to the New Examination Process.

1. The New Examination Process imposes back-door practice requirements.

The New Examination Process does not impose substantive cybersecurity requirements upon Regulated Entities per se. However, the DFS intends to examine, among other items:

  • Protections against intrusion, including multi-factor or adaptive authentication and server and database configurations (e.g., requiring persons to provide more than one password or answer an additional security question before entering a network and/or locking a person out after a certain number of unsuccessful login attempts);
  • Integration of information security into business continuity and disaster recovery policies and procedures; and
  • Cybersecurity insurance coverage and other third-party protections.

Through use of these (and other) examination topics, the DFS is essentially informing Regulated Entities of the practices that it expects to be considered for inclusion in a reasonable information security program. For instance, if a Regulated Entity does not currently employ multi-factor identification mechanisms, it may want to consider adopting them. We expect, over time, that the DFS may expand its list of “back door” practice requirements, essentially trying to create industry standards through examination (and enforcement) mechanisms.

2. The DFS considers cybersecurity management as a core enterprise responsibility.

As articulated in the New Examination Process, the DFS “encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely a subset of information technology.” Accordingly, the DFS will examine:

  • Corporate governance, including organization and reporting structure for cybersecurity related issues; and
  • Management of cybersecurity issues, including the interaction between information security and core business functions; written information security policies and procedures; and the periodic reevaluation of such policies and procedures in light of changing risks.

In addition, the NY DFS will request the resume and background information pertaining to the company’s Chief Information Officer (or individual responsible for cybersecurity), as well as a description of all reporting lines for that individual, including committees and managers. In light of these examination topics, boards of directors and senior managers may want to pay close attention to how their institutions’ cybersecurity functions are coordinated at an enterprise-wide level.

3. Process matters.

Many of the examination topics and sample information requests do not spell out specific practice requirements, but instead seek to inquire how well a Regulated Entity has thought through its cybersecurity protections. For instance, one sample information request states: “describe your institution's vulnerability management program as applicable to servers, endpoints, mobile devices, network devices, systems, and applications.” Other examination topics include: “[t]raining of information security professionals as well as all other personnel”; and “incident detection and responses processes, including monitoring.” In light of these (and other) examination prompts, Regulated Entities may want to focus on whether their cybersecurity processes are comprehensive and well documented rather than ad-hoc and informal.

4. Third party oversight must account for information security.

In the course of cybersecurity examinations, the DFS plans to request information pertaining to an “institution’s due diligence process regarding information security practices that [are] used in vetting, selecting, and monitoring third-party service providers.” Consequently, if a Regulated Entity does not already have formal mechanisms for conducting due diligence on, and monitoring, third-party service providers’ information security practices, it may want to consider developing them.

5. Pay special attention during business combinations.

A Regulated Entity must have mechanisms in place to keep track of any information security issues that arise from a business combination. The DFS will ask companies to describe any significant changes to the institution’s information technology portfolio over the last 24 months arising from mergers, acquisitions, or the addition of a new business line.

Conclusion

If there is one essential lesson to be gleaned from the New Examination Process, it is: Regulated Entities, if they have not already done so, should put pen to paper regarding their information security policies and procedures. The New Examination Process includes eleven specific examination topics and twelve sample information requests. Regulated Entities can employ the 23 data points in the guidance to assess whether their information security programs are sufficiently thought-out, adequately memorialized, and properly implemented.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© K&L Gates LLP
