New NY Department of Financial Services Cybersecurity Examination Process

On December 10, 2014, New York State Department of Financial Services (DFS) Superintendent Benjamin M. Lawsky issued an industry guidance letter to all New York State chartered or licensed banking institutions announcing that DFS was expanding its examination procedures to increase its emphasis on cybersecurity and urging all institutions to make cybersecurity an “integral aspect of their overall risk management strategy.” DFS information technology (IT) and cybersecurity examinations will cover a wide range of topics, including corporate governance, management of cybersecurity issues, the amount and kinds of resources devoted to information security and overall risk management, the risks posed by shared infrastructure, the bank’s protections against intrusion, information security testing and monitoring, training of information security professionals, management of third-party service providers, integration of information security into business continuity and disaster recovery policies and procedures, and cyber security insurance coverage. These examinations will be scheduled after the comprehensive risk assessment of each institution.

DFS will also ask institutions, by separate request, questions about qualifications and job description of the current individual responsible for information security; the extent to which information security policies and procedures focus on confidentiality, integrity, and availability; data classification integration into information risk management policies and procedures; their vulnerability management program; their patch management program; their use of multi-factor authentication; their third-party service provider information security due diligence process; application development standards; the incident response program; how information security is incorporated into the organization’s business continuity/data recovery plan, and any significant changes to the institution’s IT portfolio over the last 24 months resulting from mergers, acquisitions or the addition of a new line of business.

The December 2014 guidance letter represents a dramatic increase in the scope and intensity of the DFS cyber exams. Other large financial institutions licensed in the state of New York, such as insurers and broker-dealers, may be subject to similar new examination procedures focused on how cybersecurity is integrated into the organization’s risk management strategy.