New York Department of Financial Services Releases Cybersecurity Bank Examination Guidelines

Dec 19, 2014 | Blog

Banks will face a new series of inquiries during their 2015 New York Department of Financial Services (“NYDFS”) examinations. The upcoming examinations will focus on whether a bank has implemented information security safeguards and processes to prevent and detect cyber attacks and to report them to affected customers. Banks in New York that have been putting off updates to their cybersecurity safeguards would be well advised to expedite the process.

Benjamin M. Lawsky, Superintendent of Financial Services, released a memorandum entitled “New Cybersecurity Examination Process” on December 10, 2014. In the introduction to the document, Superintendent Lawsky, perhaps reacting to the recent spate of data breaches, many of which involved financial services organizations, stated that “The Department encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.”

The memorandum describes the inquiries that have been incorporated into the examination process for 2015. Banks, the document states, should be prepared to answer pre-examination information requests, known as First Day Letters, about their cybersecurity infrastructure, information security testing procedures, the existence of cyber risk insurance, incident detection and response, and “management of cybersecurity issues, including . . . written information security policies and procedures and the periodic reevaluation of such policies and procedures.” The Department will also inquire about training of a bank’s workforce in information security protocols and can be expected to ask for documentation of that training in the First Day Letters.

The examinations themselves will be a deeper dive into the bank’s information safeguards, including processes and protocols that many banks may not have in place or have not updated in years. Banks should expect to provide the Department with their current information security policies, a description of their “current use of multi-factor authentication for any systems or applications,” a written security incident response plan that sets out reporting and remediation procedures, and a description of their due diligence processes “regarding information security utilized in vetting and selecting third-party service providers,” including law firms and accounting firms. Cybersecurity workshops on properly safeguarding data and preparing for regulatory examinations are also available for those interested in learning more.

If you have questions about how to prepare for these new cybersecurity bank examinations or how to ascertain whether your organization’s safeguards meet compliance requirements, please contact Kenneth N. Rashbaum.