Add the New York Department of Financial Services to the growing list of regulators (such as the SEC and FINRA) who will be scrutinizing the cybersecurity practices of Wall Street banks and financial institutions.
On Wednesday, Benjamin Lawsky, New York's Superintendent of Financial Services, stated in a letter to all chartered or licensed banking institutions in New York State that his Department will be expanding its information technology examination procedures to focus on cybersecurity. This will make New York the first state to conduct its own cybersecurity exams on banks, according to the American Banker.
Lawsky encouraged institutions to "view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology." He stated that "cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers."
Lawsky specified that going forward, his Department's IT/cybersecurity examinations will now include a lengthy list of cybersecurity-related items such as an institution's organization and reporting structure for cybersecurity-related issues; resources devoted; the risks posed by shared infrastructure; testing and monitoring procedures; incident response processes; training; cybersecurity insurance coverage; and much more.
Lawsky also advised New York banking institutions that his Department will schedule these cybersecurity examinations following a "comprehensive risk assessment" of the institution. Lawsky laid out 12 separate requests for information that the Department will be seeking from each institution to aid in this assessment, which cover areas such as the experience of the current Chief Information Security Officer; vulnerability and patch management programs; the institution's use (or not) of multi-factor authentication for its systems; due diligence process regarding information security; and so on.
As pointed out by the American Banker, Lawsky's letter offers no indication that the Department of Financial Services' tough examinations will vary depending on the size of the bank. This would mean that "a tiny institution like the $18.6 million-asset Bank of Cattaraugus, near Buffalo, would be subject to the same basic requirements as Bank of New York Mellon, with more than $300 billion in assets." Nonetheless, the New York Bankers Association complimented Lawsky on his Department's initiative and for being "at the forefront of the cyber security issue. We will continue to work closely with Superintendent Lawsky on this critical issue, and we look forward to studying the guidelines in depth."