Cybersecurity Examination Guidance for Nonbank Financial Services Companies
Cybersecurity has become one of the biggest risks facing the financial services industry, and US banking regulators have issued extensive guidance and launched initiatives to help ensure the safety of individual institutions and the banking system. Some of the more recent regulatory requirements and other developments will have a significant impact on nonbank financial services companies, such as mortgage lenders, brokers and servicers, and other consumer financial services companies. For example, the Federal Trade Commission (FTC) has revised its Standards for Safeguarding Customer Information (FTC Safeguards Rule), and the New York Department of Financial Services (NYDFS) has issued proposed changes to its cybersecurity regulation. These two recent developments will require many nonbank financial services companies to enhance their existing cybersecurity programs to meet these heightened security standards.
Similar to the actions of the FTC and the NYDFS, the Conference of State Bank Supervisors (CSBS) has issued exam program guidance to steer nonbank financial services companies to improve cybersecurity measures in an effort to equip the industry with the necessary tools to enhance privacy protection. This information is set out in the Nonbank Cybersecurity Exam Program, which covers a number of topics with examination-related questions. CSBS generally supports state regulators in advancing the supervision of banks and nonbank financial services companies by ensuring safety, soundness, and consumer protection. This role includes developing state examination procedures for various types of nonbank financial services companies.
The CSBS exam materials are intended to be “easily digestible, non-technical reference” guides to help executives develop a comprehensive, responsive cybersecurity program in line with best practices. While these resource guides do not guarantee prevention, the processes, tools and technologies, when properly leveraged, should help reduce cybersecurity risk. A brief overview of the CSBS exam programs is set forth below.
Overview of CSBS Nonbank Cybersecurity Exam Programs
The CSBS exam programs can be used to assess an institution’s cyber preparedness and may be best employed during an internal or external review. The first iteration of this exam program, the Baseline Nonbank Exam Program, is based on the pilot version (previously called Version 1) released in December 2020.
The exam program questions are categorized according to the Uniform Rating System for Information Technology (URSIT) component ratings of Audit, Management, Development and Acquisition, and Support and Delivery. URSIT was developed by the Federal Financial Institutions Examination Council to evaluate the information technology function at banks. Each question contains a citation to the updated FTC Safeguards Rule (which is fully effective on December 9, 2022) and a document request list reference.
The Enhanced Nonbank Cybersecurity Exam Program was released on May 9, 2022. The new exam program covers the same content as the pilot but in a streamlined version, as recommended by examiners in 2021. The Enhanced Nonbank Cybersecurity Exam Program redesigned Version 1 to increase usage by reducing the overall number of exam questions by nearly half, with no loss of coverage.
The comprehensive exam program provides state regulators and industry the tools needed to conduct a review of a nonbank financial services company’s information technology and cybersecurity risks. The exam programs consist of an exam notification letter, document request list, and exam procedures. The exam programs aim to allow regulators to harmonize and automate the exam process while streamlining work for institutions.
Both the Baseline and Enhanced exam programs were created by the Nonbank Cybersecurity and IT Work Group, composed of state regulator information technology (IT) and cybersecurity subject matter experts. The companion exam programs build off one another, with the Enhanced exam program containing the Baseline exam program questions plus review areas for more complex institutions or IT situations. This allows examiners to transfer easily from one exam program to the other based on the size, complexity, and risk profile of the institution. Both exam programs use the same document request list, which also contributes to the ease of transferring between exam programs.
The new Enhanced Nonbank Exam Program is a comprehensive program created for larger and more complex nonbank financial services companies. It contains all the questions in the Baseline Nonbank Exam Program with additional exam questions in areas where a deeper dive may be required. This IT and cybersecurity exam program was created by state regulators for examinations of nonbank financial services companies.
The procedures provide an in-depth risk evaluation of the main URSIT components: Audit, Management, Development and Acquisition, and Support and Delivery. The primary purpose of this rating system is to evaluate the examined institution’s overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed.
The Enhanced Nonbank Exam Program also contains citations to the updated FTC Safeguards Rule. These cross-references are particularly helpful for those nonbank financial services companies required to comply with the FTC Safeguards Rule.
The cyber exam tool contains examination questions for:
- Development and Acquisitions
- Information Security Program
- Vendor Management
- Support and Delivery
- Network Security
- Data Protection
- Malware Protection
- Patch Management
- Asset Inventory
- Network Scanning
- User Access Controls
- Mobile Devices
- Physical Security
- Business Continuity Management
- Incident Response
Takeaways for Nonbank Financial Services Companies
Nonbank financial services companies can use the CSBS exam programs as a barometer to assess the strengths and weaknesses in their existing information security and privacy programs. Such an assessment is particularly important as the FTC’s Safeguards Rule becomes fully enforceable in December 2022 and more states create their own privacy and data protection requirements. Nonbank financial services companies will need to continually review and update their cybersecurity policies and procedures to meet the evolving regulatory requirements and prepare for regulatory examinations of their current practices.