On December 10, 2014, the New York Department of Financial Services (NYDFS) issued a letter to banking institutions chartered or licensed in New York notifying them of an expansion of the NYDFS information technology examination procedures to focus on cyber security issues as an integral aspect of risk management. The NYDFS issuance is just the most recent example of the increasing focus among state and federal regulatory agencies and government officials regarding cyber security and its importance to the financial services industry.
The expanded procedures will look at cyber security in a comprehensive manner and will include a review of corporate governance as it relates to cyber security risks, the relationship between information security and core business functions, shared infrastructure risks, training, disaster planning and insurance coverage and other third-party protection.
Following standard NYDFS procedure for information technology examination, each institution will receive a “First Day Letter” shortly before its examination with specific questions addressing the new cyber security review in addition to current examination topics. Financial institutions may need to devote additional time or resources to preparing for the examinations in order to address the increased scope of the questions provided in the First Day Letters.
In addition, the NYDFS has indicated that it will be conducting a comprehensive risk assessment of each banking institution. As part of that process, banking institutions can expect to receive separate requests from NYDFS for detailed information in response to 12 questions addressing such matters as information security policies and procedures, information security staffing and organizational structure, vulnerability management programs, incident response programs, identity and access management systems and due diligence processes for selecting and monitoring third-party service providers.
While the current expansion of the NYDFS information technology procedures is focused on banking institutions, it is clear that NYDFS considers cyber security an important risk factor for all of the institutions falling within its jurisdiction. We expect NYDFS to follow up with similar procedures for examination of insurance companies and other entities subject to the examination authority of the NYDFS.