The New York State Department Of Financial Services (“DFS”) Issues Industry Guidance Letter To DFS-Regulated Banks

King & Spalding

On December 10, the DFS issued an industry guidance letter to all New York DFS-regulated banks announcing new targeted DFS cyber security preparedness assessments. The new cyber security assessments will become part of all DFS bank examinations moving forward. The financial institutions will be examined on their protocols for the detection of cyber breaches and for penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; the security of their third-party vendors; and a number of other issues.

Superintendent of Financial Services, Benjamin M. Lawsky, said, “It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators. Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.”

The guidance letter pinpointed the following topics that will become a regular part of the Department’s new IT/cyber security examinations:

  • Corporate governance, including organization and reporting structure for cyber security related issues;
  • Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
  • Resources devoted to information security and overall risk management;
  • The risks posed by shared infrastructure;
  • Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
  • Information security testing and monitoring, including penetration testing;
  • Incident detection and response processes, including monitoring;
  • Training of information security professionals as well as all other personnel;
  • Management of third-party service providers;
  • Integration of information security into business continuity and disaster recovery policies and procedures; and
  • Cyber security insurance coverage and other third-party protections.

DFS also provided information to financial institutions regarding its new examination process, including a procedure for assessing and scheduling IT/cyber security examinations. Moving forward, the DFS will schedule an IT/cyber security examination following a comprehensive risk assessment of each institution.

The December 10, 2014 industry guidance letter from Superintendent Lawsky and the DFS press release regarding the industry guidance letter were both published by the DFS.

Reporter, Sarah E. Statz, Atlanta, GA, +1 404 572 2813, sstatz@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
