Group of professionals discuss finance

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Banking and Finance Law Daily, December 10, 2014

New York regulator spells out cyber security preparedness assessment criteria

By Charles A. Menke, J.D.

The New York Department of Financial Services (DFS) is expanding its information technology examination procedures for the institutions it regulates to focus more attention on cyber security. The DFS announced a new cyber security assessment process in an industry guidance letter that sets forth the specific issues and factors the agency will be considering when conducting regular, targeted cyber security preparedness assessments of regulated institutions.

Ongoing examination component. The cyber assessments will be a regular and ongoing component of all DFS examinations taking into account protocols such as: the detection of cyber breaches and penetration testing; corporate governance related to cyber security; defenses against breaches, including multi-factor authentication; and the security of third-party vendors. "It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators,” DFS Superintendent Benjamin M. Lawsky said.

Assessment process. The DFS has incorporated into its regular examinations new questions and topics on cyber security, which will be embodied in pre-examination "First Day Letters." Areas covered by the DFS will include:

  • management of cyber security issues, such as the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of policies and procedures in response to changing risks;

  • resources devoted to information security and overall risk management;

  • risks posed by shared infrastructure;

  • protections against intrusion including multi-factor or adaptive authentication and server and database configurations;

  • information security testing and monitoring;

  • incident detection and response processes;

  • training of information security professionals and other personnel;

  • management of third-party service providers;

  • integration of information security into business continuity and disaster recovery policies and procedures; and

  • cyber security insurance coverage.

MainStory: TopStory BankingOperations IdentityTheft NewYorkNews Privacy

Banking and Finance Law Daily

Introducing Wolters Kluwer Banking and Finance Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.


A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.