On December 10, 2014, the New York Department of Financial Services (NYDFS) issued a letter to banking institutions chartered or licensed in New York notifying them of an expansion of the NYDFS information technology examination procedures to focus on cyber security issues as an integral aspect of risk management. The NYDFS issuance is just the most recent example of the increasing focus among state and federal regulatory agencies and government officials regarding cyber security and its importance to the financial services industry.
The expanded procedures will look at cyber security in a comprehensive manner and will include a review of corporate governance as it relates to cyber security risks, the relationship between information security and core business functions, shared infrastructure risks, training, disaster planning and insurance coverage and other third-party protection.
Following standard NYDFS procedure for information technology examination, each institution will receive a "First Day Letter" shortly before its examination with specific questions addressing the new cyber security review in addition to current examination topics. Financial institutions may need to devote additional time or resources to preparing for the examinations in order to address the increased scope of the questions provided in the First Day Letters.
In addition, the NYDFS has indicated that it will be conducting a comprehensive risk assessment of each banking institution. As part of that process, banking institutions can expect to receive separate requests from NYDFS for detailed information in response to 12 questions addressing such matters as information security policies and procedures, information security staffing and organizational structure, vulnerability management programs, incident response programs, identity and access management systems and due diligence processes for selecting and monitoring third-party service providers.
While the current expansion of the NYDFS information technology procedures is focused on banking institutions, it is clear that NYDFS considers cyber security an important risk factor for all of the institutions falling within its jurisdiction. We expect NYDFS to follow up with similar procedures for examination of insurance companies and other entities subject to the examination authority of the NYDFS.
© Copyright 2014. The Mayer Brown Practices. All rights reserved.