N.Y. Bank Regulator Lawsky Lays Out Plan for Cyber Exams

New York banking regulator Benjamin Lawsky provided details Wednesday about his plan to require the state's financial institutions to strengthen their cyberdefense systems.

In a memo published on the Department of Financial Services website, Lawsky said that he planned to include a heightened focus on data protection in department's IT examinations and risk assessments.

"In an effort to promote greater cyber security across the financial services industry, the New York State Department of Financial Services plans to expand its information technology examination procedures to focus more attention on cybersecurity," Lawsky said in the memo.

Banks will now be required to answer questions about their cyber infrastructure in a pre-examination questionnaire known as a "First Day Letter." The questions will cover a range of topics, including a bank's reporting structure for cybersecurity issues, plans for information security testing and insurance coverage for third-party liabilities.

Additionally, Lawsky said the department will begin inspecting banks' cybersecurity policies and infrastructure, following each bank's comprehensive risk assessment.

As part of those examinations, banks will be required to provide information on 12 different topics related to their cyber infrastructure, including credentials of their chief information security officers, their data classification systems and due diligence process for vetting providers.

The announcement, which comes two months after JPMorgan Chase disclosed a breach of 76 million accounts, represents the state's first formal move to push banks to beef up their data security.

New York Governor Andrew Cuomo said in May that he had ordered the department to conduct regular assessments of the state's banks and credit unions, to focus on protecting consumer data.

Lawsky previewed plans for heightened security standards in October, saying in a speech that he planned to use the cybersecurity provisions of his proposal to regulate virtual currency firms as a model for future bank cyber regulations.

His BitLicense proposal, issued in July, included a requirement that firms implement an IT program designed to detect and recover from possible breaches.

For reprint and licensing requests for this article, click here.
Bank technology Law and regulation New York New York
MORE FROM AMERICAN BANKER