N.Y. Bank Regulator Lawsky Lays Out Plan for Cyber Exams

Bank Cyber Security and Regulatory Imperatives  Register Now!
Bank technology

N.Y.'s Lawsky Considering Strict Cybersecurity Regime for Banks

New York regulator Benjamin Lawsky may use the cybersecurity rules he's proposed for virtual-currency companies as a model for traditional banks. That would subject the financial institutions his agency supervises to the most stringent data-security rules anywhere.

By Chris Cumming

October 17
Bank technology

Eight Lessons for Banks from the Data Breaches of 2014

Bank executives need to understand these basics of vulnerability and accountability when it comes to the security of electronic networks or they could quickly lose their jobs.

By Penny Crosman

December 2

New York banking regulator Benjamin Lawsky provided details Wednesday about his plan to require the state's financial institutions to strengthen their cyberdefense systems.

In a memo published on the Department of Financial Services website, Lawsky said that he planned to include a heightened focus on data protection in department's IT examinations and risk assessments.

"In an effort to promote greater cyber security across the financial services industry, the New York State Department of Financial Services plans to expand its information technology examination procedures to focus more attention on cybersecurity," Lawsky said in the memo.

Banks will now be required to answer questions about their cyber infrastructure in a pre-examination questionnaire known as a "First Day Letter." The questions will cover a range of topics, including a bank's reporting structure for cybersecurity issues, plans for information security testing and insurance coverage for third-party liabilities.

Additionally, Lawsky said the department will begin inspecting banks' cybersecurity policies and infrastructure, following each bank's comprehensive risk assessment.

As part of those examinations, banks will be required to provide information on 12 different topics related to their cyber infrastructure, including credentials of their chief information security officers, their data classification systems and due diligence process for vetting providers.

The announcement, which comes two months after JPMorgan Chase disclosed a breach of 76 million accounts, represents the state's first formal move to push banks to beef up their data security.

New York Governor Andrew Cuomo said in May that he had ordered the department to conduct regular assessments of the state's banks and credit unions, to focus on protecting consumer data.

Lawsky previewed plans for heightened security standards in October, saying in a speech that he planned to use the cybersecurity provisions of his proposal to regulate virtual currency firms as a model for future bank cyber regulations.

His BitLicense proposal, issued in July, included a requirement that firms implement an IT program designed to detect and recover from possible breaches.

Kristin Broughton

twitter