Tuesday, October 11, 2016

Cybersecurity - A Model Approach

Managing Director
Lenders Compliance Group

As some of you know, Lenders Compliance Group is the first risk management firm in the country to provide both a risk assessment and a disaster recovery plan for banks and nonbanks. The goal is to make the due diligence approach both affordable and consequential. Importantly, the resulting findings must meet regulatory scrutiny, since liability for implementing Internet Technology, Information Security, and Cybersecurity requirements remains with the financial institution. The review process is conducted by Kevin Origoni, our Director/IT-IS-Cybersecurity, who is a Six Sigma awardee for his knowledge and experience. Our interest in this area has only grown as federal and state regulators have become very active in implementing disaster recovery and cybersecurity guidelines.

Our attentiveness has been borne out by the recently proposed regulation involving cybersecurity issued by the New York State Department of Financial Services (DFS). The regulation would impose significant cybersecurity standards on entities it supervises. The proposal is subject to a 45-day public comment period, which will end on November 14, 2016. Importantly, some of these standards exceed current state and federal requirements. It is valuable, therefore, to take a brief look at these prospective standards.

The proposed regulation would apply to entities operating or required to operate under a license, registration or other authorization under the New York Banking Law, Insurance Law or Financial Services Law. These covered entities include:
  • New York state chartered banks,
  • New York licensed branches and agencies of foreign banks,
  • insurance companies,
  • money transmitters,
  • licensed lenders,
  • mortgage brokers, and
  • mortgage bankers, lenders and servicers.

Certain small entities would be exempt from some, but not all, of the requirements of the proposed regulation.

If adopted, the proposed regulation would require covered entities to adopt a written cybersecurity program and implement various safeguards to protect nonpublic information, as broadly defined in the proposal. Covered entities would have to annually certify to the DFS their compliance with the proposed regulation.

We believe that the DFS proposal will set a nationwide standard for cybersecurity and should be carefully considered as a model for disaster recovery, IT, IS, and cybersecurity requirements.

As it is currently drafted, the proposed regulation is prescriptive, inasmuch as it goes beyond the requirements imposed by the federal banking regulators on the depository institutions they supervise. For instance, guidance provided by the Federal Financial Institutions Examination Council (FFIEC) in its September 2016 Examination Handbook suggests that financial institutions should implement the type and level of encryption that is commensurate with the sensitivity of the information being protected. However, FFIEC does not mandate that all nonpublic information be encrypted both in transit and at rest, as the DFS has proposed. The DFS proposal also appears to require multi-factor authentication in a much broader range of circumstances than the guidance provided by federal regulators to depository institutions, which is mostly focused on online banking.

Similarly, the federal banking regulators require financial institutions to provide notice of information security breaches involving unauthorized access to or use of sensitive customer information; the DFS, however, would mandate such notification within 72 hours of any cybersecurity event, a timeframe that the federal banking regulators do not require.

The DFS sets forth standards for policies and procedures. Each covered entity’s cybersecurity program would need to be designed to ensure the confidentiality, integrity and availability of the covered entity’s information systems and to perform the following functions: