REPORT: Cybersecurity To Become Part Of The New York Department of Financial Services Banking Examination

The NYDFS issued a report entitled “Report on Cyber Security in the Banking Sector”, in which the NYDFS stated that it plans to review a bank’s cyber security incident response and event management, access controls, network security, vendor management, and disaster recovery in evaluating the bank’s overall safety and soundness. 

From the report’s Introduction:

Cyber attacks against financial services institutions are becoming more frequent, more
sophisticated, and more widespread. Although large-scale denial-of-services attacks against
major financial institutions generate the most headlines, community and regional banks, credit
unions, money transmitters, and third-party service providers (such as credit card and payment
processors) have experienced attempted breaches in recent years.

The rise in frequency and breadth of cyber attacks can be attributed to a number of factors.
Unfriendly nation-states breach systems to seek intelligence or intellectual property. Hacktivists
aim to make political statements through systems disruptions. Organized crime groups, cyber
gangs, and other criminals breach systems for monetary gain—i.e., to steal funds via account
takeovers, ATM heists, and other mechanisms.  As the cost of technology decreases, the barriers to entry for cyber crime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber fraud. A growing black market for breached data serves to encourage wrongdoers further.

With this in mind, the New York State Department of Financial Services (“the Department”) in 2013 conducted an industry survey on cyber security. A total of 154 institutions were asked to complete a questionnaire seeking information on each participant’s cyber security program, costs, and future plans. The objective of the survey was to obtain a horizontal perspective of the financial services industry’s efforts to prevent cyber crime, protect consumers and clients in the event of a breach, and ensure the safety and soundness of their organizations. Of the total 154 depository institutions that completed the Department’s cyber security questionnaire, there were 60 community and regional banks, 12 credit unions, and 82 foreign branches and agencies.

The survey asked questions about each participant’s information security framework; corporate governance around cyber security; use and frequency of penetration testing and results; budget and costs associated with cyber security; the frequency, nature, cost of, and response to cyber security breaches; and future plans on cyber security.

In addition to the survey, the Department met with a cross-section of depository institutions and cyber security experts over the course of several months to discuss industry trends, concerns, and opportunities for improvement. This dialogue provided important additional context regarding specific challenges facing the industry, including the rapid pace of technological change and the increased frequency and sophistication of cyber attacks.

The findings described in this report represent responses of the survey participants as a whole or of specific sub-categories of participants (e.g., by asset size). The findings are not indicative of any particular institution.

Download the full report here: New York State Department of Financial Services Report on Cyber Security in the Banking Sector