On Wednesday, December 10, 2014, financial industry regulatory and enforcement agencies issued statements that their organizations will increase scrutiny of financial industry cybersecurity practices going forward.
In New York, the State’s Department of Financial Services Superintendent Benjamin Lawsky issued new guidelines to banks, detailing how their cybersecurity practices would be evaluated. The memorandum—sent to all New York chartered or licensed banking institutions—noted that the Department would take a close look at banks’ data breach detection abilities, cybersecurity corporate governance practices, resources devoted to information security, defenses against cyberattacks, management of third-party service providers, and cybersecurity insurance coverage, among other things.
The memorandum further noted that, prior to conducting an examination, the Department intends to request information on 12 information technology- and cybersecurity-related issues, including the qualifications and responsibilities of banks’ Chief Information Security Officers, information security policies, due diligence processes, and software development standards.
Also on Wednesday, Commodity Futures Trading Commission (“CFTC”) Chairman Timothy Massad stated at a Senate Agriculture Committee hearing that cybersecurity is an issue that “will be focused on” in his agency’s examinations. Although the CFTC does not independently test compliance with its cybersecurity requirements, it reviews the evidence provided to show that those requirements are met. The CFTC currently requires the implementation of system safeguards, an information security risk management program, prompt notification of the CFTC in the event of an incident, and the existence of recovery procedures.
In addition to the above, officials from the FBI, the Secret Service, the Treasury, Homeland Security, and the Comptroller of the Currency testified Wednesday in a separate Senate hearing before the Committee on Banking, Housing, and Urban Affairs about the cybersecurity risks faced by the financial sector. The officials described the risks faced by financial institutions as “increasingly complex,” “organized,” and “persistent,” and vowed to work with the industry to reduce cybersecurity threats.
The increased scrutiny by regulators likely reflects growing public concern over the security and infrastructure of financial institutions. The announcements above follow recent data breaches at major banks and others, such as JPMorgan Chase, Target, Michaels Stores, and Home Depot.