There’s a new meaning to “C-suite” as cybersecurity is not just an IT risk. The New York State Department of Financial Services (DFS) gave new meaning to “C-suite” when it sent a letter to CEOs, GCs and CIOs of regulated insurance companies at the end of March 2015, notifying them that DFS examinations will now focus more attention on cybersecurity.
The letter came on the heels of DFS Superintendent Benjamin M. Lawsky warning: “Recent cybersecurity breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyberdefenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”
Given these concerns and the high stakes associated with cybersecurity, C-suites of all financial institutions—not just those regulated by DFS—should carefully consider how they can bolster their firms’ cybersecurity defenses by reviewing regulatory findings and implementing appropriate practices to safeguard their data.
In its letter, DFS “encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” DFS instructed each insurer to prepare and submit a report by April 27, 2015, responding to 16 separate requests. The reports are intended to assist DFS in conducting comprehensive risk assessments for each institution, which will be used to schedule IT/cybersecurity examinations.
Not surprisingly, the letter echoes DFS’s December 2014 letter to all New York chartered or licensed banks, announcing the incorporation of new questions into its examinations to “promote greater cybersecurity across the financial services industry.” The letters by and large mirror each other and indicate that DFS will now examine regulated entities on such things as penetration testing, protocols for the detection of cyberbreaches, defenses against such breaches and corporate governance related to cybersecurity.
There are some differences between the two letters, however, which may indicate the evolution of DFS’s thinking on cybersecurity or the areas that are most concerning to DFS at this point in time. In particular, the March 2015 letter contains four new requests for institutions to:
- Provide a copy of policies and procedures governing relationships with third-party service providers that address information security risks;
- Describe the steps taken to adhere to the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (NIST) concerning third-party stakeholders;
- Describe protections the institution uses to safeguard sensitive data sent to, received from, or accessible to third-party service providers; and
- List protections against loss or damage incurred as a result of an information security failure by a third-party service provider.
All four of these requests relate to cybersecurity risks posed by third parties. Their importance, though, was signaled by Lawsky in a speech earlier this year, in which he discussed how cybersecurity keeps financial regulators “up at night.” Lawsky stressed that “a company’s cybersecurity is only as strong as the cybersecurity of its third-party vendors” and that DFS is “considering mandating that our financial institutions receive robust representations and warranties from third-party vendors that those vendors have critical cybersecurity protections in place.”
While Lawsky’s speech does not elaborate and the DFS letter does not contain any particular guidance on how insurance companies or other financial institutions should address these items, the letter does point to the NIST framework for cybersecurity best practices. In relevant part, the framework applies a tiered system, which encourages collaborative risk management with third parties to help improve cybersecurity before a cyberevent occurs through information sharing and training.
For insurance companies and other financial institutions looking for additional guidance, DFS recently published a report outlining observations from its cybersecurity examination of 40 regulated banking organizations focusing on their management of third-party service providers. In particular, the report notes that most banks:
- Typically classify vendors by risk category for due diligence purposes and conduct specific information security risk assessments of at least their high-risk vendors;
- Have information security requirements for their vendors and require multi-factor authentication for at least some vendors to access sensitive data or systems; and
- Require vendors to represent that they have established minimum information security requirements and to allow the banks to audit them.
The report also notes that, while the “overwhelming majority” of the banks had adopted NIST principles concerning third-party stakeholders, the application of these principles varies across the institutions.
The Financial Industry Regulatory Authority (FINRA) Report on Cybersecurity Practices, published in February 2015, provides valuable tips and observations on how to manage third-party cybersecurity risks. It recommends managing those risks across the lifecycle of third-party relationships (e.g., vendors and business partners), including:
- Performing initial and ongoing due diligence of third parties that complements the firm’s periodic risk assessments;
- Factoring third parties into risk assessment planning and controls; and
- Inserting appropriate terms into third-party contracts (e.g., express indemnification and notice provisions for cyberattacks, warranties and representations for cybersecurity measures in place, and audit provisions).
With respect to the first recommendation, the FINRA report outlines various controls that should be examined during initial and ongoing due diligence, including that the third party:
- Limits its employees’ and subcontractors’ access to data and periodically trains them;
- Implements reasonable technical controls (e.g., virus protection, encryption, system patches, and multi-factor authentication); and
- Conducts periodic risk assessments and regularly updates its cybersecurity policies and procedures.
FINRA observed that due diligence is typically conducted by teams that include employees from a firm’s relevant business, legal, compliance, information technology/security, and risk management departments. FINRA also observed that the level of due diligence performed is typically calibrated with the level of risk posed by the third party.
Given the general nature of these tips and observations, they may be transferable beyond the broker-dealer context to help insurers and other financial institutions tailor reasonable cybersecurity measures that are relevant to their particular business and risk profile.
Regulators have made clear that cybersecurity is now a C-suite issue. Abdication of the issue to IT is no longer an option. C-suites of financial institutions should be knowledgeable about and involved with their cybersecurity programs to ensure that appropriate cybersecurity practices are in line with regulatory guidance. After all, “C” now means “cybersecurity,” at least in the eyes of DFS.
By Judy Selby and Jonathan A. Forman
Originally published: Legaltech news