One of the most persistent and insidious threats to companies is cyber attacks. Whether these attacks involve theft of intellectual property, installation of malware, or denial of service, they pose a significant risk to businesses and their customers. For many companies, especially financial services companies, the risk is heightened by the personally identifiable information (PII) of customers and employees usually housed on company systems. This PII can be the target of or collateral damage from cyber attacks. Adding to the problem, cyber attacks do not take a single form, and hackers have shown that they evolve quickly to thwart static cybersecurity tools.
Given the dynamic nature of the threat, it’s unsurprising that The Wall Street Journal reported last month that the U.S. financial services industry is projected to spend an additional $2 billion on cybersecurity in 2015. The money, according to the report, will go to outside consulting firms and new employees dedicated to cybersecurity. Based on recent comments from and actions by key financial regulators, the additional funding to detect and prevent cyber attacks is money well spent.
In October, Benjamin Lawsky, Superintendent of Financial Services for the State of New York, began requesting information from banks regarding their cybersecurity practices, and announced that cybersecurity rules could be coming. Just last week, Lawsky’s agency announced that it had issued new examination guidance outlining “Targeted Cyber Security Preparedness Assessments” that would be incorporated into future bank examinations. The guidance informs DFS-regulated banks that they will now face new questions and topics to be addressed in examinations, including:
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.
Nor is all the action limited to state regulators. Martin Gruenberg, Chairman of the Federal Deposit Insurance Corporation, included a report on the FDIC’s efforts to encourage enhanced cybersecurity at banks of all sizes in his remarks to the Senate Committee on Banking, Housing, and Urban Affairs this fall, noting that the FDIC had also been active in issuing guidance to banks to make them more aware of the need to address this threat. And in November, the Federal Financial Institutions Examination Council (FFIEC) released its “Cybersecurity Assessment General Observations,” which concluded that, as a result of its recent assessment of financial institutions’ cybersecurity preparedness levels, the FFIEC was “reviewing and updating current guidance to align with changing cybersecurity risk” – a statement that indicates additional guidance and increased monitoring requirements may be forthcoming in 2015.