On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool.

The Cybersecurity Assessment Tool was originally released by the FFIEC in June of 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Cybersecurity Assessment Tool is intended to be used by financial institutions of all sizes to perform a self-assessment and inform their risk management strategies. Upon the release of the original Cybersecurity Assessment Tool, the FFIEC noted its plan to update the Cybersecurity Assessment Tool as threats, vulnerabilities, and operational environments evolve.

According to the FFIEC’s May 31st press release, the update to the Cybersecurity Assessment Tool “addresses changes to the FFIEC IT Examination Handbook by providing a revised mapping in Appendix A to the updated Information Security and Management booklets”. The updated Cybersecurity Assessment Tool also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.”

Financial institutions can find the updated version of the Cybersecurity Assessment Tool here.

Earlier this month, the new cybersecurity regulation from the New York Department of Financial Services (“DFS”) took effect. The new regulation requires banks, insurance companies and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The final cybersecurity regulation is very similar to the proposed regulation, which we reported on in a previous post, but contains a few notable changes:

  • Record retention requirements for audit trails designed to detect and respond to Cybersecurity Events were reduced from five years to three years.
  • Clarification that Covered Entities’ policies and procedures regarding notice to be provided by Third Party Service Providers of Cybersecurity Events cover only the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider.
  • Clarification of the circumstances under which a Covered Entity must provide notice of a Cybersecurity Event to the Superintendent.
  • The limited exemptions have been revised to specifically include the number of employees and the gross annual revenue of a Covered Entity’s affiliates located in New York.
  • Clarification on the exemptions available for companies regulated under New York’s Insurance Law.

Financial institutions in other states may wish to pay particular attention to this “first-in-the-nation cybersecurity regulation” issued by a state financial regulator, particularly as it may be only a matter of time before other states follow New York’s lead.

The DFS regulation, 23 N.Y.C.R.R. Part 500, is available here.

Last month, the Financial Industry Regulatory Authority (FINRA) released its annual Regulatory and Examination Priorities Letter (the “2017 Priorities Letter”) which highlights the areas that FINRA plans to focus on in its 2017 examination of registered broker-dealers.

It should come as no surprise that cybersecurity is listed as one of the operational threats that FINRA intends to focus on in 2017. The 2017 Priorities Letter recognizes that “[c]ybersecurity threats remain one of the most significant risks many firms face.” As part of its examination, FINRA will assess a broker-dealer’s programs to mitigate cybersecurity risks, taking into consideration each broker-dealer’s business model, size and risk profile. More specifically, broker-dealers should be prepared for FINRA to (i) review the broker-dealer’s methods for preventing data loss, (ii) assess the controls the broker-dealer uses to monitor and protect its data, and (iii) review how the broker-dealer manages its vendor relationships. Also, because FINRA understands that “[t]he nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources,” FINRA intends to examine a broker-dealer’s controls to protect sensitive information from insider threats.

Additionally, FINRA intends to focus on two areas in which it has noted repeated shortcomings in controls among the broker-dealers that it regulates: (1) poor cybersecurity controls at branch offices (for example, poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data), and (2) failure to preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format, pursuant to Securities Exchange Act (SEA) Rule 17a-4(f).

The full text of FINRA’s 2017 Regulatory and Examination Priorities Letter can be found here.

On December 28, 2016, the New York State Department of Financial Services (NYDFS) updated its proposed cybersecurity regulation to protect New York State.  The proposed regulation is effective March 1, 2017, and requires banks, insurance companies and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.  Entities covered by the rule include “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”  We last reported on the draft version of these rules in a previous post.

The updated proposed rule was issued after the comment period on the earlier proposed rule, for which comments were due November 14, 2016. The updated proposed regulation, which was submitted to the New York State Register on December 15, 2016 and published on December 28, will be finalized following an additional 30-day notice and public comment period, which ends 30 days from publication, or Friday, January 27, 2017.

You may view the updated proposed regulation by clicking here.