New York Officials Ratchet Up Cybersecurity Efforts

WASHINGTON – New York state officials are ratcheting up their efforts to ensure that all financial institutions they regulate are paying strict attention to cybersecurity.

In a letter to all financial institutions in the state, the New York Department of Financial Services (DFS) said the department is seeking detailed data from each of them on a raft of information regarding technology/cybersecurity procedures. The DFS said it will use the data to conduct a comprehensive risk assessment of each institution, and then schedule IT/cybersecurity examinations of those institutions.

In particular, IT/cybersecurity examinations will now include such areas as:

- Corporate governance, including organization and reporting structure for cybersecurity-related issues;

- Management of cybersecurity issues, including the interaction between information security and core business functions, written security policies and procedures, and the periodic re-evaluation of such policies and procedures in light of changing risks;

- The resources devoted to information security and overall risk management.

The DFS also wants to know about the risks posed by shared infrastructure, training of personnel on cybersecurity issues, management of third-party service providers, and cybersecurity insurance coverage and other third-party protections.

It wants answers to 16 detailed questions from all insurers, with the information to be provided to the agency by April 27, according to a letter from DFS Superintendent Benjamin Lawsky.

A raft of federal and state agencies, including the National Association of Insurance Commissioners (NAIC) and Congress, also are looking into the issue.

Last week, the House Intelligence Committee reported out a cybersecurity information sharing bill aimed at encouraging the sharing of critical cyberthreat information.

The bill is similar to the Cybersecurity Information Sharing Act (CISA), which was reported out by the Senate Intelligence Committee recently.

In general, the bills would allow for the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies.

InsuranceNewsNet Washington Bureau Chief Arthur D. Postal has covered regulatory and legislative issues for more than 30 years. He can be reached at [email protected].