National CyberSecurity Awareness Month: A Useful Tool from an Unlikely Source

With October being National CyberSecurity Awareness Month, now is a good time for financial institutions to take a hard look at their own information security and privacy practices. As we all know, privacy and protection of customer information is a duty of every employee of the institution. As a compliance officer or auditor, your role is to make sure your institution complies with the myriad rules, regulations, policies and procedures applicable to you. In addition to assuring compliance, you are tasked with assessing the adequacy of those policies and procedures. Since most states have been slow to enact specific cybersecurity legislation (other than incident response requirements), you are mostly concerned with federal laws like GLBA, BSA, FACTA, etc. However, there is one state that has been proactive and actually took action in 2017. The NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES enacted 23 NYCRR 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES on March 1, 2017. This regulation is an excellent document for compliance officers/auditors to use as a checklist for assessing the adequacy of their own information security policies and procedures. If your state does not have a similar law or regulation, I suggest you take a look at the complete New York cybersecurity regulation 23 NYCRR 500 at

In the meantime, we’ve created a brief summary of the key components of the regulation:
Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. 

  • Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform core cybersecurity functions.

  • Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address all areas applicable to the Covered Entity’s operations.

  • Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). 

  • Penetration Testing and Vulnerability Assessments. The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. 

  • Audit Trail. Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:
  • (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and
  • (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

  • Access Privileges. As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment, each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

  • Application Security. Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

  • Risk Assessment. Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations. 

  • Cybersecurity Personnel and Intelligence. Each Covered Entity shall utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third-Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions.

  • Third Party Service Provider Security Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable.

  • Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.

  • Limitations on Data Retention. As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

  • Training and Monitoring. As part of its cybersecurity program, each Covered Entity shall:
  • (1) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and
  • (2) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

  • Encryption of Nonpublic Information. As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

  • Incident Response Plan. As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.

  • Notices to Superintendent. Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.

For more information on cybersecurity education and awareness training, visit ThreatAdvice, Springhouse Compliance's sister company. Want an idea of where your bank stands on current cybersecurity awareness? Request your complimentary Phishing Report today.