SecurityScorecard Blog

New York Department of Financial Services Identifies 2022 Cybersecurity Priorities and Current Trends

Sachin Bansal, Chief Business & Legal Officer
02/15/2022

In a recent webinar, SecurityScorecard hosted Justin Herring, Executive Deputy Superintendent of the Cybersecurity Division at the New York Department of Financial Services (DFS), and Luke Dembosky, Partner and Co-Chair of the Data Strategy & Security practice at Debevoise & Plimpton, to discuss DFS’s top cybersecurity priorities for this year, its current enforcement and examination trends, and the regulatory environment around cybersecurity in 2022. Herring is the first Executive Deputy Superintendent of Cybersecurity at DFS. The Cybersecurity Division aims to protect consumers and industries from cyber threats and oversees all aspects of DFS cybersecurity regulation, including enforcement, examination, and guidance.

Overview of DFS and its Cyber Regulation (Part 500)

The overarching cybersecurity regulation to which DFS-regulated entities are subject, commonly known as “Part 500,” turns five years old in March. Part 500 establishes cybersecurity requirements for DFS-regulated financial services companies, including insurers, banks, cryptocurrency businesses, and student loan servicers. According to Herring, the DFS cyber division and the Part 500 regulation are necessary because cybersecurity cuts across every aspect of a financial services company.

To be covered by Part 500, a company must already be regulated by DFS; a company that DFS does not regulate at all is not regulated by DFS for cybersecurity either. There is no single answer to which companies must be licensed and regulated by DFS because the requirements are sector-specific, Herring said. The banking and insurance industries make up the majority of DFS-regulated entities. Other entities commonly regulated by DFS include mortgage loan providers, student loan providers, financial trusts, cryptocurrency companies, and a large category of money-services businesses, including check cashers and payment companies such as PayPal or Google Payments.

Determining whether a company is subject to DFS compliance becomes complex, Herring said, when the company is affiliated with a licensed covered entity, as with companies that provide non-banking financial services. For a company with a small footprint in New York, for example a solo insurance broker or a small financial services office, the DFS regulation contains an adoption provision that addresses this affiliate compliance issue. The smaller company does not need to build a separate cyber program or hire its own CISO if there is an organization-wide CISO; it can adopt the cyber program of its larger affiliate. The key condition is that the adopted program must be fully compliant with Part 500 and other DFS regulations. If the covered entity relies in whole or in part on its larger affiliate for its Part 500 compliance, DFS can review the relevant portions of the affiliate’s program to understand the basis for that compliance.

One of the core activities of the cyber division is conducting examinations. Before the COVID-19 pandemic, an examination typically involved an on-site review, meetings with company officers, interviews, and a thorough assessment of the company’s overall condition. DFS still carries out every component of the traditional examination process, adapting parts of it to a virtual assessment. These examinations are designed to confirm that the company has a cyber program and proper protocols that address its cyber risks and its other obligations under Part 500.

Financial Sector Cybersecurity Outlook

Herring gave a candid account of the challenges facing the financial services sector in 2022 and the cyber risks DFS is particularly concerned about this year. While Herring said “there will be no surprises” in terms of regulation, and companies have become more accustomed to their Part 500 obligations, cyber risks continue to evolve and advance. The top-of-mind risks to DFS covered entities are (1) ransomware and (2) third-party risk.

Ransomware

Ransomware is arguably the most serious risk to the financial sector. Herring pointed out that ransomware is not only increasingly prevalent and virulent but also a non-traditional threat to the sector. Whereas traditional cyber incidents such as intrusions more commonly result in data theft or the exposure of sensitive information, ransomware is an operational threat to covered entities and could trigger a financial meltdown.

As the Colonial Pipeline attack showed, ransomware can shut down a company’s operations, destabilizing the organization and, through a chain reaction, disrupting financial markets. The longer-term financial and reputational repercussions of a major incident of this kind add to the pernicious effects of ransomware attacks.

Third-party risk

We are all in the business of third-party cyber risk, whether from service providers, vendors, or affiliates, Herring said. He ranks the growing risk presented by third-party vendors just behind ransomware as a chief priority for DFS. Recent breaches commonly involve third-party connections, which can produce cascading effects.

Third-party vendors present a myriad of additional risks to any company: when a company enters a relationship with a vendor, it exposes itself to that vendor’s cybersecurity risks. This transitive risk, Herring said, can have serious implications for the security of a covered entity. Ensuring the security and cyber resilience of any entity in 2022 will require increased visibility into, and emphasis on, third-party risk management.

Enforcement and Compliance in 2022

Luke Dembosky, a leading cyber and data privacy attorney at Debevoise & Plimpton who represents many financial services clients, asked Herring how DFS plans to engage entities on enforcement and compliance in 2022. Many of Debevoise’s clients are subject to DFS regulations and want to know how DFS plans to update and modernize its cybersecurity practices to keep pace with the dynamic and growing threats to the sector.

In 2021, the most common control gaps involved multifactor authentication (“MFA”). In late 2021, DFS published MFA guidance that Herring described as “the greatest hits list of problems when it comes to enforcement and examination.” Of the enforcement actions that have been publicly resolved, two out of three included charges related to the absence of MFA or a failure to fully implement it. Another factor in two out of three of the enforcement actions was a failure to investigate cyber incidents.

Herring emphasized the importance of a company’s investigation and response following a cyber incident. DFS expects companies to investigate the scope of the harm to the company and its customers and to comply diligently with breach notification requirements. A company should also learn what went wrong, which weaknesses contributed to the incident, and how the company, and companies like it, can refine their cybersecurity programs with new security measures to prevent future incidents.

Enterprise-wide Risk Management

Governance is an important aspect of DFS’s cyber regulation, Part 500. Herring believes that senior leadership taking responsibility for security is critical to Part 500 compliance. Under Part 500, each covered entity must certify annually that its cybersecurity program complies with Part 500. Herring considers this certification requirement the single most transformative requirement in Part 500 because of the diligence it drives.

DFS guidance is not intended only for attorneys or the compliance department, Herring said. DFS wants companies’ senior leadership, including the Board and C-suite executives, to understand the operational and business risks associated with cyber incidents and to resource cybersecurity commensurate with that risk.

An enterprise-wide approach to risk management will require enterprise-wide solutions, Herring said. Senior leadership sets the direction, and those executives are the people who drive the necessary change within a company and, ultimately, the industry. When the leaders of a company are pushed to take high-level responsibility for security, they set a tone throughout the organization that prioritizes risk management.

Continuous Monitoring with Security Ratings

Herring wants to modernize the enforcement and compliance tools DFS uses to meet the dynamic cyber threats companies face. He has looked to industry, specifically the insurance industry, for ways to modernize and develop existing tools. Herring told the audience that DFS has asked cyber insurers what tools they use to continuously monitor and assess the cybersecurity risk of the companies they insure.

Herring expects DFS to use already existing tools, such as control analysis surveys and the rating analysis that third parties like SecurityScorecard produce, to advance its existing examination and assessment processes.

DFS uses risk management tools, including SecurityScorecard’s security ratings platform, to “better track risk over time, and across the 3,000 entities” that DFS regulates. By applying real-time risk monitoring to both covered entities and their third parties, DFS uses the outside-in, data-driven approach of security ratings to supplement and enhance its existing enforcement and compliance framework.

You can watch the webinar “Fireside Chat with N.Y. Dep’t of Financial Services’ Cyber Chief” on demand here.

SecurityScorecard
Tower 49
12 E 49th St
Suite 15-100
New York, NY 10017

[email protected]

United States: (800) 682-1701
International: +1(646) 809-2166