NYDFS Cybersecurity: Risk assessment

In case you didn’t already know, banks are prime targets for cyber criminals. Financial organizations suffered 52 data breaches last year, according to figures from the Identity Theft Resource Center, and 72,000 records were compromised. With the number of cyber attacks rising across the country, the New York State Department of Financial Services (DFS) is on the alert.

In March, the NY DFS released rigorous cybersecurity requirements for banks, consumer lenders, money transmitters, insurance companies, and other financial service providers (i.e. ‘Covered Entities’). These requirements include a risk assessment, the details of which are outlined in section 500.09 of the proposal.

Are you prepared?

A risk assessment is one of the first tasks an organization should complete in order to begin its cybersecurity policy and program.

The DFS proposal emphasizes the fact that any organization’s cybersecurity policy should be based on the findings of its own risk assessment. This assessment must tackle the key issues that the DFS has highlighted throughout the proposal process. In an article covering the full report, the Harvard Law School Forum summarizes the role the risk assessment should play in the following areas:

  • Penetration testing and vulnerability assessments should be tailored towards the risks and vulnerabilities identified in the risk assessment. The only time testing is not necessary is if the entity maintains “effective continuing monitoring, or other systems to detect, on an ongoing basis, changes […] that may create or indicate vulnerabilities.”
  • Audit trail systems should be based on the risk assessment.
  • Access privileges to systems that provide ‘Nonpublic Information’ should be limited based on the findings of the risk assessment.
  • Security policies and procedures accessible to third parties will depend on applicable facts as well as the risk assessment.
  • Multi-factor authentication should be implemented if deemed necessary by the risk assessment.
  • Encryption of ‘Nonpublic Information’ or whether to employ alternative compensating measures should be determined based on the risk assessment.

Putting a policy in place

If you don’t know where to begin, our vsRisk™ software can help your organization prepare and give you a clear picture of your risks and threats. Providing a framework to start your cybersecurity program, you can save time, effort and expense with this risk assessment tool. Learn more about vsRisk™ >>