Cyber Security: The Next Level

Don Miller

Financial Sector Regulators Expanding Scope of Cyber Security Audits

bTrade has written before about cyber security risk assessments.  We also covered the topic on our Twitter feed (@bTradeLLC) during National Cyber Security Awareness Month (#CyberAware).  We would be remiss if we didn’t let MFT Nation readers know about a New York agency in the financial sector that is actively pushing for new regulations governing a variety of cyber security topics, including risk assessment.

To “promote greater cyber security across the financial services industry,” the New York State Department of Financial Services (NYDFS) announced late last year that it would be “expanding” its IT audits to “focus more attention on cyber security.”  The expanded audit scope includes an examination of a broad array of relevant cyber security items, including the qualifications and management of an entity’s employees and third party vendors who are performing cyber security functions, steps taken to protect against intrusion, and cyber security insurance coverage.

NYDFS also advised that it would not even schedule a cyber security audit until a company has completed a “comprehensive risk assessment.”  To aid in the assessment, each institution is required to submit a 16-part, detailed report describing its information security processes, including the systems in place to safeguard information, patch management programs, and “vetting, selecting, and monitoring third-party service providers.”

Earlier this month, the NYDFS published a letter that it addressed to a group of financial sector agencies/associations at both the federal and state level.  After offering an opinion that cyber security is “among the most critical issues facing the financial world today,” NYDFS describes the results of its cyber security audits, as well as other steps it has taken to “highlight and identify existing and emerging cyber security risks at banks and insurance companies.”  NYDFS also discusses several “broad conclusions and concerns” that emerged from the risk assessments.

It would be worth your time to review the entirety of the NYDFS letter because the MFT Nation staff have the feeling that NYDFS’s audit/risk assessment processes will likely spread to other states.  In fact, NYDFS made such a recommendation in its letter:  “The Department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues.”

If you have any questions about this post or the cyber security risk assessment process, please send a confidential email to