By Ronald A. Sarachan and Zoë K. Wilhelm
The Wall Street Journal recently reported that the New York State Department of Financial Services (DFS) is “requiring” about 200 banks “to answer questions in real time on December 12 to assess their cybersecurity policies and processes” in “what amounts to a competition on which is best prepared to handle a cyberattack.” The real story about DFS’s stance on cybersecurity is both bigger and smaller than the Wall Street Journal describes.
DFS Already Surveyed Banks on Cybersecurity Practices
DFS will not necessarily learn anything new in the web-based, real-time surveys on December 12, nor is that the stated intent. Earlier this year, DFS surveyed banks that it regulates on their cybersecurity policies. The surveys were sent by mail and were apparently voluntary. The move was overshadowed by DFS’s subsequent survey of insurance companies, in part because the insurance companies were legally required to respond. The media also may have overlooked the bank surveys because DFS issued a press release to announce the insurance company surveys, but buried the announcement of the bank surveys in a single sentence in that same release. DFS has received cybersecurity surveys from about 200 regulated entities, including both banks and insurance companies, as DFS Superintendent Benjamin Lawsky reported in testimony Monday, November 18 at a New York Senate public hearing on cybersecurity.
According to Superintendent Lawsky, DFS is providing the real-time survey on December 12 to benefit banks. DFS already has and is currently analyzing the 200 survey responses that it received this spring. Superintendent Lawsky testified last Monday that DFS has learned from those surveys that “institutions want to know how they are doing on cybersecurity, especially relative to their peers,” but because of the competitive atmosphere in the financial industry, there is little information sharing. Indeed, in February, U.S. bank representatives on the Federal Advisory Committee requested the Federal Reserve to collect and share information about cyberthreats among financial institutions and law enforcement. And while Mr. Lawsky stated that DFS is “asking” its regulated entities (excluding insurance companies) to participate, he did not report that they would be legally required to do so. Mr. Lawsky testified that he believed that this real-time survey would be a first for regulators and stated, “We’re hoping this can be a model for getting the industry to share data more and thus improve their cyber responses.”
New York State is Increasingly Focused on Cybersecurity
Both DFS’s real time survey of banks and its written surveys earlier this year are part of a larger, New York State initiative led by Governor Cuomo to focus on cybersecurity. In May, DFS sent its written surveys on the heels of Governor Cuomo’s announcement of the membership of a newly formed Cyber Security Advisory Board to “advise the administration on developments in cyber security and make recommendations for protecting the state’s critical infrastructure and information systems.” The advisory board is co-chaired by Superintendent Lawsky.
Governor Cuomo’s concern about cybersecurity is not limited to the financial services sector. In his announcement of the advisory board, he stated, “In the 21st century, almost all of our daily activities are linked to the internet – from banking to shopping to using our telecommunications networks and physical infrastructure systems.” In addition to responding to and preventing cyberattacks, Governor Cuomo seeks to position New York as a leader in cybersecurity in order to attract businesses in the rapidly growing field to the state. Mr. Lawsky, in his public hearing testimony, echoed this sentiment.
Meanwhile, state legislators signaled at the senate hearing Monday that they were considering cybersecurity legislation, questioning those who testified about whether there is a gap in federal regulation and noting that “there are other states out there that are further ahead than we are.” Superintendent Lawsky, for one, expressed reluctance to advocate for more legislation or regulations at either the state or federal level. “More regs and more laws are often not the answer,” he said. “If we focus on the ones we have and really enforcing them and using them in creative ways to their utmost, we’ll probably be successful.”
In the coming months, DFS will issue reports about the results of the cybersecurity surveys and guidelines for cybersecurity practices for the financial industry. The nonprofit government contractor (CIS) will likely play a role in analyzing the survey data and preparing the guidelines. DFS is collaborating with CIS to offer the web-based survey on December 12, as Mr. Lawsky stated on Monday. Also on Monday, Governor Cuomo announced that the New York State Intelligence Center, the state’s cybersecurity protection agency, has relocated to the Center for Internet Security.
As states become increasingly active in the area of cybersecurity, it is important for business to keep up-to-date on state as well as federal regulations and initiatives. We will continue to monitor the cybersecurity-related reports and press releases of both DFS and other New York government entities.