New York Department of Financial Services (DFS) Opinion

Executive Summary
I reviewed and analyzed the report released by the New York Department of Financial Services (DFS). With cyber-attacks becoming more prevalent, Governor Andrew Cuomo has directed the department to conduct more comprehensive assessments of DFS regulated banks and financial institutions. The New York DFS conducted a survey of 154 financial institutions inquiring into their information security practices and general IT environment. The results showed that the participants experienced cyber security events, such as intrusions that led to account takeovers, that could be prevented in the future with adequate controls.

The use of the internet for financial services has become omnipresent, and it is imperative that proper cyber security measures are implemented to mitigate the risks associated with the information technology environment within financial institutions, in accordance with compliance regulations. In order to implement the necessary controls for technological risks, financial institutions in New York are required to have I.T. audits conducted to identify and address cyber security concerns.

Technology Risk / I.T. audit is a service line that encompasses the factors necessary for maintaining a strong and secure IT environment, including, but not limited to, network security assessments, penetration testing, logical access controls, IT system management task allocation, and compliance regulation testing such as GLBA and SOx. Technology Risk Consulting can provide tremendous value by having experts assess and evaluate the technology risks in the environment: an in-depth inspection of the IT practices currently in place, followed by advice on the best methods and solutions to mitigate the risks identified in the findings and observations. By collaborating with clients, Technology Risk Consulting is able to provide extensive knowledge and advice that goes beyond merely satisfying the new compliance regulations.

On May 6th, New York Governor Andrew Cuomo announced the release of a cyber security report indicating the growing risk and sophistication of cyber-attacks on financial institutions in New York. In an effort to install countermeasures to control such risks, Governor Cuomo has directed the Department of Financial Services (DFS) to consistently conduct new targeted cyber security preparedness assessments of DFS regulated banks. The growing number of users conducting their financial activities over the internet has led to an exponential increase in targets for cyber-attacks, which demonstrates that it is more important now than ever to address the need for assurance in cyber security.

“With today’s growing cyber threats we need to make sure New Yorkers’ finances are protected from online predators,” Governor Cuomo said. “Targeted cyber security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached. When consumers sign up for online banking they expect their personal information to be secure and we are working to make sure financial institutions take the proper precautions to safeguard it.”

The New York State Department of Financial Services conducted an industry-wide survey in 2013 on the cyber security programs in effect. The survey inquired about the following:
  • Information security frameworks,
  • Corporate governance in regards to cyber security,
  • Use and frequency of penetration testing and results,
  • Budget and costs associated with cyber security,
  • The frequency, nature, cost of, and response to cyber security breaches, and
  • Future plans on cyber security.

The report presented the findings of the year-long survey of the 154 banks that the DFS regulates. It was found that cyber-attacks have become more sophisticated in nature, with most institutions experiencing intrusions and/or attempted intrusions. Most of the aforementioned events resulted in account takeovers and identity theft. With such events taking place and the risk of future events present, it is imperative that adequate cyber security programs are in effect and regularly assessed in order to prevent and minimize such malicious activity. According to the report, the majority of the banks that participated in the survey indicated that they planned to ramp up their cyber security spending in the coming years. An increase in cyber security budgets represents a key opportunity for job growth and creation that will contribute to economic development in New York.

The Department of Financial Services has introduced new initiatives to gain control of the growing cyber threat, particularly a new targeted assessment of DFS regulated banks’ cyber security programs that will supplement the existing DFS examination process. Included in the new assessment are additional questions in the areas of IT management and governance, incident response, access controls, network security, vendor management, and disaster recovery.

Technology Risk Consulting provides risk management solutions from the information technology perspective to mitigate the risks associated with cyber security. Technology risk services include (but are not limited to) internal and external hack penetration testing, assessing logical access controls, network security assessments, evaluating procedures for outsourcing technology services, and performing a general IT audit.

Internal Hack Penetration Testing
By performing an internal hack penetration test, Technology Risk Consulting determines whether an attacker could gain unauthorized access to the organization’s internal application systems. The results demonstrate how an intruder may gain access to the system and what malicious activity could be carried out in the event of a successful intrusion. Industry best practices strongly encourage organizations to include internal penetration testing as a part of their regular cyber security program to ensure that internal networks are properly secured.

External Hack Penetration Testing
External hack penetration testing exposes what information is vulnerable to intrusions from outside the organization. Technology Risk Consulting penetration testers mimic the actions of an intruder exploiting weaknesses in network security that could potentially disrupt the integrity of the IT network. Performing an external penetration test also provides value to clients by addressing key IT security compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) that require an organization to test its information security program in order to identify vulnerabilities and address findings of concern accordingly.

Network Security Assessment (NSA)
Performing network security assessments is crucial in reviewing clients’ IT security controls. This assessment includes examining IT security policies and IT security management practices, reviewing the IT security architecture, and penetration testing. With more regulatory compliance standards being introduced, such an assessment is not only required, but is also beneficial to clients: it meets their information security needs and gives them the assurance that experts have confirmed the organization has mitigated its risks by putting controls in place.

Logical Access Controls
Logical access controls are the tools utilized for identification, authentication, authorization, and accountability of access to an organization’s program data and key financial information. These tools are in place to protect information assets from unauthorized remote access. Through assessment and evaluation of logical access controls, Technology Risk Consulting determines whether the entity’s information security policy is relevant and compliant with industry best practices and IT governance programs. Technology Risk Consulting provides advice and solutions to address any audit findings and observations associated with access controls.

Evaluate Outsourcing of Technology Services
According to the report released by New York’s DFS, the majority of banks of all sizes have a mix of in-house managed and outsourced IT systems. When technology services are outsourced, additional risks arise because critical information is in a third party’s possession. It is important to periodically evaluate the processes for vendor management in order to mitigate the related risks. As an element of Technology Risk Consulting’s IT general controls audit, experts take a close look at the client’s policies and procedures for dealing with third-party vendors, as well as the service agreements involved. Through the evaluation of such contracts, Technology Risk Consulting ensures that the appropriate components of the service agreements are in place to protect the client and reduce the risks associated with outsourcing critical IT tasks such as data storage and processing. Technology risk consultants work with clients to identify key findings and provide the best solutions for safeguarding their organization when dealing with vendors.

General I.T. Audit
In an organization, IT risk can stem from human error, malicious activity, or discrepancies in compliance regulations. It is imperative to identify significant events such as network failures, electronic fraud, data breaches, and the like, as such events can result in damage to the organization’s brand, finances, information, and reputation. Such outcomes can result in liabilities and loss of business, and can prevent businesses from reaching their goals. The Technology Risk Consulting practice performs an IT general controls review audit to assess the risks posed in the client’s IT environment. Within the IT audit, evaluations are conducted of information privacy and data protection measures, industry regulatory compliance, penetration testing, cloud computing, and social media risk assessments. Additionally, for financial institutions, the audit tests for compliance with GLBA, SOx, HIPAA, and the other regulatory acts in place that consistently require an IT audit.