Cyber Risk Management: No More Quiet Backrooms
By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice
Last month, in New York City, Protiviti hosted a gathering of scores of financial service industry representatives to discuss the recently enacted New York Department of Financial Services’ (DFS) Part 500, Cybersecurity Requirements For Financial Services Companies. Similar in design to the previously enacted DFS Part 504, Transaction Monitoring and Filtering Program Requirements and Certifications, Part 500 requires DFS-regulated covered entities (including banking organizations, insurance companies, money services businesses and others) to develop and maintain effective cybersecurity programs and to certify annually to the DFS that they are meeting the requirements of the regulation.

The attendees – chief information security officers, chief compliance officers, chief counsels, internal auditors and other senior executives of banks and insurance companies – engaged in a lively discussion with a panel of cyber experts about the challenges of managing cyber risk and were especially honored to hear directly from DFS Superintendent of Banking Maria Vullo, who shared the reasons her agency felt it necessary to adopt this regulation, as well as her compliance expectations.

Superintendent Vullo said that “as cyber-attacks are increasing across the globe, laws and regulations are not just appropriate, they are necessary. Government must be in the game, looking ahead to help prevent misconduct.” The need for a proactive partnership between government and industry to do more to prevent and learn from cyber attacks was a strong theme throughout the Superintendent’s comments. While she recognized that many covered entities have multiple regulators all of whom may have different expectations regarding cyber risk management, the Superintendent stated her firmly-held belief that to do nothing, in the hopes of achieving a uniform regulatory approach in the U.S., was simply not an option for the DFS, and she encouraged other regulators to adopt the DFS model. From a governance perspective, the Superintendent was very clear that industry responsibility for cyber risk management rests squarely at the feet of boards of directors and senior management.

In designing Part 500, the Superintendent said that DFS’s goal was to develop “a roadmap – minimum safeguards for cybersecurity – which leave room for innovation.” The agency’s focus will be on the outcome, recognizing that different risk profiles will require different responses. Superintendent Vullo signaled a willingness to work with the industry and share leading practices toward the common goal of strengthening the industry’s cyber resilience and said that “where we see clear cooperation and good faith effort, our response will be tempered even where there is need for improvement.”

While the DFS is still developing its cyber framework and examination program, comments from the Superintendent and from the expert panel suggested that, in addition to support from the top of the organization, several other key takeaways from the session should be noted:

  • Until there is a uniform regulatory standard, organizations – especially large, complex multinational organizations – will still need to address varying expectations and different areas of focus as they develop or enhance their cyber programs.
  • A rigorous, customized risk assessment should be the cornerstone of the cybersecurity program, and it will be important for covered institutions to step back and revisit their risk assessment process and output to ensure that it is providing the appropriate foundation for building the program.
  • While many organizations would immediately turn to IT to build the cyber program, it is very important to involve the business – e.g., materiality should be designed at the business level since IT may see the risk differently. To be effective, cyber professionals must understand the business.
  • Third-party risk management issues, which are a very complex challenge for many organizations, are critically important to the cyber compliance effort.
  • While some of the control requirements (multifactor authentication and encryption or reasonable substitutes for these) are not required immediately, the time to start thinking about them is now since implementation will take time.
  • Communication across the organization will be critical to the success of the program.

One of our expert panelists likely summed up the feeling in the room when he reflected that in the beginning of his career IT people sat in a backroom and no one much cared what they did so long as things kept working, but as technology gradually became a business enabler, the attendant risks to the business could not be ignored. Cyber is one of those risks on which every institution and every regulator is now focused. No more quiet backrooms for the IT, business and risk professionals charged with protecting their organizations against cyber attacks; they are now front and center in the battle to protect their organizations, their customers, and the market against the growing cyber threats.
Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance
Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this, and have been increasingly targeting insurers. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally-identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines. And the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.