Cyber regulatory pressures mount for banks

This article is part of our look into cybersecurity at the Industry intersections of technology, banking and asset management.

Emerging rules focus on controls, resilience and boards

The banking industry is at the very top of the maturity spectrum for cybersecurity, yet there is more work to do.

Because of the industry’s unique status and importance to the overall economy, the threat from cyberthieves is intense in banking. Companies throughout the industry have responded to this threat with best-in-class cybersecurity controls and procedures, complying with and even exceeding the high standards that regulatory bodies have created for banking.

But because the threat is unending for the banking industry, regulatory obligations continue to evolve. Among the latest developments, proposed new amendments to New York State’s cybersecurity regulations will add requirements that have never been seen before in any industry.

The draft New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Regulations were issued in July 2022 and will apply widely to financial services providers throughout the country.

“NYDFS regulations impact many financial institutions, not just those headquartered in New York,” said John Pearce, a principal with the Cyber Risk Advisory Services practice at Grant Thornton LLP. “It basically applies to virtually every retail and commercial bank, and it even hits the insurance industry. There are certain banks that are excluded because they’re borne maybe in investment entities, but with core commercial, retail, brick-and-mortar banking, it will be generally applicable due to the nature of their business.”

The proposed NYDFS 500 amendments are not the only regulatory development banks are watching. Other rulemaking of note includes:

Cybersecurity legislation enacted in March in the Consolidated Appropriations Act of 2022 that requires entities in critical infrastructure sectors to report to the federal government within 72 hours after a breach and within 24 hours after a ransom payment. Banks will be subject to this legislation, but the Critical Infrastructure Services Agency has yet to define what entities or incidents are covered by the law.
Operational resilience standards from the Office of the Comptroller of the Currency (OCC) that include a focus on cybersecurity. The OCC standards promote a principles-based approach for governance, scenario analysis, system resilience, surveillance and reporting.
The SEC’s proposed amendments to disclosure rules related to cybersecurity risk management, strategy, governance and incident reporting by public companies. The proposed rules would require reporting on material cybersecurity incidents, updates on previous incidents, and disclosures on governance and management’s role in cybersecurity activities.

A complicating factor in all these developments is that banks and financial institutions aren’t only liable from a regulatory standpoint for breaches that originate in their own systems. If a cyber incident occurs as a result of a third party’s access to a bank’s system, the damage can be just as severe as if the attacker targeted the bank directly.

The regulatory consequences are likely to be just as severe as well.

“Increasingly, regulators are less concerned about whether the breach happens to the regulated entity or their infrastructure, or to one of their third parties,” said Max Kovalsky a managing director with the Cybersecurity and Privacy Advisory Services at Grant Thornton. “To the regulators, that means one and the same. If a supplier suffers a breach that impacts data that belongs to the regulated entity, it is no different than the regulated entity itself becoming breached.”

In a sector with substantial reliance on fintech software, third-party risk under these regulatory circumstances is a significant concern. That’s why many banks are no longer simply relying even on highly regarded SOC reports or ISO 27001 certifications to protect themselves from third-party risk.

Banks will be held responsible for breaches introduced by third parties, even if they have satisfactory compliance reports or certifications. Therefore, banks are going an extra mile with their own additional testing.

“For some organizations, those risks are top of mind; they go as far as to say, ‘Any software that we procure, we want to make sure that our preferred penetration testing provider actually tests the software, or we want to be able to run a dynamic code scan or even do static code analysis to understand what software components are used and what vulnerabilities are present,’” Kovalsky said.

Unprecedented scrutiny

There’s little doubt that the proposed DFS amendments, if approved, will subject banks to an unprecedented level of scrutiny in several areas. Board composition requirements and new rules pertaining to the CEO and the Chief Information Security Officer (CISO) will create new compliance objectives that will need to be addressed carefully.

C-suite certification. One proposed requirement is similar to a well-known rule in the Sarbanes-Oxley Act, which requires the CEO and CFO of public companies to issue a statement certifying that financial statements fairly represent the operations and financial condition of the company. The NYDFS 500 proposal would require a bank’s CEO and CISO to sign the annual certification for NYDFS cybersecurity compliance.

The proposal also would require the CISO to meet certain new requirements related to independence and risk management authority.

As SOX did with financial reporting, this requirement reenforces C-suite accountability for cybersecurity. Although larger banks are likely to have measures in place that may make it easier to meet these requirements, there will still be an uplift in scope, coverage and resource requirements. Regional and community banks might not have that level of expertise or maturity. As a result, an annual cyber audit by an independent third party, which is proposed to be required for “Class A” companies with over 2,000 employees or over $1 billion in gross revenue, might be a key tool for these banks to develop comfort with compliance for this regulation.

Board composition rules. The proposed rules would require boards to have enough expertise on cybersecurity to effectively exercise oversight over this important area of risk.

“They’ve been very prescriptive,” Pearce said of regulators. “They want to see someone serving as a board member who has direct cyber experience. [Boards] of smaller institutions may have to reshuffle the deck.”

Although boards of larger banks may possess this expertise already, this might prove to be one of the most challenging areas of this proposed regulation for regional and community banks because of the scarcity of specialists available in this area.

Board oversight of cybersecurity issues may occur through different committees depending on the organization. Some boards have designated a specific cybertechnology risk committee or subcommittee. Others will get input from the operational risk committee or the audit committee on this topic. For boards that don’t have a cyberrisk committee or subcommittee, this might be a good time to consider forming one.

Reporting requirement. Companies will be required to notify the NYDFS within 72 hours of unauthorized access to privileged-level accounts or ransomware discovery.

The proposal also would require banks to meet certain technical and written policy requirements, including mandating controls such as multifactor authentication, access controls, asset management, penetration testing, vulnerability assessments, email security, backup protocols and risk assessments. Many cyberinsurance carriers are requiring many of these controls already as a condition of coverage.

Resilience becomes essential

The NYDFS proposals also include toughened operational resilience requirements that are designed to help banks respond appropriately if a breach should occur. The proposals contain requirements for business continuity/disaster recovery plans and incident response plans, plus periodic testing requirements for those plans.

These proposals reflect important cybersecurity best practices. While preventive and detective controls are an indispensable part of an organization’s cybersecurity regimen, it’s virtually impossible to provide 100% certainty that a breach will never occur. As a result, resilience is a critical component of any cyber defense plan. Resilience planning and practice typically includes:

A detailed plan for how all the key personnel throughout the organization will respond in the event of a breach. This includes people in IT, legal, risk management, communications, and even the board and the CEO. The plan also should describe what outside resources will be used. This should include insurance brokers and carriers, where applicable, as well as forensic and legal specialists and even law enforcement.
Repeated, scenario-based practice of the response plan, which requires the participation of all stakeholders. This can help identify potential gaps in the response plans. For example, if approval of the chief communications officer is required for certain regulatory reporting and that person is not part of the response plan, a scenario-based practice will reveal the gap that needs to be filled.

One way for financial institutions to build top-of-the-line resilience regimes is to participate in the Sheltered Harbor initiative, which is bult on the elements of data vaulting, resilience and certification. A key component of the initiative helps financial institutions preserve their trust by designating a partner or developing a plan that helps restore customer data to a restoration platform as quickly as possible.

“The whole design is meant to ensure 100% reliability on recovery so that you’re not going to have any issues with data or accounts being compromised in any way,” said Graham Tasman, Principal, Risk Advisory Services Leader and Banking Sector Lead for Grant Thornton. “The methodology and approach is designed with a higher level of assurance than traditional data recovery and data vaulting approaches and meets the specific needs of the financial services industry that expects full assurance and access to customer accounts at all times.”

Some financial institutions have put the data vaulting and resilience processes of Sheltered Harbor in place but haven’t yet undergone the all-important resilience certification step, including a verified recovery plan.

“If you don’t get that certification, you’re not really covered by Sheltered Harbor because they won’t have the ability to verify the recovery plan in that dire moment of need after a real event,” Tasman said. “I think a lot of institutions haven’t gotten to that last step, and it’s a critical one.”

Internal audit’s role

Bank internal audit departments have an important role in cybersecurity risk management. Cybersecurity audit plans should be comprehensive and integrated into all aspects of the business, and they need to report on whether controls and resilience plans are appropriate.

A successful internal audit plan also will evaluate whether a bank is in compliance with applicable cybersecurity regulations, and it should be flexible and timely enough to determine if changes are being made to keep up with new rules. Internal audit would independently assess the new regulations, determine the bank’s compliance with them and report to the audit committee and the board as to the bank’s true compliance posture.

“It needs to be more than just one audit that you roll into the broader IT plan, and it needs to be more precise than that big red risk that you have on the heat map every year,” said Scott Peyton, Grant Thornton’s IT and Cybersecurity Internal Audit Leader. “Perform a risk analysis and really develop a multiyear cybersecurity plan that you can update to understand what risks are greatest and how you can help the organization understand if those risks are mitigated to an acceptable level.”

Protection is the key

Ultimately the regulatory requirements that financial institutions are facing — such as strengthening controls, improving board oversight and focusing on resilience — can lead to improved cybersecurity that can protect banks and ultimately the financial system.

But compliance with the regulations may be easier for some financial institutions than for others.

“Many of these fall into really good, leading practices that many banks already exercise,” Pearce said, “but if there’s something that if they don't have an in place, it could take time to implement.”