Weil, Gotshal & Manges LLP
Though other more notorious cyber security breaches have recently flooded
the news, there can be no question that some of the more startling breaches
have involved major financial institutions.[1] Indeed, the cyber threats to
the banking industry are real and upon us, and are cropping up in ways we
potentially did not think of previously:
Vulnerabilities in mobile banking pose another new and highly
sophisticated danger, as mobile banking vulnerabilities may exist on
mobile devices that are not patched, and malware can be developed to
specifically target the use of mobile devices. One example of this type of
vulnerability is the Zeus-in-the-Middle malware, a mobile version of the
GameOver Zeus malware, which itself was one of the most sophisticated
types of malware the FBI ever attempted to disrupt. GameOver Zeus was
designed to steal banking credentials that criminals could then use to
initiate or redirect wire transfers to overseas bank accounts. All told, the
malware infected over 1 million computers worldwide and caused over
$100 million in estimated losses.[2]
In continued recognition of persistent threats upon the banking industry,
on December 10, 2014, Benjamin J. Lawsky, Superintendent of the New
York Department of Financial Services (NYDFS), issued a guidance letter
to NYDFS-regulated banks outlining specific cyber security-related factors
that will be reviewed as part of a bank’s annual review. In this release,
Superintendent Lawsky stated:
It is our hope that integrating a targeted cyber security assessment directly
into our examination process will help encourage a laser-like focus on
this issue by both banks and regulators. Cyber hacking is a potentially
existential threat to our financial markets and can wreak serious havoc on
the financial lives of consumers. It is imperative that we move quickly to
work together to shore up our lines of defense against these serious risks.[3]
With the non-stop breach activity we have seen over the last few weeks,
both state and federal regulators are showing their concern, and urging
regulated entities to improve their cyber security postures immediately before
the “bad guys” can wreak as much havoc on the U.S. financial markets as
they have on other U.S. companies, particularly those in the retail sector.[4]
Alert: Cyber Security, Cyber Governance, and Cyber Insurance
December 16, 2014
New York Department of Financial Services Issues Cyber Security Guidance Letter
By Paul A. Ferrillo
This alert will discuss the recently announced cyber
security guidance issued by NYDFS as well as
other recent statements issued by various federal
regulators concerning their own annual examinations
or desk audits.
NYDFS Guidance
Superintendent Lawsky’s guidance letter is
very specific, and encourages banks to provide
comprehensive answers to very important cyber
governance issues, including:
■ Management of cyber security issues, including the interaction between
  information security and core business functions, written information
  security policies and procedures, and the periodic reevaluation of such
  policies and procedures in light of changing risks;
■ Resources devoted to information security and overall risk management;
■ The risks posed by shared infrastructure;
■ Protections against intrusion, including multi-factor or adaptive
  authentication and server and database configurations;
■ Information security testing and monitoring, including penetration testing;
■ Incident detection and response processes, including monitoring;
■ Training of information security professionals as well as all other
  personnel;
■ Management of third-party service providers;
■ Integration of information security into business continuity and disaster
  recovery policies and procedures; and
■ Cyber security insurance coverage and other third-party protections.[5]
This guidance may be seen as a welcome blessing
for the many New York-based financial institutions
or financial services organizations (or pieces of
them) that are also regulated by the SEC’s Office
of Compliance,[6] FINRA,[7] or the FDIC, OCC, and/or
FFIEC[8] – each of which has announced either
guidance or street sweep letters for annual audits/reviews
of its respective regulated entities. Thankfully,
much of the guidance issued by these organizations
to their respective regulated entities is similar to that
issued by NYDFS. Conflicting guidance would have
only confused the question of “best cyber security
practices” even further, and could have caused
regulated entities double or triple the compliance work
in order to keep up with each involved agency. In the
inherently perplexing area of cyber security, we need
more good answers, rather than more questions to be
answered by regulatory entities.
Good Cyber Governance and Cyber Compliance
The NYDFS guidance is also well-placed in that it
focuses not just on “data protection” measures, which
are but a piece of the puzzle, but also on “incident
detection and response… and on the integration
of information security into business continuity and
disaster recovery policies and procedures,” as well
as cyber security insurance coverage. These three
pieces go together like a hand in a glove.
As recent major data breaches have taught us, it is
more than likely that despite state-of-the-art firewall
and anti-virus protection, every day
New York-regulated entities are subjected to thousands of
cyber security “events” of various intensity and
complexity. Those thousands of events require
sophisticated incident detection tools to determine
whether they are actually “incidents” in disguise,
which would then require immediate remediation
and/or counter-measures. Unfortunately, despite the
best efforts of companies, it is estimated by some
that at least 90% of all intrusion detection systems
might not be able to catch the most sophisticated
hack.[9]
The name of today’s game is not being “cyber
perfect” (because we can’t be) but remaining “cyber
resilient,”[10] i.e., being able to take a cyber-punch
and get back off the canvas through a battle-tested
incident response and data recovery plan aimed at
getting the organization back in business as soon
as possible. Helping maintain resiliency is cyber
insurance, which can potentially defray the huge (and
potentially crippling) costs of a cyber-breach forensic
investigation and recovery efforts.[11]
As noted above, NYDFS-regulated banks, financial
institutions, and some insurance companies may
not be subject to just NYDFS regulation, but to
other federal regulations as well.[12] For these reasons,
New York-regulated organizations need to become
more culturally “cyber compliant”-based organizations.
Essentially, instead of “checking the box” once every
audit cycle, cyber security procedures, training and
policies (along with incident detection hardware
and software) need to be revisited by internal IT
departments and outside IT experts more than just
once a year. Unfortunately, despite our best efforts,
what is state-of-the-art today may not be
state-of-the-art tomorrow. Cyber security processes, procedures,
and internal discussions need to be documented
when necessary to evidence improvements when
made. And solid information concerning cyber
security events, incidents, and incident responses
needs to come to the attention of the board of
directors in a timely fashion so that boards can
exercise their fiduciary duties regarding enterprise
risk management. Good cyber security is a living,
breathing concept and needs to be treated as such.
1. See “J.P. Morgan Says About 76 Million Households Affected By Cyber Breach”, available at http://www.wsj.com/articles/j-p-morgan-says-about-76-million-households-affected-by-cyber-breach-1412283372.
2. See testimony of Joseph Demarest, Assistant Director of the FBI’s Cyber Division, available at http://insurancenewsnet.com/oarticle/2014/12/11/senate-banking-housing-and-urban-affairs-committee-hearing-a-577571.html#.VI4J74E8KrU.
3. See Press Release of NYDFS Superintendent Benjamin Lawsky, available at http://www.dfs.ny.gov/about/press2014/pr1412101.htm.
4. See “Happy Holidays becomes ‘Happy Data Breaches’”, available at http://thehill.com/blogs/congress-blog/technology/226972-happy-holidays-becomes-happy-data-breaches.
5. Id.
6. See OCIE Cyber Security Initiative (which applies to registered broker-dealers and registered investment advisers), available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.
7. See FINRA Targeted Cyber Security Exam Letters, found at http://www.finra.org/Industry/Regulation/Guidance/TargetedExaminationLetters/P443219.
8. See testimony of Office of the Comptroller of the Currency’s Senior Critical Infrastructure Officer Valerie Abend, December 10, 2014, available at http://www.occ.gov/news-issuances/congressional-testimony/2014/pub-test-2014-165-written.pdf.
9. See “FBI: Sony hack would work on ‘90 percent’ of public, private firms”, available at http://thehill.com/policy/cybersecurity/226657-fbi-sony-hack-would-work-on-99-percent-of-companies. We note that the forensic investigation of the Sony hack is continuing, so the final word is not out yet on the sophistication of the attack.
10. See “Five questions (and answers) about North Korea and the Sony hack”, available at http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/12/14/five-questions-and-answers-about-north-korea-and-the-sony-hack/ (noting that “There is really no such thing as a secure system, but there are things one can do to boost protection. Redundancy, resilience and backup networks, as well as decentralization, are all tactics that need to be used by important government branches and corporations.”)
11. See “Will Banks Be Required to Have Cyber-Insurance?” available at http://www.bankinfosecurity.com/will-banks-be-required-to-have-cyber-insurance-a-7673 (noting “…what cyber-risk insurance can do is provide some measure of financial support in case of a data breach or cyber-incident”); see generally “Cyber Security, Cyber Governance, and Cyber Insurance,” available at http://blogs.law.harvard.edu/corpgov/2014/11/13/cyber-security-cyber-governance-and-cyber-insurance/.
12. See e.g., SEC Regulation S-ID, which generally requires “SEC or CFTC registrants (e.g., investment advisers, investment companies, broker-dealers, commodity pool advisors, futures commission merchants, retail foreign exchange dealers, commodity trading advisers, introducing brokers, swap dealers, and major swap participants) to establish and maintain programs that detect, prevent, and mitigate identity theft, if they maintain certain types of accounts for clients.” See PWC Memo “Identity Theft Regulation: Are you under the SEC/CFTC microscope?” available at http://www.pwc.com/us/en/financial-services/regulatory-services/publications/identity-theft-regulation.jhtml.
If you have questions concerning the contents of this issue, please speak to your regular contact at Weil, or to:
Paul A. Ferrillo (NY), paul.ferrillo@weil.com, +1 212 310 8372
© 2014 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. This publication provides general
information and should not be used or taken as legal advice for specific situations that depend on the evaluation of precise factual
circumstances. The views expressed in these articles reflect those of the authors and not necessarily the views of Weil, Gotshal &
Manges LLP.
