Financial R&R: New York State Sharpens its Focus on Cybersecurity for Financial Institutions

Intro (00:01):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.

Ron Borys (00:14):
Well, welcome, everyone. This is Ron Borys and this is the Financial R&R podcast. I'm joined today with Ryan Farnsworth and our special guest, David Finz. David is a regular on the Financial R&R podcast circuit and we saw some news. As we know, regulators have been hot on the trail of focusing and regulating and becoming hypersensitive and looking at controls, responsibilities regarding financial institutions. And sounds like New York has just beat the rest of the states to the punch with another regulation, specifically targeting the financial institutions industry sector. So we thought it'd be a great opportunity to dissect this a little bit, break it down, talk to our subject matter expert, David Finz, and certainly invite you all listening today to reach out to us with any questions. How does that sound, Ryan?

Ryan Farnsworth (01:01):
Sounds good to me, and I think cybersecurity risk is good for David's job security, is good for content on the Financial R&R and the New York State Department of Financial Services – just as they proposed another round of amendments – keeps us all busy with what to talk about and what to think about from a risk perspective. Right, David?

David Finz (01:18):
Absolutely, and Ron, Ryan, thank you both for having me on. So yeah, this is a pretty interesting development here. As some of our listeners may already know, the DFS, the Department of Financial Services rolled out regulations in 2017 that have become something of a role model being emulated elsewhere, both at the federal level and by other states. So, they are now proposing what would be their second set of amendments to the 2017 regulation, which those of us in New York State know as part 500. And, the goal here they say, is to ensure that regulated entities keep pace with the changing threat environment and to adopt best practices that would protect consumers and businesses. Superintendent Adrienne Harris noted that cyber criminals go after all types of companies, big and small, across different industries, and so, you know, regardless of whether you're a regional bank, cryptocurrency exchange, a health insurance company, you're impacted by these proposed amendments.

Ryan Farnsworth (02:20):
So the DFS has thrown out these amendments and there's a comment period that they may or may not take those comments and amend their amendments. But what's in the proposal now? What's the proposed amendment? What are some initial takeaways that we should be thinking about?

David Finz (02:35):
Right, and so the proposed amendments, which the public has 60 days to comment on from the date of issuance on November 9th; so basically, would be looking at early January that the comments would need to be received. They're meant to integrate cyber risk into business planning, into decision making, and into the ongoing risk management of these regulated entities. And broadly speaking, I guess you could summarize them in five categories. They're looking to heighten governance standards, to make cybersecurity a priority in the boardroom and the C-suite to the extent that it isn't already. They are proposing stepped up security controls to keep bad actors out of the network and to halt the spread of any attack. They're looking to mandate businesses conduct regular risk assessments and strengthen their incident response plans and also to expand corporate training and cybersecurity awareness within an organization.

Ron Borys (03:29):
David, what do you think DFS is getting at here? We've obviously worked with financial institutions for 20 plus years. The cyber concerns, the risk exposures have become a more pressing issue, let's say over the last decade and really heightened sensitivity and focus in the last five years. But I don't know, Ryan, from my experience, our financial institution clients seem to be investing a lot. It seems to be a top priority in the boardroom already. So it says raising the threshold that exempts smaller companies, so, maybe you can kind of dig into that a little bit.

David Finz (04:02):
Right, so, by raising the threshold, they're potentially taking organizations that are currently exempt and getting them to a point where perhaps they would no longer be. So, I think what we're looking at here is that the cyber threat environment is not a static situation. When these regulations were first passed in 2017, the ransomware epidemic had yet to take place. People were not working from home in the numbers that they are now so an organization's attack surface might have been easier to manage. And so as a result of this, there is a need to consistently update what the security controls are that these organizations are expected to have in place. I think there's a recognition also that the financial system is an attractive target. I mean, if you think about the NotPetya attack in Ukraine several years ago, right? That was actually targeted at accounting software.

David Finz (04:57):
We've seen other examples of it in this country where a title insurance company has been hit. A large bank that's a leading home equity lender was hit with an attack a few years ago. And I think there's a recognition that this is an area, this is an industry that has to be at the cutting edge of cybersecurity because of what is at stake. I mean, I'd put it up there with healthcare and energy or any other critical infrastructure type of enterprise. So, because of that, I think DFS is looking at this and saying we need to get ahead of it and we need to make sure that the regulation requires controls that are not fighting the last war.

Ron Borys (05:36):
That's great. So certainly a key takeaway here is if you're a smaller financial institution, and again, I'm not sure what the parameters are that DFS is using to define; whether it's revenue, whether it's assets, whether it's industry class, I'm sure that more clarification is to come on that front, but if you're someone who thinks you've flown under the radar of DFS because you weren't big enough, it sounds like that's potentially changing.

David Finz (06:04):
Well again, when it says raising the threshold, it exempts smaller companies. We understand here that that's again a fluid situation. Companies grow, their market cap grows, their revenue grows, their assets under management grow. And I think it's a moving target, especially in an inflationary environment. So I would not assume that because a regulated entity is currently exempt that they will continue to be.

Ryan Farnsworth (06:28):
So with the comment period and recognizing that it's a fluid situation as you say, what is it that our listeners should be focused on from a cybersecurity risk perspective? And then once we address those risks and outline what they are for our own companies, what are the insurance ramifications, if any, at this point?

David Finz (06:48):
Sure. First off, I don't think just because an organization is domiciled outside of New York state or doesn't do much business in New York state, that this doesn't apply to them. Because, as we mentioned earlier in this episode, the DFS regs have become something of a role model for regulators in other parts of the country and also at least for banking regulators at the federal level. So what's happening in Albany, New York may have ramifications in other states because other state regulators are looking at what Albany is doing as something of a bellwether. So that's the first thing. Even if an entity does not conduct business in New York State, they still should be watching what is happening here. I would highly recommend that folks consult with privacy council. I think it's important that organizations stay in front of this. Some form of this proposed amendment will pass. There may be some tweaks to it after the comment period, but I think it's safe to say that the DFS is looking to keep this regulation current with the threat environment. And because of that, there's no time like the present to take a look at a company's current data privacy policies, how they line up with 23 NYCR part 500, and, with the details of this rather lengthy proposed amendment, obviously, it's about, I think 19 pages long, but to make sure that their practices are keeping current with what regulators believe the threat environment is. The other implication here for cyber insurance, is that folks need to confirm that their coverage is triggered by the commencement of any privacy regulatory proceeding by an enforcement body. And that needs to be regardless of whether that inquiry was preceded by an actual data breach. And the reason for this is because there are so many more scenarios now where an entity can be targeted for regulatory inquiry by virtue of them not having complied with these regulations, irrespective of whether any data has actually been compromised. A violation in and of itself could give grounds for regulators to begin an enforcement proceeding. Therefore it ought to trigger the coverage and folks should not assume that their policy wording is written in such a way that it would do so. So that's something that we double check for our clients to make sure that the regulatory trigger, the trigger for regulatory coverage, is broad enough to encompass these types of proceedings.

Ron Borys (09:25):
Listen, that's fantastic, David. I can't say it enough, how fortunate we are to have someone like you as a partner to our brokers, to our clients, to our prospects. As we continue down that path of trying to help people find that more rewarding way to manage risk, being able to stay on top of this stuff, being able to produce updates and clarifications and being able to dissect these things in real time as they come about, is just incredibly important for what we've been doing and what we are committed to continuing to do in the near term. So for those of you who are listening today, if you have any questions on this particular topic or anything cyber-related, visit our website at www.alliant.com.