On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely request during examinations to help ensure nonbank financial services institutions are prepared to respond to examination questions.
CSBS Cybersecurity Tools
Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.
The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs the Enhanced Program are not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT) – (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details on the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management and incident response plan. The examination questions, where relevant, cite to the FTC Safeguards Rule, as amended (16 CFR § 314) which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).
The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.
These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’ larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.
Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, both on the federal and state level, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.
We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.