BreachExchange mailing list archives

NYDFS: Tighter Cybersecurity Needed for Banks’ Vendors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Apr 2015 19:10:42 -0600

http://www.insurancejournal.com/magazines/features/2015/04/20/364430.htm

The New York State Department of Financial Services (NYDFS) issued a report
on April 9 that found significant potential cybersecurity vulnerabilities
with banks’ third-party vendors.

New York regulators noted that banks rely on third-party vendors for a
broad range of services – such as law firms that provide them with legal
advice or even companies contracted to run their HVAC systems. Those
third-party firms often have access to a financial institution’s
information technology systems, providing a potential point of entry for
hackers.

The NYDFS expects to move forward in the coming weeks on regulations
strengthening cybersecurity standards for banks’ third-party vendors –
including potential measures related to the representations and warranties
banks receive about cybersecurity in place at those firms.

The NYDFS said it is in the process of conducting a similar survey
regarding the cybersecurity of third-party vendors at the insurance
companies it regulates. The department said it also expects to put in place
higher cybersecurity standards for vendors providing services to insurers.

“A bank’s cybersecurity is often only as good as the cybersecurity of its
vendors. Unfortunately, those third-party firms can provide a backdoor
entrance to hackers who are seeking to steal sensitive bank customer data,”
said New York Financial Services Superintendent Benjamin Lawsky.

The NYDFS said it conducted a survey of 40 banking organizations –
including many of the largest institutions it regulates – about the
cybersecurity standards those firms have in place for their third-party
vendors. Key findings outlined in the report include:

- Nearly one in three (approximately 30 percent) of the banks surveyed do
not require their third-party vendors to notify them in the event of an
information security breach or other cybersecurity breach.
- Fewer than half of the banks surveyed conduct any on-site assessments of
their third-party vendors.
- Approximately one in five banks surveyed do not require third-party
vendors to represent that they have established minimum information
security requirements. Additionally, only one-third of the banks require
those information security requirements to be extended to subcontractors of
the third-party vendors.
- Nearly half of the banks do not require a warranty of the integrity of
the third-party vendor’s data or products (e.g., that the data and products
are free of viruses).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/