When it comes to data security, the New York State Department of Financial Services has been taking a long hard look at the banking sector, and it isn’t all that happy with what it has been seeing. The result? New, more stringent regulations could be on the way for every banking institution licensed in the state of New York. Because of New York's clout in the financial services industry, regulatory mandates issued there would have far-reaching impact throughout the entire industry, including organizations that provide services to banking institutions.
Last spring the New York State Department of Financial Services issued a cybersecurity report based on a survey of more than 150 banks. That report found the industry, like many industries, heavily dependent on third-party service providers for the delivery of its core services. And, also like many industries, the banking industry falls short when it comes to vetting the security and risk management programs of its vendors.
The state regulator grew so concerned about banks' third-party security due diligence that it decided to query 40 regulated banking organizations in the fall of 2014 about their current vendor management practices for data security. From that survey, the department noted a number of common issues and concerns, and the likely result is new regulations (by the end of this year) covering third-party due diligence processes for safeguarding sensitive data and protections against losses incurred through third-party information security failures.
Any regulatory actions taken by the state of New York are closely watched by the rest of the states throughout the country, and could be an indication of where other states and federal regulatory bodies go when it comes to updating their own information security regulations.
For an in-depth read of the survey findings, see Update on Cyber Security in the Banking Sector: Third Party Service Providers. That report found improvement in third-party risk assessments, but there remains much more to be done. The report states that only 46% of those surveyed are required to conduct pre-contract on-site assessments of at least high-risk third-party vendors, while only 35% are required to conduct periodic on-site assessments of at least high-risk third-party vendors.
Last week, speaking at the Reuters Financial Regulation Summit in New York, the head of the agency, Benjamin M. Lawsky, said that new information security regulation for all banks licensed in the state would be forthcoming. "The one thing we find to be an existential threat right now is whether our financial institutions and systems are adequately protected when it comes to cybersecurity," Lawsky said.
I’m not sure about “existential” threats here. After decades of interviewing financial services companies on their programs, I’d be shocked if any of the banks that posed systemic risk to the financial system suffered a breach from which they couldn’t recover. But, hyperbole aside, since the Target breach last year, third party security has been a big deal across many industries, and, fortunately, much more attention has been paid to the risks there. The Target breach was widely reported to be the result of a heating and air conditioning repair contractor who was breached, which led to the compromise of the point of sale network.
So it’s no surprise, considering that incident, the political climate around cybersecurity, and the poor results of the survey regarding third-party security, that new regulation is on the way. One such mandate could be aimed at ensuring banks require their vendors to provide assertions regarding the level of security they have in place. Another could require banks to adopt multi-factor authentication for employees and customers logging into their systems.
I’m confident that the banks know exactly what they need to do, but they’ve been slow getting it implemented. Much of that is because of the countless other federal and state regulatory mandates they must contend with. And while risk-based deployment of multi-factor authentication would make sense, as does requiring, in certain cases, continuous assessment of third-party risk, the devil will be in the details, as is usually the case. So we’ll wait to see what the regulations actually say before concluding anything about their merit.
Just before the long U.S. Memorial Day weekend, Lawsky announced he would step down as the top New York financial regulator. It’s unclear what impact, if any, this will have on the proposed regulations. The New York State governor will likely announce Lawsky’s successor in upcoming weeks.