Bank contractors offer 'back door' to cyber thieves - NY regulator
During a survey of 40 banks, the New York Department of Financial Services (NYDFS) discovered that thirty percent do not require their third-party vendors to notify them of any cyber security breaches that have taken place.
To make matters worse, fewer than half conduct on-site security assessments of their vendors, while twenty-one percent do not even require their vendors to abide by minimum information security requirements.
“A bank's cyber security is often only as good as the cyber security of its vendors,” NYDFS superintendent Benjamin M. Lawsky said in a statement. “Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data.”
DFS REPORT: Nearly 1 in 3 banks don't require their third-party vendors to report a cyber security breach http://t.co/y6TLEYVoQK
— Matt Anderson (@MattAnderson_NY) April 9, 2015
The NYDFS is now considering imposing cyber-security requirements for banks that would apply to their relationship with third-party service providers. The regulator defines “high-risk vendors” as check and payment processors, trading and settlement operations, and data processing companies.
“We will move forward quickly, together with the banks we regulate, to address this urgent matter,” Lawsky said.
For the purposes of the report, banks were categorized as “small” if their assets were less than $100 billion, “medium” if their assets were between $100 billion and $1 trillion, and “large” if their assets exceeded $1 trillion.
Large banks are twice as likely as small ones to require their third-party vendors to certify their data and products are free of viruses, the report indicates.
Just one in three banks surveyed by New York require their security vendors to notify them of a cyber breach http://t.co/RvBNYJP9in
— Jon Prior (@JonAPrior) April 9, 2015
“The report does name particular institutions to help ensure we receive candid answers and so as to not reveal vulnerabilities at specific firms that could be exploited,” NYDFS spokesman Matthew Anderson told Courthouse News Service.