US Banks Get Tough On Cybersecurity In 2016

Uploaded on 2015-12-29 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Financial

New York state cybersecurity requirements for banks are expected to be applied nationally across the US next year, to include multi-factor authority, regular audits and pen-tests, and exacting third-party vendor cybersecurity scrutiny.

New York state regulators are prepping to release new cybersecurity guidelines for banks that are expected to set a status quo for state-level and federal banking regulators.

The guidelines coming from the New York State Department of Financial Services cover required policies for vendor management, breach notification, implementing multi-factor authentication for customers, employees and service providers, and third-party security management policies.

This news will be a breath of fresh air for well-founded fears that banks have fallen behind in cybersecurity, although the new guidelines are expected for release in early 2016 and so far no deadline for complying with the guidelines has been revealed.

This change has strong roots in a November letter from NYSDFS, which called out the financial industry's weakness with cybersecurity, and its problematic reliance on third-party service providers for critical banking and insurance functions.

The letter cites troubling results from internal security surveys and risk assessments, noting that financial institutions have been unable to keep up with developing attack and defense in infosec, that third-party vendors pose a serious cybersecurity risk, and that the scale of attacks is now of global import.

Regulation is on the horizon. The NYSDFS letter states, "There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions."

Requirements are expected to force the creation of policies for managing third-party service providers' cybersecurity, which will include hiring qualified CISOs, insuring CISOs enforce cybersecurity procedures and standards that ensure application security, employing multi-factor authentication, maintaining cyber-incident and breach notification policies, among other requirements.

In a move that should have been made years ago, financial institutions will now be required to "conduct annual penetration testing and quarterly vulnerability assessments."

Under the department's terms, third-party vendor management has particular requirements that will likely prove difficult to implement, although if successful, would result in raising the difficulty levels for attackers overall. According to BankInfoSecurity, "federal banking regulators have been hammering home the need for more third-party oversight for the past 18 months."

Those third-party requirements include at minimum that banks ensure third party vendors: Encrypt all sensitive data, both in transit and at rest; Notify the banking institution of all cybersecurity incidents; Contractually indemnify the banking institution against any cybersecurity incident that results in lost data; Allow the banking institution or its agents to perform cybersecurity audits of all third parties; Implementation of multi-factor authority and more.

It remains to be seen how this will be enforceable, but it's several steps in a good direction. From a consumer point of view, it's sad that we've had to wait this long for our banks to have a level of security that compares to online retail organizations and social networks... but at least it's getting better.
ZD Net: http://zd.net/1mfZGNl

« Intelligence Agencies Should Recruit Like Google
Getting Workers To 'buy-in' To Cybersecurity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

TenIntelligence

TenIntelligence

TenIntelligence provides due diligence, brand protection and fraud investigation services including digital forensics.

Internet Security Alliance (ISA)

Internet Security Alliance (ISA)

ISA is an international trade association providing thought leadership in advancing a sustainable system of cyber security.

FIRST Conference

FIRST Conference

Annual conference organised by the Forum of Incident Response and Security Teams (FIRST), a recognized global leader in computer incident response.

Me Learning

Me Learning

Me Learning provides engaging, informative and clearly explained learning materials for complex and challenging professional environments in areas including GDPR and Information Governance.

Synelixis Solutions

Synelixis Solutions

Synelixis Solutions is a high-tech company founded to provide complete telecommunications, networking, security, control and automation solutions.

OneTrust

OneTrust

OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management.

bluedog Security Monitoring

bluedog Security Monitoring

Sentinel from bluedog provides powerful and affordable internal network monitoring.

Beryllium InfoSec Collaborative

Beryllium InfoSec Collaborative

Beryllium InfoSec Collaborative is an information security and cyber security company with 40-plus years of experience across industry & government.

TechRate

TechRate

Techrate is an analytics agency focused on blockchain technology and engineering. Or expertise includes security and technical audits of projects.

GreyNoise Intelligence

GreyNoise Intelligence

GreyNoise Intelligence is a cyber security company that collects, labels, and analyzes Internet-wide scan and attack data.

BlackhawkNest

BlackhawkNest

Blackhawk is the only cyber security solution on the market that combines network monitoring and incident response into a cohesive appliance.

NSR

NSR

NSR provide trusted solutions that deliver positive business outcomes for our clients in cybersecurity and data protection challenges.

Palitronica

Palitronica

Palitronica build cutting-edge hardware and breakthrough software that revolutionizes how we defend critical infrastructure and key resources.

Vercara

Vercara

Vercara offers a purpose-built, global cloud security platform that provides layers of protection to safeguard businesses’ online presence, no matter where an attack comes from or where it is aimed.

SequelNet

SequelNet

SequelNet is an emerging MSP, providing 360° business IT solutions and consulting services.

Silobreaker

Silobreaker

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace.