US Banks Get Tough On Cybersecurity In 2016

New York state cybersecurity requirements for banks are expected to be adopted across the US next year, including multi-factor authentication, regular audits and penetration tests, and close scrutiny of third-party vendors' cybersecurity.

New York state regulators are preparing to release new cybersecurity guidelines for banks that are expected to set the benchmark for other state-level and federal banking regulators.

The guidelines, coming from the New York State Department of Financial Services (NYSDFS), cover required policies for vendor management, breach notification, multi-factor authentication for customers, employees and service providers, and the security management of third parties.

This news will be welcome given the well-founded fears that banks have fallen behind in cybersecurity, although the guidelines are not expected until early 2016 and no deadline for compliance has yet been announced.

The change has its roots in a November letter from NYSDFS that called out the financial industry's cybersecurity weaknesses and its problematic reliance on third-party service providers for critical banking and insurance functions.

The letter cites troubling results from internal security surveys and risk assessments, noting that financial institutions have been unable to keep pace with evolving attack techniques and defensive practices, that third-party vendors pose a serious cybersecurity risk, and that attacks now operate at a global scale.

Regulation is on the horizon. The NYSDFS letter states, "There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions."

The requirements are expected to mandate, among other things, policies for managing third-party service providers' cybersecurity, the hiring of qualified CISOs, ensuring those CISOs enforce cybersecurity procedures and standards that cover application security, the use of multi-factor authentication, and the maintenance of cyber-incident and breach notification policies.

In a move that should have been made years ago, financial institutions will now be required to "conduct annual penetration testing and quarterly vulnerability assessments."

Under the department's terms, third-party vendor management carries specific requirements that will likely prove difficult to implement, although, if successful, they would raise the bar for attackers overall. According to BankInfoSecurity, "federal banking regulators have been hammering home the need for more third-party oversight for the past 18 months."

At a minimum, those third-party requirements oblige banks to ensure that their vendors encrypt all sensitive data, both in transit and at rest; notify the banking institution of all cybersecurity incidents; contractually indemnify the banking institution against any cybersecurity incident that results in lost data; allow the banking institution or its agents to perform cybersecurity audits of all third parties; and implement multi-factor authentication, among other measures.

It remains to be seen how this will be enforced, but it is several steps in the right direction. From a consumer's point of view, it is disappointing that we have had to wait this long for banks to reach a level of security comparable to that of online retailers and social networks, but at least it is getting better.

Source: ZD Net: http://zd.net/1mfZGNl
