The New York Department of Financial Services plans to increase its cyber security oversight of state-chartered banks. Director Benjamin Lawsky says that New York banks will have to pass a more difficult cyber security examination that will be more precise than the cyber security exams conducted on federal banks.
These new regulations will require New York state-chartered banks to provide more insight into their staffing choices. Banks will need to show regulators the CV and job description for the current CIO, detailing all responsibilities and how the current CIO meets the requirements. Another requirement will be an internal organization chart of bank employees, with detailed reporting lines for the IT departments. State-chartered banks must also provide information about how they monitor cyber risks. Banks can currently say that they monitor cyber risks by employing a third-party security firm to do the monitoring for them. The problem with this is that nobody is monitoring the third-party cyber security companies, and hackers could try to access those companies to get to their main target. This was demonstrated by Target’s cyber breach in 2013: hackers were able to access 40 million credit cards after hacking into a third-party vendor connected with Target.
State banks will also need to have multifactor authentication systems in place. This will provide consumers with an extra layer of security, as cyber criminals will have more trouble accessing bank accounts with stolen passwords. Before banks authorize the widespread use of these multifactor authentication methods, New York banks will have to show regulators how the authentication methods work, how effective they are, and how they can keep consumer financial information safe.
The Federal Financial Institutions Examination Council assessed 500 federal banks last summer. Currently, federal regulations are more flexible than the proposed New York regulations. Federal cyber security assessments focus on BYOD policies, network connections, and dependence on third-party cyber security providers. While federal banks have government oversight, third-party security companies do not. Government agencies now want to make sure that third-party security companies will not become points of vulnerability for cyber attacks on federal banks.
The Office of the Comptroller of the Currency currently ranks banking institutions on the systemic risks they face. The Office plans to conduct spot cyber security assessments to determine if federal banks are vulnerable.
Consumers have become wary of cyber attacks after so many of them occurred in 2014. The data breach at JP Morgan Chase especially has consumers reeling, after 76 million households and 8 million small businesses were compromised. Government agencies and regulators have been pushing private companies and banks to increase their cyber security measures in the wake of all of these attacks. EiQ’s SecureVue security intelligence platform is designed for government-chartered institutions. SecureVue provides continuous monitoring of all networks, and provides remediation if malware is detected. SecureVue also provides DISA STIG & USGCB compliance monitoring, which saves time by automating many benchmark checks against standards. Third-party security vendors will be the key to providing continuous cyber security coverage as banking cyber security regulations become more stringent.