Banking regulators have been warning banks for more than a year to beef up their cyberdefenses as attacks on financial institutions become more frequent, sophisticated and widespread. New York regulators are going beyond issuing warnings, though, and will soon start grading financial firms on their cyber readiness.
Gov. Andrew Cuomo announced Tuesday that he's asked the Department of Financial Services to conduct cybersecurity assessments of financial institutions to ensure that they are appropriately protecting sensitive customer data. State-chartered banks, credit unions, and foreign banks whose U.S. headquarters are in New York will all be subject to the examinations.
New York officials say they are responding to the growing risk of cyberattacks facing the state's banks. In a year-long study of state banks, the DFS found that the banks' biggest challenge to building an adequate cyber security program is keeping up with increasingly sophisticated threats. It also found that most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years and concluded that, in many cases, small institutions are less equipped than larger ones to thwart cybercrime.
"The fact that so much of our financial lives are spent online makes banks increasingly tempting targets for cyberattacks," said Superintendent of Financial Services Benjamin M. Lawsky in a statement Tuesday. "Hackers spend day and night trying to think up new ways to steal consumers' personal information and disrupt our nation's financial markets, and it's more important than ever that we rise to meet that challenge."
The banking industry's reaction so far is a mix of assent and cooperation. While the new cybersecurity scrutiny will force many to make investments they might have otherwise put off, in an environment of overall skyrocketing regulatory costs, many see it as reasonable and inevitable. More than three-quarters (77%) of New York financial institutions surveyed have increased their information security budget in the past three years, and 79% already had plans to increase security investment over the next three years.
That bank regulators see cyberattacks as a threat to the safety and soundness of the financial system is not new. Last June, the Office of the Comptroller of the Currency said in a report that cyber threats are the fastest-growing risk to banks. In April, the Federal Financial Institutions Examination Council issued statements warning banks about denial-of-service attacks and ATM fraud, and urging them to beef up security.
Also last month, the Securities and Exchange Commission said it plans to conduct more than 50 examinations to assess cybersecurity preparedness in the securities industry.
New York's banking department, though, will be the first regulator to go so far as to conduct regular, targeted cyber security preparedness assessments of banks.
Christopher Walsh, corporate information security officer at the $5.2 billion-asset Bank Leumi USA in New York, says he was unsurprised by the state regulators' latest move.
"We saw it coming," he says. "Regulators seem to follow after the curve. Often they look around the industry and see some people paying more attention than others. They want to protect the public."
Bank Leumi USA has been making a concerted effort to strengthen its cyber defenses since 2011, Walsh says. "We take the position that it's the right thing to do," he says. "We feel we're a little ahead."
The bank recently deployed technology from Invincea and Forescout that it will use to collect threat information and feed it into a network access controller that acts as a security guard for the bank's network.
The state bankers association also expressed support for the regulators' initiative. "New York banks of all sizes have pledged their cooperation with the Department of Financial Services, federal bank regulators, and law enforcement in efforts to counter cybercrime," said Michael P. Smith, president and chief executive of the New York Bankers Association, in an email. "Protecting our customers is a top priority."
Industry observers say New York's attention to cybersecurity could give bank IT departments more ammunition for increasing tech budgets.
"Regulation drives security spending and attention in the C-level suites, and this should make it easier for security staff to get the budgets they need to secure their banking operations," says Avivah Litan, vice president at Gartner.
"It's going to come at a cost to the banks, but you have to weigh the risk versus the cost," adds Nada Marie Anid, professor and dean of the School of Engineering and Computing Sciences at New York Institute of Technology. "We must admit that the risk is very large and cybertheft is a reality."
Anid also acknowledges that Gov. Cuomo has mixed motives for pushing banks to step up their cybersecurity.
"The governor is not denying the fact that this is also an economic development opportunity for the state," she says. "Banks will need more robust software to secure their assets. Cybersecurity will rise to the top of the board agendas. That will create business for cybersecurity companies, and banks will hire more staff that specialize in cyberattacks and cyber procedures."