= Subscriber content; or subscribe now to access all American Banker content.

N.Y. Regulators Plan Heightened Scrutiny of Banks' Cyber Readiness

The new exams could also benefit the New York Institute of Technology, which recently added cybersecurity and smartphone security courses to its curriculum; it also offers a master's degree in security.

The New York Department of Financial Services did not immediately respond to a request for an interview and did not share information about what the new exams will look like. It did say its cybersecurity exam will include questions about incident response and event management, access controls, network security, vendor management, and disaster recovery.

It also published the results of a cybersecurity test it conducted last year that give clues to its areas of focus.

"Although large-scale denial-of-services attacks against major financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors) have experienced attempted breaches in recent year," the regulators wrote.

In the report, essentially the results of a survey of 154 banks and credit unions under New York's jurisdiction, the agency found that most (90%) have an information security framework in place that includes a written information security policy, security awareness education and employee training, risk management of cyber-risk, information security audits and incident monitoring and reporting.

But the test results also pointed out many gaps in banks' cyber defenses, especially among smaller banks. The report lamented that just 52% of small institutions — defined as those with less than $1 billion of assets — require employees to use two-factor authentication, compared to 76% of medium-sized firms and 93% of large ones. (The report defines "medium-sized" as institutions with $1 billion to $10 billion in assets and "large" as firms with more than $10 billion in assets.)

Community banks are also less likely to conduct compliance audits of third parties that handle personal data of customers and employees (62% of small banks, 80% of large and medium-sized institutions do this). Small banks are also less likely to share security threat information with their peers, for instance by working with a group like the Financial Services-Information Sharing and Analysis Center. The FS-ISAC has 100 New York members, according to a spokesman for the group. It has 4,700 members worldwide.

Based on the report's findings, community banks in particular have much work to do to beef up their defenses.

"This will force a lot of the New York banks to step up their efforts and budgets spent on security," Gartner's Litan says.




Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.