Bloomberg News
"Hackers spend day and night trying to think up new ways to steal consumers' personal information and disrupt our nation's financial markets," says New York's Superintendent of Financial Services Benjamin M. Lawsky.

N.Y. Regulators Plan Heightened Scrutiny of Banks' Cyber Readiness


The new exams could also benefit the New York Institute of Technology, which recently added cybersecurity and smartphone security courses to its curriculum; it also offers a master's degree in security.

The New York Department of Financial Services did not immediately respond to a request for an interview and did not share information about what the new exams will look like. It did say its cybersecurity exam will include questions about incident response and event management, access controls, network security, vendor management, and disaster recovery.

It also published the results of a cybersecurity test it conducted last year that give clues to its areas of focus.

"Although large-scale denial-of-services attacks against major financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors) have experienced attempted breaches in recent years," the regulators wrote.

In the report, essentially the results of a survey of 154 banks and credit unions under New York's jurisdiction, the agency found that most (90%) have an information security framework in place that includes a written information security policy, security awareness education and employee training, risk management of cyber-risk, information security audits and incident monitoring and reporting.

But the test results also pointed out many gaps in banks' cyber defenses, especially among smaller banks. The report lamented that just 52% of small institutions, defined as those with less than $1 billion of assets, require employees to use two-factor authentication, compared to 76% of medium-sized firms and 93% of large ones. (The report defines "medium-sized" as institutions with $1 billion to $10 billion in assets and "large" as firms with more than $10 billion in assets.)

Community banks are also less likely to conduct compliance audits of third parties that handle personal data of customers and employees (62% of small banks do this, compared with 80% of large and medium-sized institutions). Small banks are also less likely to share security threat information with their peers, for instance by working with a group like the Financial Services-Information Sharing and Analysis Center. The FS-ISAC has 100 New York members, according to a spokesman for the group. It has 4,700 members worldwide.

Based on the report's findings, community banks in particular have much work to do to beef up their defenses.

"This will force a lot of the New York banks to step up their efforts and budgets spent on security," Gartner's Litan says.
