Banking regulators have been warning banks for more than a year to beef up their cyberdefenses as attacks on financial institutions become more frequent, sophisticated and widespread. New York regulators are going beyond issuing warnings, though, and will soon start grading financial firms on their cyber readiness.
Gov. Andrew Cuomo announced Tuesday that he's asked the Department of Financial Services to conduct cybersecurity assessments of financial institutions to ensure that they are appropriately protecting sensitive customer data. State-chartered banks, credit unions, and foreign banks whose U.S. headquarters are in New York will all be subject to the examinations.
New York officials say they are responding to the growing risk of cyberattacks facing the state's banks. In a year-long study of state banks, the DFS found that the banks' biggest challenge to building an adequate cyber security program is keeping up with increasingly sophisticated threats. It also found that most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years and concluded that, in many cases, small institutions are less equipped than larger ones to thwart cybercrime.
"The fact that so much of our financial lives are spent online makes banks increasingly tempting targets for cyberattacks," said Superintendent of Financial Services Benjamin M. Lawsky in a statement Tuesday. "Hackers spend day and night trying to think up new ways to steal consumers' personal information and disrupt our nation's financial markets, and it's more important than ever that we rise to meet that challenge."
The banking industry's reaction so far is a mix of assent and cooperation. While the new cybersecurity scrutiny will force many to make investments they might have otherwise put off, in an environment of overall skyrocketing regulatory costs, many see it as reasonable and inevitable. More than three-quarters (77%) of New York financial institutions surveyed have increased their information security budget in the past three years, and 79% already had plans to increase security investment over the next three years.
That bank regulators see cyberattacks as a threat to the safety and soundness of the financial system is not new. Last June, the Office of the Comptroller of the Currency said in a report that cyber threats are the fastest-growing risk to banks. In April, the Federal Financial Institutions Examination Council issued statements warning banks about denial-of-service attacks and ATM fraud, and urging them to beef up security.
Also last month, the Securities and Exchange Commission said it plans to conduct more than 50 examinations to assess cybersecurity preparedness in the securities industry.
New York's banking department, though, will be first regulator to go so far as conduct regular, targeted cyber security preparedness assessments of banks.
Christopher Walsh, corporate information security officer at the $5.2 billion-asset Bank Leumi USA in New York, says he was unsurprised by the state regulators' latest move.
"We saw it coming," he says. "Regulators seem to follow after the curve. Often they look around the industry and see some people paying more attention than others. They want to protect the public."
Bank Leumi USA has been making a concerted effort to strengthen its cyber defenses since 2011, Walsh says. "We take the position that it's the right thing to do," he says. "We feel we're a little ahead."
The bank recently deployed technology from Invincea and Forescout that it will use to collect threat information and feed it into a network access controller that acts as a security guard for the bank's network.
The state bankers association also expressed support for the regulators' initiative. "New York banks of all sizes have pledged their cooperation with the Department of Financial Services, federal bank regulators, and law enforcement in efforts to counter cybercrime," said Michael P. Smith, president and chief executive of the New York Bankers Association, in an email. "Protecting our customers is a top priority."
Industry observers say New York's attention to cybersecurity could give bank IT departments more ammunition for increasing tech budgets.
"Regulation drives security spending and attention in the C-level suites, and this should make it easier for security staff to get the budgets they need to secure their banking operations," says Avivah Litan, vice president at Gartner.
"It's going to come at a cost to the banks, but you have to weigh the risk versus the cost," adds Nada Marie Anid, professor and dean of the School of Engineering and Computing Sciences at New York Institute of Technology. "We must admit that the risk is very large and cybertheft is a reality."
Anid also acknowledges that Gov. Cuomo has mixed motives for pushing banks to step up their cybersecurity.
"The governor is not denying the fact that this is also an economic development opportunity for the state," she says. "Banks will need more robust software to secure their assets. Cybersecurity will rise to top of the board agendas. That will create business for cybersecurity companies, and banks will hire more staff that specialize in cyberattacks and cyber procedures."
The new exams could also benefit the New York Institute of Technology, which recently added cybersecurity and smartphone security courses to its curriculum; it also offers a master's degree in security.
The New York Department of Financial Services did not immediately respond to a request for an interview and did not share information about what the new exams will look like. It did say its cybersecurity exam will include questions about incident response and event management, access controls, network security, vendor management, and disaster recovery.
It also published the results of a cybersecurity test it conducted last year that give clues to its areas of focus.
"Although large-scale denial-of-services attacks against major financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors) have experienced attempted breaches in recent year," the regulators wrote.
In the report, essentially the results of a survey of 154 banks and credit unions under New York's jurisdiction, the agency found that most (90%) have an information security framework in place that includes a written information security policy, security awareness education and employee training, risk management of cyber-risk, information security audits and incident monitoring and reporting.
But the test results also pointed out many gaps in banks' cyber defenses, especially among smaller banks. The report lamented that just 52% of small institutions — defined as those with less than $1 billion of assets — require employees to use two-factor authentication, compared to 76% of medium-sized firms and 93% of large ones. (The report defines "medium-sized" as institutions with $1 billion to $10 billion in assets and "large" as firms with more than $10 billion in assets.)
Community banks are also less likely to conduct compliance audits of third parties that handle personal data of customers and employees (62% of small banks, 80% of large and medium-sized institutions do this). Small banks are also less likely to share security threat information with their peers, for instance by working with a group like the Financial Services-Information Sharing and Analysis Center. The FS-ISAC has 100 New York members, according to a spokesman for the group. It has 4,700 members worldwide.
Based on the report's findings, community banks in particular have much work to do to beef up their defenses.
"This will force a lot of the New York banks to step up their efforts and budgets spent on security," Gartner's Litan says.