The Capital One breach is a classic example of the “insider threat” that has been present since the first merchant hung a shingle and sold goods, and is certainly not limited to the digital age.
The insider threat is not limited to employees and extends to third-party providers as was the case with Capital One.
The third-party provider threat is a concern for CISOs and regulators alike, which is why the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) include specific requirements regarding third-party service providers.
Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs.
Coincidentally the regulation’s applicability for third-party service providers just went into effect in March of this year. According to the regulation, section 500.11, “The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information.”
Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing: Access controls, including multi factor authentication; Encryption; Notifications to be provided to the primary organization in response to a cybersecurity event; Representations and warranties for a third party’s cybersecurity policies and procedures.
The good news is the perpetrator was identified and arrested, but it remains to be seen the severity of penalties that Capital One will incur from federal and state regulators. Although, Capital One is headquartered in Virginia it is licensed to conduct business in New York with branches in the state, thus falling under the jurisdiction of the NYDFS.
The U.S. Federal Trade Commission recently proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act, which requires financial institutions to explain their information-sharing practices to their customers and to safeguard customer data.
The Safeguards Rule requires financial institutions to have measures in place to keep customer information secure. They are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties. The proposal generally would require all financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data.
The proposed changes, introduced in March, are modeled after New York regulator’s cybersecurity regulations, but unlike the NYDFS regulation, they would apply to all financial institutions in the U.S.
