Banks' Vendor Monitoring Comes Up Short
New York State Regulator Considering More Scrutiny
Banking institutions in the state of New York are not doing enough to ensure that their third-party service providers are taking adequate cybersecurity steps, according to a survey conducted by the New York State Department of Financial Services.
As a result of the survey findings, more state regulatory scrutiny of banks' vendor management policies and procedures may be on the way, state officials say.
"In light of the increasing number and sophistication of cyber-attacks, including recent breaches at both banks and insurers, the department is now considering, among other regulations, cybersecurity requirements for financial institutions that would apply to their relationships with third-party service providers," the Financial Services Department noted in its April 9 report, "Update on Cyber Security in the Banking Sector: Third Party Service Providers".
The report, based on a survey of 40 banks conducted last October, complements its May 2014 report, "Report on Cyber Security in the Banking Sector," which included findings from a survey of more than 150 banking institutions in the state.
The state banking regulator is now conducting a similar survey to gauge the cybersecurity of third-party vendors. "In the coming weeks, NYDFS expects to move forward on regulations strengthening cybersecurity standards for banks' third-party vendors, including potential measures related to the representations and warranties banks receive about the cybersecurity protections in place at those firms," the department said in a release about the new report.
Benjamin M. Lawsky, New York's superintendent of financial services, notes: "A bank's cybersecurity is often only as good as the cybersecurity of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter."
The New York state agency did not immediately reply to a request for additional comment.
Change Will Take Time
The emerging risks that third-party security gaps pose to banking institutions have been an increasingly hot topic for banking regulators, says Shirley Inscoe, a fraud expert and analyst at the consultancy Aite (see FFIEC: New Threats to Banks?).
But changing the way banking institutions manage their third-party service providers and other vendors is going to take time, she says.
"It strikes me that most financial institutions have multiyear contracts with third-party providers, and it will take quite some time before all those agreements come up for renewal and new language and requirements can be negotiated," Inscoe says. "It is easy to forget the sheer size and complexity of the U.S. banking and payments systems. We tend to take it for granted, because we are so used to it. But it is a very challenging environment, and any new requirement will take a few years to fully penetrate and for all institutions to be in compliance."
Varying Third-Party Oversight
While the New York survey found that all but one of the 40 organizations it polled perform security risk assessments on their high-risk vendors - such as payments processors, trading and settlement operations, and data processing companies - some banking institutions are not conducting the same due diligence for vendors categorized as low-risk - such as office suppliers, printing companies, food catering businesses and janitorial services providers.
Only 46 percent of the surveyed institutions say they conduct pre-contract, on-site assessments of high-risk vendors. And only 35 percent say they conduct periodic on-site assessments to ensure ongoing security.
What's more, 21 percent of the institutions surveyed say they do not require third-party vendors, regardless of whether they are high- or low-risk, to prove that they have any minimum information-security requirements. And only 36 percent of the surveyed institutions require that those information security requirements be extended to vendors' subcontractors.
Nearly half of the banking institutions surveyed say they do not require that third-party vendors prove that their data and/or products are free of viruses, the report also notes.
"While banks have made great strides to better manage the risks associated with doing business through third parties, these survey findings show there is room for improvement," says Greg Dickinson, CEO of Hiperos, which provides third-party management services. "Regulators are urging and/or assisting banks to do more to confront these issues. Clearly, the warning bell has sounded, and banks will need to respond quickly to meet regulatory requirements designed to protect the banking system from ever-increasing risk."
Other Survey Findings
The Department of Financial Services says a third of the banking institutions it surveyed do not require their third-party vendors to notify them of a breach. And while 63 percent of the surveyed institutions say they carry cyber-insurance that would cover security incidents, only 47 percent say they have cyber-insurance policies that explicitly cover information security failures at a third-party vendor.
Only half of the banking organizations surveyed require indemnification clauses in their agreements with third-party vendors, the report says.
Most institutions say they routinely encrypt data that they electronically send to vendors. But U.S. branches of foreign banks more commonly require multifactor authentication for third parties accessing banking data and systems than domestic institutions do, the report finds.
"It is not surprising that international banks may be ahead of domestic banks, since many European nations, as one example, have required multifactor authentication for online commerce for several years," Inscoe says. "No other nation has the sheer number of financial institutions as the U.S. either, so solutions to meet requirements such as these have to be implemented thousands of times over to meet regulators' demands in our country."
Some 70 percent of the surveyed institutions require multifactor authentication for at least some third-party vendors to access sensitive data or systems. When used, multifactor authentication is required for third parties to remotely access sensitive data or banking systems, whether from computers or portable devices.