N.Y. to Propose Cybersecurity Regulations
Third-Party Risks Require More Due Diligence
In April, the New York State Department of Financial Services issued a report about significant third-party and vendor management risks that numerous banks throughout the state were failing to address (see Banks' Vendor Monitoring Comes Up Short).
Now, just one month later, the head of the agency says he plans to propose by year's end new cybersecurity regulations that would better ensure banks are addressing those risks. Plus, the agency may propose new requirements for stronger user authentication.
New York's regulatory actions are closely watched by the rest of the country and could suggest that similar guidelines are likely at the federal level.
Benjamin M. Lawsky, superintendent of the state agency, made the announcements during Reuters' 2015 Financial Regulation Summit in New York. He said one new regulation could be aimed at ensuring banks require vendors to provide warranties of cybersecurity protection in the event they are breached. The other could require banks to adopt multiple-step authentication processes for employees and customers to log into their systems.
Lawsky said the poor marks banks gave themselves earlier this year in a survey of cybersecurity practices conducted by his agency spurred the proposal for new regulations.
"The one thing we find to be an existential threat right now is whether our financial institutions and systems are adequately protected when it comes to cybersecurity," Lawsky said, noting why cybersecurity must be a focus during routine examinations. "If they fail, there would be pretty severe consequences."
Is More Regulation the Answer?
While many security experts acknowledge that third-party risks are a growing concern, more regulation may not be the best answer, contends financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. She also questions the efficacy of more stringent authentication practices and encourages banking institutions to, instead, do more to enhance their back-end analytics.
"A 'harder is better' strategy [for authentication] often results in annoying good customers and users, while the bad guys can still get in," Litan says. "Some of the most effective controls are detection models that work behind the scenes and don't impose extra steps for the user logging in."
And while third-party risks have been well-documented by banking regulators, more regulation will only put more burden on banks that are already heavily regulated, Litan contends.
"Lawsky's actions are justified, but, unfortunately, they impose a lot of extra work on banks," she says. "We could see, and have already seen, similar movements from federal banking regulators, especially around auditing third-party vendor security practices."
Federal banking regulators have been focusing more on third-party risks since the Target breach in late 2013, which stemmed from the compromise of one of the retailer's vendors (see FFIEC Issues Malware, Attack Alerts).
In March, Kevin Greenfield, director of bank IT for the Office of the Comptroller of the Currency, noted during an interview with Information Security Media Group about the Federal Financial Institutions Examination Council's new cyber-resilience guidance that third-party cybersecurity risks are a big concern for banking regulators. He said banks need to ensure the third parties with which they work are secure.
The latest FFIEC guidance builds on updated third-party risk guidance the OCC issued in August 2014.
Last month, at the American Bankers Association's Risk Management Forum in St. Louis, Heather Wyson-Constantine, senior director of payments and cybersecurity policy for the ABA, said banking institutions need to ensure they have contractual protections with their vendors in case they're responsible for a breach.
"The amount of vendors that the companies and banks have to have oversight over and due diligence for poses a formidable issue," Wyson-Constantine said in an interview with ISMG at the forum. "There are so many vendors that they have to manage, and how far down do you go in order to ensure that they're complying with the contractual agreements that you set forth?"
Tom Kellermann, chief cybersecurity officer at security firm Trend Micro, says Lawsky's commitment to ensure banks are adequately addressing third-party risks is laudable.
"I do feel that these proactive regulations will be mirrored by the FFIEC in 2015," Kellermann says. "Systemic risk is here ... as cybercriminals leapfrog through bank information supply chains."