Wall Street’s top watchdog is calling on banks to boost their oversight of cybersecurity at outside firms they work with, or face new regulations.
The New York State Department of Financial Services, which has been leading the charge to tighten cybersecurity banking regulations, released a survey of 40 banks on Thursday. The agency found only 30 percent of those banks require outside vendors to notify them of breaches.
It also found banks are lagging in conducting on-site inspections of outside vendors’ security measures and in mandating assurances that a third party’s system is free of viruses.
Hackers frequently infiltrate major companies like Target through third-party vendors with less sophisticated cyber defenses, eventually pilfering millions of customers’ personal data.
In the banking world, outside partners can range from law firms and check-processing companies to accounting firms or data analysts.
Hackers last year breached a website, managed by a third party, for JPMorgan Chase’s charitable racing competitions.
JPMorgan has said that specific intrusion was not responsible for the company’s data breach last fall that exposed 76 million households’ information.
Still, the JPMorgan breach, among numerous others in 2014, spurred the New York agency’s head, Benjamin Lawsky, in December to update the agency’s information technology examination for banks.
The ongoing threat since then — two large health insurers have been breached in 2015, exposing nearly 100 million Social Security numbers — has Lawsky thinking of imposing a new set of cyber regulations on financial institutions. The rules “would apply to their relationships with third-party service providers,” the report explained.
“The fight against cyber terrorism and cyber crime is one that is not going away,” Lawsky told The New York Times. “We need to start that fight with certain basic hygiene tests and that involves tightening your security with vendors.”