US Banks Get Tough On Cybersecurity In 2016

New York state cybersecurity requirements for banks are expected to be applied nationally across the US next year, to include multi-factor authority, regular audits and pen-tests, and exacting third-party vendor cybersecurity scrutiny.

New York state regulators are prepping to release new cybersecurity guidelines for banks that are expected to set a status quo for state-level and federal banking regulators.

The guidelines coming from the New York State Department of Financial Services cover required policies for vendor management, breach notification, implementing multi-factor authentication for customers, employees and service providers, and third-party security management policies.

This news will be a breath of fresh air for well-founded fears that banks have fallen behind in cybersecurity, although the new guidelines are expected for release in early 2016 and so far no deadline for complying with the guidelines has been revealed.

This change has strong roots in a November letter from NYSDFS, which called out the financial industry's weakness with cybersecurity, and its problematic reliance on third-party service providers for critical banking and insurance functions.

The letter cites troubling results from internal security surveys and risk assessments, noting that financial institutions have been unable to keep up with developing attack and defense in infosec, that third-party vendors pose a serious cybersecurity risk, and that the scale of attacks is now of global import.

Regulation is on the horizon. The NYSDFS letter states, "There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions."

Requirements are expected to force the creation of policies for managing third-party service providers' cybersecurity, which will include hiring qualified CISOs, insuring CISOs enforce cybersecurity procedures and standards that ensure application security, employing multi-factor authentication, maintaining cyber-incident and breach notification policies, among other requirements.

In a move that should have been made years ago, financial institutions will now be required to "conduct annual penetration testing and quarterly vulnerability assessments."

Under the department's terms, third-party vendor management has particular requirements that will likely prove difficult to implement, although if successful, would result in raising the difficulty levels for attackers overall. According to BankInfoSecurity, "federal banking regulators have been hammering home the need for more third-party oversight for the past 18 months."

Those third-party requirements include at minimum that banks ensure third party vendors: Encrypt all sensitive data, both in transit and at rest; Notify the banking institution of all cybersecurity incidents; Contractually indemnify the banking institution against any cybersecurity incident that results in lost data; Allow the banking institution or its agents to perform cybersecurity audits of all third parties; Implementation of multi-factor authority and more.

It remains to be seen how this will be enforceable, but it's several steps in a good direction. From a consumer point of view, it's sad that we've had to wait this long for our banks to have a level of security that compares to online retail organizations and social networks... but at least it's getting better.
ZD Net: http://zd.net/1mfZGNl

« Intelligence Agencies Should Recruit Like Google
Getting Workers To 'buy-in' To Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

Jumpsec

Jumpsec

Jumpsec provides penetration testing, security assessments, social engineering testing, cyber incident response, training and consultancy services.

Compumatica

Compumatica

Compumatica is a leading European ICT security manufacturer for cybersecurity and encryption products. Solutions include network security, SCADA/ICS security, Mobile/BYOD and email encryption.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

FarrPoint

FarrPoint

FarrPoint is a specialist telecoms consultancy providing a range of services including cyber security assessments and technical assurance to safeguard your data.

National Cybersecurity Hub - South Africa

National Cybersecurity Hub - South Africa

The mission of the National Cybersecurity Hub is to be the central point of collaboration for cybersecurity incidents in South Africa.

Navarino

Navarino

Navarino is the maritime industry’s most advanced communications and connectivity company. We develop advanced technologies and innovative IT solutions including cyber security.

Cyber Threat Alliance

Cyber Threat Alliance

CTA is working to improve cybersecurity of our digital ecosystem by enabling near real-time cyber threat information sharing among companies and organizations in the cybersecurity field.

NeuroChain

NeuroChain

NeuroChain is an intelligent ecosystem that is more secure, more reliable and much faster than blockchain.

HiScout

HiScout

HiScout is your integrated management system for IT governance, risk & compliance.

Gotham Digital Science (GDS)

Gotham Digital Science (GDS)

Gotham Digital Science is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management.

ISECURION Technology & Consulting

ISECURION Technology & Consulting

ISECURION is an information security consulting company. We provide a unique blend of services to our customers catering to the current information security landscape.

Green Radar

Green Radar

Green Radar is a next generation cybersecurity company which combines technologies and services together to deliver Threat Detection for Emails and Deep Threat Analytics and Response.

Raiven Capital

Raiven Capital

Raiven Capital is a global early-stage technology venture capital fund. We focus on founder-led, driven companies on the leading edge of disruption.

MetaWeb Ventures

MetaWeb Ventures

MetaWeb Ventures is a global venture capital firm focused on pre-seed and seed investments in crypto start-ups.

StealthMole

StealthMole

StealthMole is a deep and dark web threat intelligence company that delivers a cloud-based, unified platform for digital investigation, risk assessment, and threat monitoring.