US Banks Get Tough On Cybersecurity In 2016

New York state cybersecurity requirements for banks are expected to be applied nationally across the US next year, to include multi-factor authority, regular audits and pen-tests, and exacting third-party vendor cybersecurity scrutiny.

New York state regulators are prepping to release new cybersecurity guidelines for banks that are expected to set a status quo for state-level and federal banking regulators.

The guidelines coming from the New York State Department of Financial Services cover required policies for vendor management, breach notification, implementing multi-factor authentication for customers, employees and service providers, and third-party security management policies.

This news will be a breath of fresh air for well-founded fears that banks have fallen behind in cybersecurity, although the new guidelines are expected for release in early 2016 and so far no deadline for complying with the guidelines has been revealed.

This change has strong roots in a November letter from NYSDFS, which called out the financial industry's weakness with cybersecurity, and its problematic reliance on third-party service providers for critical banking and insurance functions.

The letter cites troubling results from internal security surveys and risk assessments, noting that financial institutions have been unable to keep up with developing attack and defense in infosec, that third-party vendors pose a serious cybersecurity risk, and that the scale of attacks is now of global import.

Regulation is on the horizon. The NYSDFS letter states, "There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions."

Requirements are expected to force the creation of policies for managing third-party service providers' cybersecurity, which will include hiring qualified CISOs, insuring CISOs enforce cybersecurity procedures and standards that ensure application security, employing multi-factor authentication, maintaining cyber-incident and breach notification policies, among other requirements.

In a move that should have been made years ago, financial institutions will now be required to "conduct annual penetration testing and quarterly vulnerability assessments."

Under the department's terms, third-party vendor management has particular requirements that will likely prove difficult to implement, although if successful, would result in raising the difficulty levels for attackers overall. According to BankInfoSecurity, "federal banking regulators have been hammering home the need for more third-party oversight for the past 18 months."

Those third-party requirements include at minimum that banks ensure third party vendors: Encrypt all sensitive data, both in transit and at rest; Notify the banking institution of all cybersecurity incidents; Contractually indemnify the banking institution against any cybersecurity incident that results in lost data; Allow the banking institution or its agents to perform cybersecurity audits of all third parties; Implementation of multi-factor authority and more.

It remains to be seen how this will be enforceable, but it's several steps in a good direction. From a consumer point of view, it's sad that we've had to wait this long for our banks to have a level of security that compares to online retail organizations and social networks... but at least it's getting better.
ZD Net: http://zd.net/1mfZGNl

« Intelligence Agencies Should Recruit Like Google
Getting Workers To 'buy-in' To Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

iStorage

iStorage

iStorage is the leading global provider of PIN Activated, hardware encrypted, portable data storage solutions.

Sentropi

Sentropi

Sentropi is an online protection solution against charge backs, account takeovers, identity thefts and online scams.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

Modulo Security

Modulo Security

Modulo provides automated Governance, Risk, and Compliance (GRC) solutions.

Neurosoft

Neurosoft

Neursoft is a fully integrated ICT company with Software Development, System Integration and Information Technology Security capabilities.

CyberProof

CyberProof

CyberProof aims to give clarity and confidence to businesses worldwide using a new risk-based approach to cyber security services.

Turkish Accreditation Agency (TURKAK)

Turkish Accreditation Agency (TURKAK)

TURKAK is the national accreditation body for Turkey. The directory of members provides details of organisations offering certification services for ISO 27001.

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG)

ISRG's mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.

UK Cyber Security Association (UKCSA)

UK Cyber Security Association (UKCSA)

The UK Cyber Security Association (UKCSA) is a membership organisation for individuals and organisations who actively work in the cyber security industry.

Quad9 Foundation

Quad9 Foundation

Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system's performance, plus, it preserves and protects your privacy.

RealTyme

RealTyme

RealTyme is a secure communication and collaboration platform with privacy and human experience at its core.

Stryve

Stryve

Stryve is a leading carbon-neutral provider of specialist cloud and cybersecurity services in Europe.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

Chorus

Chorus

Chorus are a leading Managed Security Service Provider (MSSP), and member of the Microsoft Intelligent Security Association (MISA), with three Microsoft Advanced Specialisations in security.

Xmore AI

Xmore AI

Xmore AI, an emerging disruptor in our incubation, is building AI models to optimize and secure IT with the mission of increasing efficiency and reducing costs.

OmniIndex

OmniIndex

OmniIndex PostgresBC is the only commercial solution allowing you to keep your most sensitive and critical data encrypted while analyzing it. Structured and unstructured.