New York to Increase Assessment of Bank Cybersecurity Plans
New York's banks will face new cybersecurity assessments carried out by the Department of Financial Services (DFS), under plans unveiled by Governor Andrew Cuomo.
The assessments will be part of the regular DFS examination process, and include additional questions in the areas of IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery.
Says Cuomo: "With today's growing cyber threats we need to make sure New Yorkers' finances are protected from online predators. Targeted cyber security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached."
A DFS report (PDF), based on a survey of 154 institutions, shows that most have experienced intrusions or attempted intrusions over the last three years. Malware has hit 22 percent of respondents, phishing 21 percent and pharming 7 percent.
Crooks most commonly use intrusions for account takeovers, although ID theft, telco network disruptions and third-party payment processor breaches are also common. Around 15 percent of large banks also say they've suffered mobile banking exploitation.
Nearly 90 percent have an information security framework in place to tackle these threats, although plans are less well developed at small banks. Irrespective of size, the vast majority of those quizzed use security technologies such as anti-virus software, firewalls, server-based access control lists, intrusion detection tools, and encryption.
Most large banks use public key infrastructure systems but few smaller firms use the technology, while biometrics is still a rarity across the board. Only around a quarter have policies and procedures in place to mitigate risks associated with cloud computing.
More than three quarters of respondents have seen their information security budget increase over the last three years, and a similar percentage expect another bump in the next three years. Compliance and regulatory requirements are cited as the main reason for increasing spending, followed by business continuity and reputational risk.