Wall St. Is Told to Tighten Digital...
Wall St. Is Told to Tighten Digital Security of Partners
Wall Street's oversight of cybersecurity measures at outside firms it does business with remains a work in progress, according to a review by New York State's top financial regulator.
A survey of 40 banks found that only about a third require their outside vendors to notify them of any breach to their own networks, which could in turn compromise confidential information of the bank and its customers.
Fewer than half the banks surveyed said they conducted regular on-site inspections to make sure the vendors they hire — like data providers, check-processing firms, accounting firms, law firms and even janitorial companies — are using adequate security measures. About half require vendors to provide a warranty that their products and data streams are secure and virus-free.
Benjamin M. Lawsky, New York's superintendent of financial services, whose office began surveying banks on digital security in October, said the responses showed financial institutions need to do more to keep tabs on the outside firms that have access to their networks. But Mr. Lawsky added that he was willing to give financial institutions time to improve their oversight of vendors even as they bolster their own systems.
"I don't cast aspersions on any institutions because the cyberthreat has evolved so quickly," Mr. Lawsky said in an interview discussing the survey results. "Things are in a great state of flux in terms of the institutions and for regulators, too, but all of these things need to be tightened up in a very serious way."
Mr. Lawsky's office is working on proposals and guidelines for banks and other financial institutions, in particular the security of outside vendors. One recommendation could be that financial firms, as part of the contracting process, obtain guarantees from vendors about the quality of their security.
Over the last year, financial regulators nationwide have increasingly focused on steps taken by banks and financial firms to not only safeguard their own networks, but to ensure the outside firms they use are adequately protected as well. The concern about the security of outside vendors comes in the wake of big intrusions at Target and Home Depot that took place in part because the hackers used logon credentials that were apparently stolen from an outside vendor.
One particular area of concern on Wall Street is the security of large law firms, which not only do regulatory work for banks but also advise on corporate transactions. This year, a cybersecurity team at Citigroup issued an internal report that said law firms were a logical target for hackers because they are rich repositories for confidential data. The report also cautioned bank employees that digital security at many law firms, despite improvements, generally remains below the standards of other industries.
For some time now, Mr. Lawsky has called on banks and other financial institutions to improve their security measures. He said Wall Street and other financial services firms did appear to be paying more heed to the threat posed by hackers, especially after a breach last summer at JPMorgan Chase that resulted in hackers gaining access to email addresses and phone numbers of 83 million households and small businesses. Mr. Lawsky said the apparent theft of customer information at the health insurer Anthem in February had similarly heightened awareness of the importance of data security in the insurance industry.
Mr. Lawsky's office recently sent a survey on vendor oversight to insurance companies.
The survey of banks also found that financial firms in the United States lag their counterparts in Europe when it comes to adding protections to safeguard information that is shared with third-party firms. Mr. Lawsky's office said European banks were better at requiring vendors and other outside parties to use "multifactor authentication," a process that requires something more than just a user name and password.
Security consultants argue multifactor authentication should be the norm across a wide range of industries because it makes it more difficult for hackers to break into a network by simply getting their hands on an employee's stolen login credentials.
In the JPMorgan breach, hackers penetrated the bank's vast network by finding a server that had not been upgraded with so-called two-factor authentication, which requires a second, one-time password to gain access. The hackers also breached a website for a charitable racing competition that is managed by an outside vendor. But the bank has said that that intrusion did not provide a gateway to JPMorgan's own network."The fight against cyberterrorism and cybercrime is one that is not going away," Mr. Lawsky said. "We need to start that fight with certain basic hygiene tests and that involves tightening your security with vendors and tightening your security with multifactor authentication."