The New York State Department of Financial Services is considering new regulations to cover third-party vendors that provide services to the banking sector.
A report issued last week revealed that one in three New York banks don’t require third-party service providers to notify them when they suffer a data breach, and that more than half of the surveyed banks neglect to perform routine security assessments on vendors. The survey also found vastly inconsistent information security requirements for third-party banking vendors.
Vendors commonly have access to their clients’ systems and/or data, and that access is an entry point through which cyber attacks and data breaches frequently occur. The report stresses the importance of implementing appropriate information security policies to cover this weak point.
“A bank’s cyber security is often only as good as the cyber security of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data,” said Benjamin Lawsky, the state’s superintendent of financial services.
Among the report’s other findings:
- Nearly half (44%) of the surveyed banks do not require third-party vendors to provide a warranty confirming that their data or products are free from malware or viruses.
- Only 46% of the banks conduct pre-contract on-site assessments of high-risk third-party vendors.
- Only 35% conduct periodic on-site assessments of high-risk third-party vendors.
- Only 47% of the surveyed institutions reported having cyber insurance policies that explicitly cover information security failures by a third-party vendor.
A PwC report showed data breaches at vendors and other third parties to be costlier than in-house data breaches, and the number of incidents is rising.
Banks are frequently the targets of cyber attacks: the Dyre Wolf campaign combined the Dyre banking trojan with social engineering to steal more than $1 million from banks over the last year.
Third-party vendor management is important for avoiding incidents like the Target breach, and should be included in the risk assessment process of any organisation with an information security management system.
vsRisk™ is the leading information security risk assessment software, and reduces the number of consultancy hours spent on risk assessments by providing a simple, smart and automated solution.
Find out how vsRisk can help you with your risk assessments.