Banks face new cyber security rules for vendors

Kevin McCoy
USA TODAY
Benjamin Lawsky, superintendent of the New York State Department of Financial Services.

Wall Street banks and other financial institutions need further strengthening of their cyber security measures, a new report said Thursday.

A survey of 40 banks by the New York Department of Financial Services found that nearly one in three don't require third-party vendors to alert them about information security breaches or other cyber security intrusions. In other findings, the seven-page report said:

• Fewer than half of the banks surveyed said they conduct any on-site assessments of third-party vendors.

• Roughly one in five banks don't conduct on-site assessments of the service providers.

• One-third of the institutions surveyed don't require third-party vendors to mandate similar cyber security requirements on their own subcontractors.

Additionally, U.S. branches of foreign banks questioned in the survey instituted some tougher cyber security requirements than domestic counterparts. According to the survey, the foreign banks required multi-factor authentication — a process that involves more safeguards than a computer password — "much more than large or small domestic institutions."

"A bank's cyber security is often only as good as the cyber security of its vendors," said Benjamin Lawsky, superintendent of the New York regulator that oversees major banks and insurance firms such as Barclays, Goldman Sachs and Met Life.

"Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data," Lawsky said.

The regulator is conducting a similar review of cyber security precautions by third-party vendors of the insurance firms it oversees. The results of the surveys will be used to craft rules to guard against electronic breaches that could potentially harm millions of banking and insurance clients.

Citing such a threat in a February speech, Lawsky warned of a potential "Armageddon-type" cyberattack that could devastate U.S. financial markets.

The warnings follow several major cyber breaches in recent months.

JPMorgan Chase, the nation's largest bank, reported in October that a cyberattack compromised information from 76 million households and 7 million small businesses.

The attackers gained access to contact information, including names, addresses, phone numbers and email addresses, as well as internal JPMorgan Chase information about the users, the bank reported in a Securities and Exchange Commission filing. However, the bank said, no customer money appeared to have been stolen.

Anthem, the nation's second-largest health insurer, reported in February that as many as 80 million customers may have had their account information stolen in a "very sophisticated external cyberattack."
