
Banks don't pay attention to third-party partners' security

Staff writer | April 10, 2015
Benjamin M. Lawsky, Superintendent of Financial Services, announced that the New York State Department of Financial Services (NYDFS) found potential cyber security vulnerabilities with banks' third-party vendors.
Banks rely on third-party vendors for a broad range of services – such as law firms that provide them with legal advice or even companies contracted to run their HVAC systems. Those third-party firms often have access to a financial institution’s information technology systems, providing a potential point of entry for hackers.

Among other findings, the NYDFS report uncovered that nearly 1 in 3 banks surveyed do not require their third-party vendors to notify them of cyber security breaches.

In the coming weeks, NYDFS expects to move forward on regulations strengthening cyber security standards for banks' third-party vendors, including potential measures related to the representations and warranties banks receive about the cyber security protections in place at those firms.

NYDFS conducted a survey of 40 banking organizations – including many of the largest institutions it regulates – about the cyber security standards those firms have in place for their third-party vendors. Key findings outlined in the report NYDFS issued today include:

Nearly 1 in 3 (approximately 30 percent) of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cyber security breach.

Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors.

Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors.

Nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products (e.g., that the data and products are free of viruses).

NYDFS is in the process of conducting a similar survey regarding the cyber security of third-party vendors at the insurers it regulates. The Department also expects to put in place higher cyber security standards for vendors providing services to insurance companies.


 
