Vulnerabilities Identified in NY Banking Vendors

To bolster security, banks in New York are planning to enact new regulations for any third party vendors they do business with.

In hopes of bolstering security, banks in New York over the next several weeks want to enact new regulations for any third party vendors they do business with.

A report released last week pointed out that one in three N.Y. banks don’t require their vendors to notify them in the event they experience a data breach. More than half of the banks are also neglectful when it comes to performing routine security assessments on vendors and maintaining information security requirements for them.

That’s according to “Update on Cyber Security in the Banking Sector: Third Party Service Providers,” (.PDF) a report released last Thursday by the New York State Department of Financial Services (NYDFS). Because many of the vendors that work with banks have direct access to the banks’ internal technology systems, which are often the linchpin of an attack, the report stresses that it’s paramount for banks to have the requisite security policies in place.

“A bank’s cyber security is often only as good as the cyber security of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data,” said Benjamin Lawsky, the state’s Superintendent of Financial Services, after the report was issued on Thursday.

NYDFS, the department of New York’s government in charge of regulating New York banks, released the report as part of an ongoing series it’s conducting regarding cybersecurity.

While the bulk of the 150 banks interviewed, 90 percent, said they used encryption for data they transmit to or from third parties, only 38 percent of them used it for data at rest, that is, inactive data stored on disk or other physical media.

Elsewhere, 30 percent of banks surveyed did not require multifactor authentication for vendors to access sensitive data or systems. Where it is used, multifactor authentication mostly applies to third-party vendors that remotely access sensitive banking systems, whether from computers or portable devices.

In the event that one of the bank’s vendors suffered a data breach, only half of those asked had a set strategy. Only 47 percent of banks interviewed stated they have cyber insurance policies that specifically cover information security failures by a third-party vendor. Nearly 80 percent, however, said they had some form of cyber security insurance.

NYDFS points out that many banks allow vendors such as law firms and HVAC system providers access to their systems, but many of them don’t take the security of those vendors as seriously as they should.

“Banking organizations appear to be working to address the cyber security risks posed by third-party service providers, although progress varies depending on the size and type of institution,” the paper reads.

NYDFS’s move comes at a time when banking malware is perhaps the most prolific it’s ever been.

Earlier this month researchers with IBM announced that Dyre, a sophisticated banking Trojan, used social engineering to steal more than $1 million from banks over the last year. Dyre attackers used DDoS attacks to distract banks while they siphoned away funds, and also used a fake call center to trick users into giving up their passwords and two-factor authentication codes.

Discussion

  • swashbuckler on

    Interesting that they talk about third party SERVICE PROVIDERS and not third party products. So, if a bank uses software from some third party company (and they all do) then what do the banks require of the vendors providing those products? What do the service providers require of their software vendors? This stuff only hits the tip of the proverbial iceberg in terms of real due diligence.
