NYDFS to Conduct Annual Cyber Assessments on NY Regulated Banks
Governor Andrew Cuomo of New York announced on May 6, 2014 that the New York State Department of Financial Services (NYDFS) would begin conducting “new, regular, targeted cyber security preparedness assessments of the banks [NYDFS] regulates.” Governor Cuomo noted,
“Targeted cyber security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached. When consumers sign up for online banking they expect their personal information to be secure and we are working to make sure financial institutions take the proper precautions to safeguard it.”
The Governor also announced some findings from a report that was the product of a year-long survey of 154 banks that NYDFS regulates. Some of the findings include:
- The two biggest challenges to building an adequate cyber security program are the sophistication of threats and emerging technologies.
- Methods used to penetrate the surveyed banks’ IT systems included “malicious software (malware) (22%), phishing (21%), pharming (7%), and botnets or zombies (7%).”
- Damage that resulted from a cyber-attack included “account takeovers (46%), identity theft (18%), telecommunication network disruptions (15%), and data integrity breaches (9.3%).”
These new assessments will be conducted as part of the bank examination process. The areas examiners will focus on include:
- IT management and governance;
- Incident response and event management;
- Access controls;
- Network security;
- Vendor management; and
- Disaster recovery.
NYDFS is also recommending that banks join the Financial Services-Information Sharing and Analysis Center (FS-ISAC) to receive information and timely notifications about physical and cyber security threats.