Banks told to get tough on cybersecurity in 2016


2016 New York state cybersecurity requirements for banks, expected to be applied country-wide, include multi-factor auth, regular audits and pentests, and exacting third-party vendor cybersecurity scrutiny.

New York state regulators are prepping to release new cybersecurity guidelines for banks that are expected to set a status quo for state-level and federal banking regulators.

The guidelines coming from the New York State Department of Financial Services cover required policies for vendor management, breach notification, implementing multi-factor authentication for customers, employees and service providers, and third-party security management policies.

This news will be a breath of fresh air for well-founded fears that banks have fallen behind in cybersecurity, although the new guidelines are expected for release in early 2016 and so far no deadline for complying with the guidelines has been revealed.

This change has strong roots in a November letter from NYSDFS, which called out the financial industry’s weakness with cybersecurity, and its problematic reliance on third-party service providers for critical banking and insurance functions.

The letter cites troubling results from internal security surveys and risk assessments, noting that financial institutions have been unable to keep up with developing attack and defense in infosec, that third-party vendors pose a serious cybersecurity risk, and that the scale of attacks is now of global import.

Regulation is on the horizon. The NYSDFS letter states, “There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions.”


Read the full article here

Credit: ZDNet