New York state has released a cyber
security report that shows the growing
risk and sophistication of cyber attacks
facing New York banks, and directed the
Department of Financial Services (DFS)
to conduct new, regular, targeted cyber
security preparedness assessments of the
banks DFS regulates.
“With today’s growing cyber threats we
need to make sure New Yorkers’ finances
are protected from online predators,” Gov.
Andrew Cuomo said. “Targeted cyber security
assessments for banks will better safeguard
financial institutions from attacks
and secure personal bank records from being
breached. When consumers sign up for
online banking they expect their personal
information to be secure and we are working
to make sure financial institutions take
the proper precautions to safeguard it.”
Superintendent of Financial Services
Benjamin M. Lawsky said, “The fact that
so much of our financial lives are spent
online makes banks increasingly tempting
targets for cyber attacks. Hackers spend
day and night trying to think up new ways
to steal consumers’ personal information
and disrupt our nation’s financial markets,
and it’s more important than ever that we
rise to meet that challenge.”
The cyber security report released May
6 is the product of an extensive, year-long
survey that DFS conducted of 154 banks
it regulates, state officials said. The most
frequent challenges to building an adequate
cyber security program cited by banks
included the increasing sophistication of
threats (71 percent) and emerging technologies
(53 percent).
The report said most institutions experienced
intrusions or attempted intrusions
into their IT systems over the past three
years. The methods used to penetrate IT
systems ranged widely, with institutions
reporting incidents involving malicious
software (malware) (22 percent), phishing
(21 percent), pharming (7 percent), and
botnets or zombies (7 percent).
The most frequent types of wrongful
activity resulting from a cyber intrusion
reported by institutions were account
takeovers (46 percent), identity theft (18
percent), telecommunication network disruptions
(15 percent), and data integrity
breaches (9.3 percent).
The report said third-party payment processor
breaches were also reported by 18 percent
and 15 percent of small and large institutions,
respectively. Large institutions also cited mobile
banking exploitation (15 percent), ATM
skimming/point-of-sale schemes (23 percent),
and insider access breaches (8 percent).
The report also found that the vast
majority of banks – large and small – are
planning to ramp up their cyber security
spending in the coming years, which could
represent a key opportunity for job growth
and economic development in New York.
More than three-quarters (77 percent)
of all institutions experienced an increase
in their total information security budget
in the past three years, with most of the
remaining institutions (18 percent) reporting
that information security budgets have
remained the same. Almost no institutions
reported a decrease in spending in the past
three years, according to the report.
The vast majority of institutions–approximately
79 percent industry-wide–reported
that information security budgets were
expected to increase in the next three years.
The report also outlines several measures
DFS will implement to help improve cyber
security at New York banks. These measures
include a new targeted assessment of each
bank’s cyber security preparedness – as part of
the regular DFS examination process – to help
drive a strong, consistent focus on that issue.
The revised examination procedures will
include additional questions in the areas of
IT management and governance, incident
response and event management, access
controls, network security, vendor management,
and disaster recovery.
The revised procedures are intended to
take a holistic view of an institution’s cyber
readiness and will be tailored to reflect
each institution’s unique risk profile. DFS
will release additional details about the
timing and content of these examination
procedures in the coming weeks.
DFS has also recommended that all New
York state-chartered depository institutions,
irrespective of size, become members
of the Financial Services-Information Sharing
and Analysis Center (FS-ISAC).
Members receive timely notification
and authoritative information specifically
designed to help protect critical systems
and assets from physical and cyber security
threats. In fact, both the U.S. Department
of Treasury and the U.S. Department of
Homeland Security rely on the FS-ISAC
to disseminate critical information to the
financial services sector in times of crisis.
In addition, the FS-ISAC provides an anonymous
information-sharing capability across
the entire financial services industry that
enables institutions to exchange information
regarding physical and cyber security threats,
as well as vulnerabilities, incidents, and
potential protective measures and practices.
Last year, Cuomo formed a Cyber Security
Advisory Board, which is working with the
administration on innovative strategies to
keep New Yorkers safe from cyber threats. The
board advises the administration on developments
in cyber security and makes recommendations
for protecting the state’s critical
infrastructure and information systems.