
Financial Outsourcing Solutions


FOS Blog

09 Mar 2015

Enhanced Cyber Security: New York State Proposal


As cyber crime continues to evolve, many experts are warning of new points of attack. In addition to targeting consumers, hackers are refocusing their efforts on financial institutions, choosing to target their operations. The attacks continue to advance in sophistication and automation. As a result, cyber security awareness continues to rise, as noted in the November 2014 FFIEC Cyber Security Assessment. See our December 2014 post, “FFIEC releases findings of cyber security assessment”, which summarizes the results of the assessment.

Some states are taking the matter further. Recognizing the evolving risk environment and the potential threat to banks, the New York Department of Financial Services has taken the lead on a hard-and-fast approach to cyber security. In a recent address, the Department of Financial Services Superintendent expressed his continued concern about a significant cyber attack against the financial services industry. For a transcript of the speech, click here. This concern is exemplified by the recent report from Kaspersky Labs showing how malware installed by hackers was able to steal $1 billion from 100 banks across 30 countries. Given increasing threats like those in the Kaspersky report, the New York Department of Financial Services is proposing enhanced cyber defenses. Some of the proposed enhancements include:

  • Multifactor Authentication – The traditional username and password will no longer be acceptable for access to bank systems. Similar to the internet banking requirements, employees would be required to use some form of additional authentication (RSA Token, SmartCard, biometric, out-of-band authentication, etc.).
  • Third Party Verification of Security Standards – Enhanced vendor management practices will have to be implemented. This will include a requirement that vendors guarantee that they meet a specified security standard not unlike the FISMA or ISO standards that are utilized for accreditation.
  • Cyber Security Audit Ratings – A standalone audit rating would be assigned for cyber security. Regulatory audit ratings affect the frequency of review, growth of the institution through merger or branch locations, etc.

As with most of the current observations, the proposed items from New York could be adopted by other states and/or other regulatory agencies.

Thanks to pressure from the regulators and government, community institutions will be forced to continue to enhance their vigilance with a watchful eye on future threats to the environment. Today’s attacker leverages the latest automation and techniques to reach the largest possible audience, so institutions can no longer turn a blind eye to cyber threats because of their size. These threats are real and need to be addressed on an ongoing basis. Since cyber security transcends the Information Technology department, successful organizations must foster a cultural shift to address security concerns, one that starts with establishing the tone and understanding at the top. Establishing this kind of framework will help an organization be better prepared to meet the increasing demands of the growing threat environment and address the potential for more stringent oversight.

For additional information contact the author Jeffrey J. Johns at jjohns@fosaudit.com.
