New York’s Department of Financial Services (DFS) announced plans to conduct targeted cyber security audits of financial institutions regulated by the state agency following the release of a report documenting an increase in the number and intensity of cyber intrusions.
Days later, federal regulators unveiled plans for a new cyber security vulnerability and risk-mitigation assessment as well as a regulatory self-assessment of supervisory policies and processes. Highlighting key focus areas for senior management and boards of directors in community banks, the regulators indicated that they would start reviewing community banks’ ability to identify and mitigate cyber security risks as early as this summer in the information technology portion of safety and soundness examinations.
The DFS report on bank cyber security preparedness follows a survey of 154 state-regulated banks that found “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.”
Not surprisingly, the report stated “[c]yber attacks against financial services institutions are becoming more frequent, more sophisticated, and more widespread.” It noted, however, that “[a]lthough large-scale denial-of-services attacks against major financial institutions generate the most headlines, community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors) have experienced attempted breaches in recent years.”
Third-party processor breaches were reported by 18 percent of small institutions and 15 percent of large institutions, according to the report, with big banks also experiencing cyber threats to ATMs and mobile banking.
In addition to a rise in frequency, the “Report on Cyber Security in the Banking Sector” found an increase in the sophistication of attacks, from malware to phishing and pharming to botnets or zombies, resulting in account takeovers, identity theft, and network disruptions.
The report attributed the increases to “unfriendly nation-states” hacking U.S. systems for intelligence or intellectual property and “hacktivists” trying to make political statements, as well as those just trying to make some money, like organized crime groups or other criminals.
“As the cost of technology decreases, the barriers to entry for cybercrime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyberfraud,” the agency wrote in the report. “A growing black market for breached data serves to encourage wrongdoers further.”
To help banks better protect themselves, DFS said it will update its bank examination procedures to conduct the cyber security reviews using additional lines of queries about IT management and governance, vendor management, access controls, network security, disaster recovery, and incident response and event management.
The revised examinations “are intended to take a holistic view of an institution’s cyber readiness and will be tailored to reflect each institution’s unique risk profile,” the report concluded. “The Department believes this approach will foster smarter, stronger cyber security programs that reflect the diversity of New York’s financial services industry.”
Additional details about timing and content regarding the reviews will be released soon, DFS promised. In the meantime, it offered a tip to all state-chartered depository institutions, suggesting that they join the Financial Services Information Sharing and Analysis Center to receive notification about cyber security and physical threats and anonymously share threats with other institutions.
“The fact that so much of our financial lives are spent online makes banks increasingly tempting targets for cyber attacks,” noted DFS Superintendent Benjamin M. Lawsky. “Hackers spend day and night trying to think up new ways to steal consumers’ personal information and disrupt our nation’s financial markets, and it’s more important than ever that we rise to meet that challenge.”
To read the report, click here. To read the FFIEC release, click here.
Why it matters: Cybersecurity clearly has become a high priority supervisory issue for financial institution regulators. The FFIEC suggested a number of areas banks should focus on to prepare for upcoming reviews of their ability to identify and mitigate cybersecurity risks. These should be reviewed carefully and the necessary steps taken to create or enhance and implement appropriate policies and procedures before the next regular or special examination.
