Some of the biggest banks on Wall Street are leaving a "backdoor" wide open for hackers by failing to extend security governance to high-risk suppliers.
To illustrate the security gap that suppliers pose to banks, the New York Department of Financial Services today revealed that a third of Wall Street financial institutions — which represent some of the largest banks in the world — don’t require suppliers to report information security breaches.
The regulator released the results from a survey ahead of proposed regulations that could extend information security requirements for financial institutions to their outsourced providers.
The survey of 40 banks classified large institutions as having more than $1 trillion in assets, medium as having between $100 billion and $1 trillion and small as having less than $100 billion. It also included a mix of US and foreign institutions.
As the survey notes, the vendors that banks rely on range from law firms to contractors that operate HVAC systems — a point raised, no doubt, as a reminder that Wall Street could be the next Target, whose massive breach originated via a compromised HVAC contractor and cost the retailer well over $100m between 2013 and 2014.
The regulator found that just 46 percent of the banks conducted on-site inspections of suppliers, while only 35 percent conducted spot checks on “high-risk” third-party vendors such as payment processors, trading and settlement operations and data processing companies.
Meanwhile, 20 percent didn’t require suppliers to meet minimum security standards, and only half required a warranty that their suppliers’ data isn’t compromised by malware. It noted that larger banks were more likely to ask this of suppliers than smaller banks.
There were some good signs that banks are governing third-party contractors adequately. Around 80 percent required suppliers to state that they met minimum information security requirements. Still, as the regulator notes, 21 percent of them didn’t, suggesting a possible role for regulation over suppliers. It also found that only 36 percent required subcontractors of primary suppliers to meet a baseline level of security.
The story was similar on questions over the right to audit — most did require it, but 21 percent didn’t.
Encryption was another soft spot among the financial institutions that were surveyed. Ninety percent encrypted data in transmission between themselves and their suppliers, but only 38 percent overall encrypted data at rest, while 50 percent of large institutions did.
The use of multi-factor authentication was patchy too, with 70 percent requiring contractors to use it for access to sensitive data or systems. Still, the overall figure was bumped up by foreign banks. While half of all US banks, large and small, did not use multi-factor authentication, nearly 80 percent of their foreign banking counterparts did require the additional factor for access.
The survey also revealed some interesting findings about cyber insurance with respect to third-party providers, which may suggest many financial institutions are not adequately covered despite having insurance. While 64 percent overall had insurance that covered information security incidents at their own organisation, only 47 percent reported having insurance that explicitly covered security failures by a supplier.
The next phase of the regulator’s campaign to improve security governance in the financial services sector will target New York’s insurers — another sector that has seen devastating attacks in recent months, with the breach of Anthem, one of the largest health insurers in the US, exposing the data of 80 million customers.
Image credit: New York State Department of Financial Services
This article is brought to you by Enex TestLab, content directors for CSO Australia.