Are New York Banks Prepared for a Cyber Attack?

Gov. Andrew Cuomo isn’t waiting for a major cyber attack to find out if New York banks are prepared to thwart or recover from such a disaster.

In early May, Cuomo announced the New York State Department of Financial Services will regularly conduct new, targeted cybersecurity preparedness assessments of all banks that DFS regulates. The revised assessments will provide greater details about banks’ IT management and governance, incident response measures and disaster recovery capabilities.

Banks are up against more sophisticated and numerous attacks. Most of the surveyed institutions have experienced actual or attempted intrusions into their IT systems over the past three years.

The new assessments were promoted by findings from a yearlong survey of 154 New York banking institutions that DFS regulates. “The revised procedures are intended to take a holistic view of an institution’s cyber readiness and will be tailored to reflect each institution’s unique risk profile,” according to the report.

The challenge for any organization is ensuring that security focuses on managing risks, as opposed to meeting requirements on a checklist. This is an area where organizations and regulatory bodies can butt heads if both sides are not taking a risk-based approach to security.

Most of the surveyed banks have policies and procedures to mitigate information security risks posed by mobile devices and social media. Where policies are lacking is in the cloud. Fewer than 27 percent of the institutions in the report have implemented policies and procedures to address risks associated with cloud computing. About 35 percent of the institutions without policies and procedures plan to introduce them within the next three years.

Banks reported account takeovers, identity theft and telecommunication network disruptions as the most frequent types of “wrongful activity resulting from a cyber intrusion.” Account takeovers occur when an attacker uses personal information to gain control of existing bank or credit card accounts and make unauthorized transactions.

Mobile banking exploitation represents 15 percent of the reported cyber intrusions against large banks, which the report classifies as banks that have more than $10 billion in assets. To penetrate banking systems, intruders use malware most often, followed by phishing, pharming, and botnets or zombies.

DFS has also recommended that all state-chartered depository institutions join the Financial Services Information Sharing and Analysis Center (FS-ISAC). Members share and receive timely information from authoritative sources, such as the federal government, to help them defend against physical and cyber threats.

More than 60 percent of large New York banks are members of information-sharing groups, compared with less than 25 percent of small banks.

DFS will release further details about the timing and makeup of the new assessments.

"Targeted cyber security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached,” Cuomo said in announcing the revised assessments. “When consumers sign up for online banking they expect their personal information to be secure and we are working to make sure financial institutions take the proper precautions to safeguard it.”