Want to hack Wall St? Hit their suppliers

Some of the biggest banks on Wall Street are leaving a "backdoor" wide open for hackers by failing to extend their security governance to high-risk suppliers.

To illustrate the security gap that suppliers pose to banks, the New York Department of Financial Services today revealed that a third of Wall Street financial institutions, which include some of the largest banks in the world, don’t require suppliers to report information security breaches.

The regulator released the results from a survey ahead of proposed regulations that could extend information security requirements for financial institutions to their outsourced providers.

The survey of 40 banks classified large institutions as those with more than $1 trillion in assets, medium as those with between $100 billion and $1 trillion, and small as those with less than $100 billion. It also included a mix of US and foreign institutions.

As the regulator notes, the vendors that banks rely on range from law firms to contractors that operate HVAC systems, a point raised, no doubt, as a reminder that Wall Street could be the next Target. The retailer's massive 2013 breach began with credentials stolen from an HVAC contractor, and cost it well over $100m across 2013 and 2014.

The regulator found that just 46 percent of the banks conducted on-site inspections of suppliers, while only 35 percent conducted spot checks on "high-risk" third-party vendors such as payment processors, trading and settlement operations, and data processing companies.

Meanwhile, 20 percent didn’t require suppliers to meet minimum security standards, and only half required a warranty that the data their suppliers handle is free of malware. The regulator noted that larger banks were more likely to ask this of suppliers than smaller banks.

There were some good signs that banks are governing third-party contractors adequately. Nearly 80 percent required suppliers to state that they met minimum information security requirements. Still, as the regulator notes, 21 percent didn’t, suggesting a possible role for regulation over suppliers. It also found that only 36 percent required subcontractors of primary suppliers to meet a baseline level of security.

The story was similar on the right to audit suppliers: most banks did require it, but 21 percent didn’t.

Encryption was another soft spot among the financial institutions surveyed. Ninety percent required encryption of data in transit between themselves and their suppliers, but only 38 percent overall required encryption of data at rest, rising to 50 percent among large institutions.

The use of multi-factor authentication was patchy too, with 70 percent requiring contractors to use it for access to sensitive data or systems. That overall figure was inflated by the foreign banks, however: while half of all US banks, large and small, did not require multi-factor authentication, nearly 80 percent of their foreign counterparts did require the additional factor for access.

The survey also revealed some interesting findings about cyber insurance with respect to third-party providers, which suggest many financial institutions are not adequately covered despite holding a policy. While 64 percent overall had insurance that covered information security incidents at their own organisation, only 47 percent reported having insurance that explicitly covered security failures by a supplier.

The next phase of the regulator’s campaign to improve security governance in the financial services sector will target New York’s insurers, another sector that has seen devastating attacks in recent months, notably the breach of Anthem, one of the largest health insurers in the US, which exposed the data of 80 million customers.

Image credit: New York State Department of Financial Services

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung