NY bank regulator's cybersecurity plan has strong authentication, identity

State taking specific steps to protect $2.9 trillion in assets across 1,900 financial institutions
Written by John Fontana, Contributor

New York is upgrading its evaluation of banks operating in the state to include specific questions and examinations on use of multi-factor authentication and identity and access management systems.

The changes come as the state shifts focus onto cybersecurity practices as part of evaluating IT operations at the nearly 1,900 banking and other financial institutions in New York state that boast collective assets topping $2.9 trillion.

All banks with a New York state charter or license will fall under the new plan including Barclays, Deutsche Bank, Credit Suisse, BNP Paribas, Standard Chartered and Santander.

Benjamin Lawsky, the head of New York's Department of Financial Services (DFS), asked in a memo that all member institutions view cybersecurity as "an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology."

Besides multi-factor and adaptive authentication, IT/cybersecurity examinations will now cover a litany of checks and balances, including corporate governance, depth of resources devoted to information security and risk management, incident detection and response procedures, employee training, management of third-party services, as well as job descriptions and qualifications for current chief information security officers.

Banks will be given a 96-question survey seeking specific details on their cybersecurity efforts.

In its assessment of banks, the New York DFS will include a specific authentication question that asks banks "to identify and describe the current use of multi-factor authentication for any systems or applications." The specific identity and access management assessment looks at systems for internal and external users and the controls that are in place.

New York is not alone in looking closer at financial institutions in the wake of breaches, including the October attack on JPMorgan Chase, which affected 76 million people and is now one of the largest in terms of customers impacted.

Late last month, Rep. Elijah E. Cummings (D-Md.) and Senator Elizabeth Warren (D-Mass.) sent letters to 16 banks, investment firms, and other financial service providers looking for details on any hacking incidents and seeking briefings with corporate IT security officers.

DFS does not regulate JPMorgan, which is a nationally chartered bank.
