Tough rules laid down by New York’s state regulator will see senior executives at some of the world’s biggest banks and insurers vouch for their companies’ resilience to cyber attacks.
A new regulation, which takes effect on March 1, requires companies supervised by New York’s Department of Financial Services to establish and maintain a cyber security programme that can protect consumers’ private data and “ensure the safety and soundness” of the state’s financial services industry – according to an article in the FT.
Executives will be made to submit an annual certification that the company is complying with the various requirements, and agree to notify the DFS of any serious breaches within 72 hours of their discovery.
“This has gone further than any other regulation I’ve seen, and is the most prescriptive,” said Joe Nocera, Chicago-based leader of PwC’s cyber security practice. The new regime comes as financial institutions are under near-constant bombardment from criminals, “hacktivists” and disaffected insiders, all trying to breach their defences.
Attempts range from “watering hole” attacks, where employees gather at spoofed websites that implant malware, to more complex schemes led by state-linked groups. North Korea, for example, was thought to be behind last year’s $101m heist at the Bank of Bangladesh, carried out via an account at the Federal Reserve Bank of New York.
The sum could have been much higher, were it not for a typo in the routing instructions. More attacks from Pyongyang’s army of hackers could be in the offing this year, say experts, as China’s ban on coal imports exacerbates a shortage of foreign exchange in the country.
Banks will need to stay on high alert to threats from other nation-state actors such as China, Russia and Iran, said security experts. “You jiggle enough door handles, you find one that opens,” said one.
The DFS’s regulation affects financial institutions that operate through a New York state charter — a list that includes Goldman Sachs, BNP Paribas, Deutsche Bank, AIG and MetLife.
Analysts say the protocols are mostly in line with those adopted by the Federal Financial Institutions Examination Council, an inter-agency body that sets uniform standards for examinations by regulators including the Federal Reserve and the Office of the Comptroller of the Currency.
But the requirement for an executive to testify that the company’s systems are up to scratch could expose that individual to liability if the company’s cyber security programme is later found to be non-compliant.
The post Regulators enforce new rules – bank executives to vouch for cyber attack defences appeared first on Payments Cards & Mobile.