A new report highlighting deficiencies in US banks' oversight of suppliers' cyber security should serve to remind financial services companies in Europe of the due diligence they need to undertake, an expert has said.
Financial services and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that regulators in both the US and Europe are increasingly interested in what financial services companies are doing to address cyber security threats.
McFadyen was commenting after the New York State Department of Financial Services (NYDFS) announced its intention to introduce new regulations "strengthening cyber security standards for banks' third-party vendors" in the "coming weeks".
The announcement was made as it revealed that fewer than half of the banks it surveyed said they do not "conduct any on-site assessments" of "high-risk" suppliers, such as data processing companies and other suppliers that typically have access to "sensitive bank or customer data".
The NYDFS report (7-page / 313KB PDF) also said that only about 30% of the banks surveyed "require their third-party vendors to notify them in the event of an information security breach or other cyber security breach".
A fifth of the banks do not require suppliers to set "minimum information security requirements", whilst of those that do only a third "require those information security requirements to be extended to subcontractors of the third-party vendors", it said.
"A bank's cyber security is often only as good as the cyber security of its vendors," Benjamin Lawsky, superintendent of financial services at the NYDFS, said. "Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter."
McFadyen said that although "security is a growing concern on both sides of the Atlantic" the action proposed by the NYDFS is "the most forthright we’ve seen".
"European regulators are also actively looking at security," McFadyen said. "We’ve seen new rules around payment security come out of Europe and the Financial Conduct Authority’s (FCA's) own guidance on bank outsourcing touches on its importance. Security measures are rarely perfect, as we’ve seen with the takedown of the French TV channel TV5Monde, but the risks presented by a compromise in the sector are growing as we are increasingly digitising financial services."
McFadyen pointed to a recent announcement by the FCA on the implementation of new internet payments security guidelines in the UK as highlighting the regulatory focus there is on cyber security.
The FCA has said it will incorporate the new guidelines into its "supervisory framework" at the same time as the new EU Payment Services Directive (PSD2), which is still being negotiated, is transposed into UK law. The internet payment security guidelines were finalised late last year by the European Banking Authority (EBA).
"We are fully supportive of the objectives behind the guidelines and agree with the importance of consumers being protected against fraud when making payments online," the FCA said. "Ensuring the security of payments and the protection of sensitive customer data is a critical part of the infrastructure of robust payment systems."
"Many firms already have in place measures for strong customer authentication, and we would remind payment service providers of their responsibility to ensure consumers’ payments are safe and secure. We will be incorporating the detail of the requirements of the guidelines into our supervisory framework in line with the revised Payment Services Directive (PSD2) transposition timeline," it said.