Preventing cybercrime and improving cybersecurity will be costly, says Joan McGowan, a senior analyst with Celent’s banking practice, and strict regulation will play its part.
The New York State Department of Financial Services (NYDFS) is one step closer to releasing cybersecurity regulations, spurred by the largest security hacking breach in history, against JPMorgan Chase. The attack on JPMorgan Chase has been revealed to have generated hundreds of millions of dollars in illegal profit and compromised 83 million customer accounts. On 10 November 2015, the authorities charged three men with what they call ‘pump and dump’ manipulation of publicly traded stock, the mining of non-public corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and spanned 17 different countries.
On the same day as the arrests, the NYDFS sent a letter to other state and federal regulators proposing requirements for the prevention of cyber attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation.
Under the proposed rules, banks will have to hire a chief information security officer who is accountable for cybersecurity policies and controls. Mandatory security training will be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems operations and availability concerns
- Systems and network security
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Incident response, including by setting clearly defined roles and decision-making authority
This will be a huge undertaking for financial institutions. Costs have yet to be evaluated, but will run into the millions of dollars. It will be very difficult to police third-party security, because under the proposal the institution must rely on warranties from its vendors that security is in place.
The requirements are in the review stage and financial institutions should join in the debate by responding to the NYDFS letter (PDF).