A Look at the InfoSec of Wall Street’s Third-Party Vendors
Wall Street has a ways to go when it comes to ensuring the information security of vendors it does business with. According to a report by New York State’s top financial regulator, only a third of New York banks require their third-party vendors to notify them of a breach of their networks.
The report highlights concerns about information security at banks and insurers, and announces that the New York State Department of Financial Services is now considering implementing “cyber security requirements for financial institutions that would apply to their relationships with third-party service providers” in response to increasing data breaches.
The NY Financial Dept. identified certain third-party vendors that are classified as ‘high-risk,’ including check/payment processors, trading and settlement operations and data processing companies. If breached, these types of vendors could introduce significant risks to their bank clients.
While 90 percent of financial firms use encryption for data transmitted to or from third-party vendors, only 38 percent use encryption for data at rest, or stored data.
Europe - More InfoSec Progressive than the U.S.?
According to the survey, financial firms in the U.S. lag behind European firms when it comes to information security technology. Almost 80 percent of foreign financial firms require the use of multi-factor authentication to access data, while 70 percent of domestic banks of all sizes, on average, use multi-factor authentication.
According to the report, multi-factor authentication is required for third-party vendors remotely accessing sensitive data or banking systems, using a variety of devices including PCs or mobile devices.
The NYTimes Dealbook also provides a perspective on multi-factor authentication in its article on the NY Financial Dept. report, “Wall St. Is Told to Tighten Digital Security of Partners”:
Security consultants argue multi-factor authentication should be the norm across a wide range of industries because it makes it more difficult for hackers to break into a network by simply getting their hands on an employee’s stolen login credentials.
The article references the JPMorgan Chase breach last year in which attackers exploited one of the bank’s network servers that wasn’t protected by two-factor authentication. Learn more in JPMorgan Chase Breach: 83 Million Records Breached by Lack of Two Factor.
In support of multi-factor authentication, NYTimes.com also quoted JPMorgan’s chief executive, Jamie Dimon, on the fight against cybercrime:
We need to start that fight with certain basic hygiene tests and that involves tightening your security with vendors and tightening your security with multi-factor authentication.
And the numbers don’t lie either: the global mobile multi-factor authentication software and service market will be worth $1.6 billion by the end of 2015, according to an estimate from ABI Research. Password problems have created a market demand for two-factor authentication, moving the technology into the mainstream, as InfoSecurity-Magazine.com reported.
Find out what criteria to look for in a two-factor authentication solution in our Two-Factor Authentication Evaluation Guide.