Thursday, May 4, 2017
"We are notifying affected customers directly although we do not expect any immediate impact to their services as a result of this agreement," Fischer said. "We will formally notify and update customers as appropriate with additional information nearer to the close of the deal. We expect the transaction to close later this year."
Separate security reports published by IBM and Verizon show 2016 was a record year for cybercriminals. Verizon's 2017 Data Breach Investigations Report and the IBM X-Force Threat Intelligence Index 2017 highlight security vulnerabilities in IT infrastructures that are ripe for exploitation through sophisticated attack vectors, security analysts noted.
Brian Zeman, Chief Operating Officer at Prevalent Inc., said Verizon report data shows most breaches were perpetrated by outsiders for financial gain, harming consumers, businesses and partners. Concerned that third-party risk management remains a blind spot, years after third-party breach events at Target and Home Depot, Zeman said, "compelling breach events and the third-party risk mandates of new regulations … make it clear: third party risk management must be a top-five priority for any security-driven organization."
New regulations Zeman mentioned include the European Union's General Data Protection Regulation (GDPR), and the New York State Department of Financial Services Cybersecurity Regulation, Title 23, Part 500 (DFS 23 NYCRR 500).
Issued March 1, 2017, DFS 23 NYCRR 500 requires businesses and financial institutions to complete a certification process to confirm they have implemented appropriate security measures in compliance with new cybersecurity regulations. Businesses will have up to two years to meet the requirements, which include detailed incident report plans and annual reporting procedures.
"It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs," wrote Maria T. Vullo, Superintendent of Financial Services for New York State. "The number of cyber events has been steadily increasing, and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State."
The GDPR, ratified by the European Union in April 2016, is designed to standardize data protection across the European Union by creating a unified framework for hosting and processing data. It affects businesses with access to consumer data for financial transactions and sales and marketing purposes and is reinforced by stiff penalties for noncompliance.
The GDPR requires companies to implement appropriate technical and organizational measures relating to the nature, scope, context and purposes of their handling and processing of personal data. Companies must also obtain consent from individuals, who have the ability to withdraw consent at any time and have "a right to be forgotten," if their data is no longer required for the initial purposes for which it was collected.
IBM's 2017 X-Force report found the financial services sector has been a primary target for cybercriminals for more than two decades. The sector was attacked more than any other industry, increasing from 1,310 attacks in 2015 to 1,684 attacks in 2016, report authors stated.
"Amid these negative findings, there were however some good tidings," they wrote. "The average financial services client we monitored experienced 192 security incidents in 2015, but only 94 in 2016. A 'security incident' is our most serious classification, so this is indeed welcome news."
Pravin Kothari, founder, Chairman and Chief Executive Officer at CipherCloud, said the X-Force report underscores the escalating threat of data breaches in the financial services industry. He said cloud-based financial services applications can remove sensitive data from an organization's direct visibility and control, placing it beyond the reach of firewalls and other legacy cybersecurity defenses.
Kothari urged organizations to embrace data-centric security models and encrypt all data across all network, cloud and mobile channels. If organizations closely control keys and refrain from sharing them with third-party providers, encryption can be tremendously effective, he stated.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.