Page 20 - GS170301

Views





                                                                   Capgemini. "While banks are evolving to combat
                                                                   the sophisticated threat cybercriminals pose, public
                                                                   understanding of these threats and challenges remains
                                                                   low."

                                                                   The number of reported data breaches reached an all-
                                                                   time high in the United States in 2016, according to the
                                                                   Identity Theft Resource Center. In all, 1,093 breaches
                                                                   impacting 36,601,939 personal records were reported in
                                                                   2016.
                                                                   With 52 reported cyber-breaches, banks and other
                                                                   financial services firms accounted for just 4.8 percent of
                                                                   total incidents in 2016; the 72,262 records compromised
                                                                   by those breaches were 0.2 percent of all compromised
                                                                   records, the ITRC said, adding that hacking and phishing
                                                                   were the leading causes of reported hacks. The center
                                                                   defines a data breach as a breach that puts personal
                                                                   consumer information at risk, for example, revealing a
                                                                   person's name and Social Security number.

                                                                   While financial institutions may be faring well against
                                                                   hackers, regulators remain concerned. In September
                                                                   2016, federal banking regulators proposed new
                                                                   marching orders for the institutions they oversee. And
                                                                   on March 1, New York became the first state to implement
                                                                   a cybersecurity regulation specifically targeting banks,
                                                                   insurance companies and other financial services firms
                                                                   doing business in the state.

                                                                   "This regulation helps guarantee the financial services
                                                                   industry upholds its obligation to protect consumers
                                                                   and ensure that its systems are sufficiently constructed
                                                                   to prevent cyber-attacks to the fullest extent possible,"
                                                                   New York Governor Andrew Cuomo said when the
                                                                   regulation was introduced.

                                                                   The New York regulation (crafted by the state banking
                                                                   department) places the legal might of the state behind
                                                                   existing industry practices, such as encryption,
                                                                   multifactor authentication, cyber-security training
                                                                   for employees and written cyber-security policies. It
                                                                   also mandates the appointment of chief information
                                                                   security officers at covered institutions, yearly audits,
                                                                   and a 72-hour window for reporting identified breaches
                                                                   of customer data.

                                                                   New: third-party oversight
                                                                   Perhaps the biggest news to come out of the New York
                                                                   regulation is that state-regulated financial services
                                                                   firms must ensure that third parties (such as merchant
                                                                   acquiring partners) are doing their part to keep safe
                                                                   any nonpublic consumer data they handle. And the
                                                                   regulation requires ongoing risk assessments of
                                                                   vendors.

                                                                   Cybersecurity is no trifling matter. Any serious effort
                                                                   to get a handle on the problem has to take into account

