A confidential survey of compliance officers at leading banking companies in the Tampa Bay region concludes they prefer to do business with outside data management vendors who have completed IT security audits and examinations to help protect against potential theft of their customers’ data.
Conducted by phone and e-mail, the survey asked 14 compliance officers to answer yes or no to four questions:
- Thinking about vendors you use to manage your data, do you require those vendors to complete an SSAE 16, SOC 2 or similar data security compliance examination by a third party?
- Do you require vendors to complete a data security questionnaire periodically?
- Do you send your own data security compliance auditors to examine your vendors’ standards of compliance?
- Finally, is successful completion of a third-party examination of data security compliance standards by a vendor a condition of doing business with you?
Only one bank’s compliance officer declined to answer the survey, citing security concerns.
“With nearly 100 percent of compliance officers responding positively to our survey questions, we can conclude there exists genuine concern about potential data breaches in the local banking industry, and that’s good news for local bank customers, because it indicates that banks are monitoring their key vendors,” commented Eric Ratcliffe, Director at 360 Advanced, a national Qualified Security Assessor and Certified Public Accountant firm based in Tampa, FL.
360 Advanced’s data security staff conducted the survey by telephone and e-mail after a January risk analysis report from the New York Department of Financial Services prompted regulators there to begin reviewing the state’s banks’ incident response and event management, access controls, network security, vendor management, and disaster recovery procedures as part of evaluating each bank’s overall safety and soundness.
Ben Lawsky, head of New York’s Department of Financial Services (DFS), said in a speech at Columbia University Feb. 25 that he fears a large enough hack on Wall Street firms could “spill over into the broader economy” — not unlike the mortgage meltdown of 2008.
Lawsky said he is considering new rules to protect against “an Armageddon-type” cyber-attack that would devastate U.S. financial markets. “We are concerned that within the next decade, or perhaps sooner, we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time,” Lawsky said. He called such an attack a “cyber 9/11.”
The New York State report notes that cyber-attacks against banks are “becoming more frequent, more sophisticated, and more widespread.” Less often covered in the news are the attacks against “community and regional banks, credit unions, money transmitters, and third-party service providers (such as credit card and payment processors),” which have experienced attempted breaches in recent years.
Attacks have come from a variety of actors, including unfriendly nation-states, hacktivists, organized crime groups, cyber gangs, and other criminals. The report states that “as the cost of technology decreases, the barriers to entry for cybercrime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber fraud. A growing black market for breached data serves to encourage wrongdoers further.”