Keeping Financial Institutions and Their Customers Secure

Financial institutions face rising cybersecurity threats in the current environment, just as other businesses do. In addition, financial institutions have to comply with regulatory requirements that are necessarily growing as cybersecurity risk also increases.

In a survey published in October 2020, Keeper Security and the Ponemon Institute collected data from 2,215 IT and IT security personnel working at companies that have increased telework or reduced personnel due to COVID-19. According to the survey:

  • The number of attacks experienced has risen in nearly every category – only 12 percent of respondents didn’t identify at least one type of attack as increasing.
  • Respondents who said their organization was effective at mitigating risks fell from 71 to only 44 percent.
  • 56 percent of respondents say the time it takes to respond to a cybersecurity incident has increased, while only 16 percent say it has decreased.

However, there are resources for financial institutions so they do not need to start from scratch when designing or implementing a security program. The New York State Department of Financial Services (DFS) has issued a set of regulations that set expectations and requirements for entities regulated by DFS. Even for entities not regulated by DFS, these regulations identify best practices for financial institutions to mitigate cybersecurity risk and protect customers. DFS has also developed a Cybersecurity Resource Center providing helpful information and links.

Among the most important activities for financial institutions to undertake is to implement the basics – often referred to as “cyber hygiene” – first. If you are not patching your systems, and you are using weak authentication, all the cybersecurity tools in the world will not help you. Fortunately, there are resources that can help, especially for small and medium-sized financial institutions. To take immediate steps to be more secure, you can use the Global Cyber Alliance (GCA) Cybersecurity Toolkit for Small Business. This toolkit is a set of free tools, guidance, resources, and training designed to help businesses that are not cybersecurity experts but that want to take key steps to protect themselves.

DFS and GCA partnered to bring additional resources to financial institutions. DFS developed a set of policies that are incorporated into the GCA toolkit. While these samples provide a helpful starting point, they can and should be customized based on the needs, risks, resources, and structure of the business.

Some businesses may require additional actions beyond those suggested; likewise, not every action suggested will be required for each business.  Policies based only on the samples therefore may not constitute full compliance with state and federal laws and regulations, including DFS’ Cybersecurity Regulation. The policies cover:

While these policies were developed with financial institutions in mind, they are useful for any small business wanting to have a robust set of policies to guide operations. They can also be customized to meet each small business’s unique needs. The other elements of the GCA toolkit can then be used to help implement these policies.

Other resources can be found in the GCA toolkit and on the DFS website. Check back with both often, as each is regularly updated to provide new and better guidance and tools.