Financial regulators are raising concerns about weaknesses in the networks of outside vendors that serve Wall Street's biggest banks, security lapses that might allow hackers to gain access to sensitive financial data.
In a survey of 40 banks, New York state's top bank cop, Benjamin Lawsky, found that fewer than half regularly inspected the security systems of their outisde vendors. About two-thirds of the firms surveyed had no policy in place requiring partners to give notice when their networks have been compromised, the New York Times reports.
The IT firms, big data processors, law firms and other industries that service banking titans provide potentially vulnerable entry points to the vast troves of information stored in financial databases. In recent years, concern over bank cybersecurity has spread to acknowledge these dangers, particularly with law firms. Wall Street banks have also responded by beefing up the walls around their systems. But the survey conducted by Lawsky's Department of Financial Services found that banks have been slow on the uptake.
Last summer, when a breach at JPMorgan compromised 83 million customer accounts, the bank found that hackers had methodically probed numerous JPMorgan vendors seeking access to its networks, including a website for the bank's charity footrace. Though investigators eventually concluded that JPMorgan's own internal systems had been penetrated, the incident was a stark reminder that hackers will pull on any thread, no matter how distant from the bank, to gain entry.
Watchdogs worry that light oversight of third-party firms connected to banking networks could have grave consequences. Hundreds of millions of people have their most sensitive financial and personal information stored in bank accounts, an alluring mark for identity thieves and other cybercriminals.
More troubling, regulators have increasingly sounded the alarm over concerns that hackers could effect a systemic meltdown. The mind-boggling complexity and interconnectedness of financial markets makes them vulnerable to destabilizing attacks, whether from political malefactors or hostile nation-states.
Lawsky, whose office is developing guidelines around bank vendor security, told the Times that these issues are "in a great state of flux" and that banks shouldn't be blamed for a rapidly changing cybersecurity landscape. Even so, American firms are lagging behind their European counterparts in securing third-party relationships, he said. And the consequences could be dire.