As the industry tries to react to the massive cyber attack inflicted on JPMorgan Chase, federal and state authorities are pushing banks and brokerage firms to close some gaping holes in their defenses, the New York Times is reporting.
“Top officials at the Treasury Department are discussing the need to bolster fortifications around a critical area of cybersecurity: outside vendors, which include law firms, accounting and marketing firms and even janitorial companies, according to several people briefed on the matter. The sweeping effort began before the hacking of JPMorgan, which compromised some of the personal account information of 76 million households and seven million small businesses, the people said. Under discussion is a requirement that the banks put in place more stringent procedures and safeguards to make sure the outside firms have, at the least, basic defenses,” the Times story said. “The push by government officials is a stark acknowledgment of the vulnerability of financial institutions to an attack — even after they have spent hundreds of millions of dollars to protect themselves — if one of their vendors is not fully prepared.”
For example, New York State’s top financial regulator, Benjamin M. Lawsky, sent a letter on Tuesday (Oct. 21) to dozens of banks requesting that the firms provide ‘any policies and procedures governing relationships with third-party service providers,’ the Times said. “In the letter, Mr. Lawsky says that banks must also outline ‘the due diligence processes used to evaluate’ the security procedures of all vendors. ‘It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.’”
The SEC is conducting an audit of 50 firms to assess their readiness for attacks as well as their relationships with vendors, the story said, adding that the Financial Industry Regulatory Authority is conducting its own probe of how American brokerage firms and asset management firms deal with assaults.