Earlier this week, Ben Lawsky, head of the New York State Department of Financial Services (NYDFS), addressed attendees at Columbia Law School, where he stated that he is currently considering new rules to raise cybersecurity standards for banks and insurance companies regulated by NYDFS. Lawsky also noted his concern that the financial industry could face a crippling “Armageddon-style” attack that could possibly affect the entire U.S. economy, unless changes were made to the current security status quo.
This proclamation is long overdue from policy makers and is a welcome development. As the financial industry continues to be actively pursued by well-financed and resourced cyber criminals, standards must be raised at this critical time by both regulators and the private sector to stay ahead of these aggressors.
Recent attacks on some of the United States’ major financial institutions and corporations should serve as a strong warning and example of how these increasingly sophisticated cyberattacks can have a major effect on an industry which already has strong security measures in place. In short, these breaches are a “canary in the coal mine” for all institutions, which we must heed.
With threats now coming from organized crime, nation states, terrorist groups and rogue individuals, the stakes couldn’t be higher. More guidelines are needed for organizations to successfully thwart and proactively guard against large-scale attacks. Those set by the Federal Financial Institutions Examination Council are overdue for an update to better align them with today’s threats that bypass traditional security controls. A combined, heightened focus by public and private entities will establish a new mindset, grounded in proactive actions, to stay one step ahead of next-generation threats, especially as they grow in tenacity and volume.
As Trend Micro reported earlier this year with ‘Operation Emmental’ – an attack that circumvented financial institutions’ two-factor authentication – it is evident that cybercriminals continue to develop new and increasingly sophisticated attack methods. Therefore, it is imperative that banks, credit unions, other financial institutions and insurance companies, which deal not only with large amounts of monetary transactions but also with troves of customers’ personal information and intellectual property, evolve in parallel with the cybercriminal threat. A forward-leaning institution must expect to be hit and prepare to survive.