A recent survey of 40 banks revealed lax oversight of outside vendors’ cyber security measures, according to the New York State Department of Financial Services (“NYDFS”).
In a statement released on April 10, 2015, NYDFS chief Ben Lawsky raised the alarm about the risk that bank vendors with unsophisticated cyber security protections can provide a “backdoor entrance” for hackers looking to steal sensitive data from account holders. But according to the NYDFS survey, fewer than half of the respondent banks conduct on-site inspections of vendor cyber security measures and only 30% require vendors to notify them in the event of a breach. Among larger banks (assets >$1 trillion), while almost 80% have general cyber insurance coverage, fewer than half have policies explicitly covering information security failures by third parties.
Lawsky announced that the NYDFS will issue new regulations to strengthen cyber security standards for banks’ vendors in the coming weeks. U.S. banks are therefore on notice that they may need to tighten up their controls on outside vendors’ cyber security measures, including those of check-processors, trading and settlement operations, data processing companies, and accounting and law firms.