An article in the Times a week ago says that the Feds and States want banks and brokerage firms to close some gaping holes in their defenses.
What is that gaping hole? OUTSIDE VENDORS!
Many people are aware that the suspected source of the Target breach was a small HVAC contractor. They didn’t do anything on purpose; they got phished. It also appears that the JPMorgan Chase attack may have started with a vendor as well.
According to the article, the Securities and Exchange Commission is conducting an audit of 50 firms to assess their readiness for attacks AND their relationships with vendors. FINRA is doing the same with brokerage firms. Other regulators are doing the same with 500 community banks and credit unions.
Benjamin Lawsky, New York’s outspoken head banking regulator, suggested that banks may be required to “obtain representations and warranties” from vendors about the adequacy of their controls to thwart hackers.
Lawsky said, “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”
If I were a vendor (and that includes everyone down to janitorial firms, according to Treasury), I would be looking at my cybersecurity readiness and figuring out what the implications of reps and warranties might be.
Nothing is a done deal until it is a done deal, but there seems to be a lot of “smoke” around this issue right now. Too much to assume there is no “fire”.