New York Tightens Screws on 3rd Party Cyber-Risk*:
- The New York State Department of Financial Services wants banks and related institutions to do their utmost to ensure that any third-party technology firms or other service providers don’t have a cybersecurity breach that affects critical non-public customer data.
- The new rules, effective March 1, call for banks and similar entities to establish a cybersecurity risk management program under the jurisdiction of the chief information security officer (CISO); monitoring third-party vendors must be included in the program.
- The Office of the Comptroller of the Currency (OCC) has already called on all US banks to keep a closer eye on how they monitor outsourced services.
- DFS has imposed steep fines on banks that failed to implement its anti-money laundering rules so it stands to reason it also won’t be lax when it comes to its cybersecurity rules.
- To start, banks need to review their contracts with third-party relationships and amend them to the new requirements if necessary.
- This could be a monumental task given that a bank could have dozens if not hundreds of relationships with counterparties, technology providers, consultants, accountants and even public relations agencies.
- Fortunately, the DFS isn’t expecting banks to use the same level of care for all third parties – the ones holding critical non-public customer data or bank data have highest priority.
- Vendor procurement specialists can help negotiate contract terms with vendors.
- Ultimately, the bank needs to feel confident that the cybersecurity program at its vendor is as solid as its own.
- Once the contract is signed, annual visits and quarterly vulnerability testing should be the minimum standards that banks use to follow up on vendors.
*Source: Finops, March 08, 2017
Personal Data of Saks Customers Exposed*:
- Saks Fifth Avenue is the latest retailer to report that customers’ personal information has been inadvertently exposed online.
- Email addresses and phone numbers of Saks shoppers were visible on its retail website, and have since been taken offline.
- The company that owns Saks acknowledged that some customer data were exposed, but stressed it is moving to resolve the situation and key personal data, such as credit card numbers and passwords, were not exposed.
- Cyber thieves can use email lists in phishing campaigns or to try to put malicious software on PCs.
*Source: USA Today, March 19, 2017
Cyber Espionage Emerges as Top Data Security Threat*:
- Many organizations are struggling to keep up with the rapidly evolving security threat landscape, citing cyber espionage as the most serious threat to their business.
- The company surveyed 2,402 enterprise IT decision makers in the U.S. and Europe in February 2017, and found that 20% rank cyber espionage as the most serious threat.
- One in five U.S. organizations has suffered a cyber-espionage-related attack in the last year.
- Eight out of 10 countries cited the increasing unpredictability of cyber criminals as one of the three biggest challenges to protecting against cyber threats.
- A further 29% mentioned a lack of understanding of the latest threats and 26% are struggling to keep up with the rapidly evolving landscape and increasing sophistication of cyber-criminal activity.
- The research shows that almost two-thirds of businesses experienced a “known” major cyber-attack in the past 12 months.
*Source: Information Management, March 23, 2017
U.S. May Accuse North Korea in Bangladesh Cyber Heist*:
- U.S. prosecutors are building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York last year, and that would charge alleged Chinese middlemen.
- The U.S. Federal Bureau of Investigation believes that North Korea is responsible for the heist.
- The current cases being pursued may not include charges against North Korean officials, but would likely implicate the country, with the United States accusing a foreign government of orchestrating the heist.
- FBI offices in Los Angeles and New York have been leading an international investigation into the February 2016 incident, in which hackers breached Bangladesh Bank’s systems and used the SWIFT messaging network to request nearly $1 billion from its account at the New York Fed.
- The branch of the U.S. central bank rejected most of the requests but filled some of them, resulting in $81 million disappearing into casinos and other entities in the Philippines.
- The incident exposed bungling and miscommunication between central banks, and left the Fed, Bangladesh, SWIFT, and the Philippine lender that initially received the funds trading blame for months.
- SWIFT recently said it planned to cut off the remaining North Korean banks still connected to its system as concerns about the country's nuclear program and missile tests grow.
- Federal investigators are focusing on Chinese individuals or businesses who allegedly helped North Korea orchestrate the heist, and the U.S. Treasury is considering sanctions against these alleged middlemen.
*Source: Reuters, March 22, 2017
Google and Sister Company Jigsaw to Offer Cyber Security to Election Groups*:
- Google and sister company Jigsaw are joining forces to defend election organizers and civic groups against cyber-attacks free of charge.
- The growing frequency of politically motivated online attacks – from the recent hacking of Twitter accounts by Turkish nationalists to the U.S. Democratic Party's email breach – has left governments scrambling for ways to thwart hackers and the rising tide of “fake” news.
- Alphabet Inc subsidiaries Jigsaw and Google are offering a free Protect Your Election package to low-budget organizations.
- The service to ward off website attacks has already been offered to news organizations for the past year under what is known as Project Shield.
- The rise of Google and tech rival Facebook was welcomed as a gift to democracy and free speech against autocratic governments, but more recently there has been a growing backlash against fake news on social media.
- Google vowed to police its websites better by ramping up staff numbers and overhauling its policies.
- A spokesman for Jigsaw said it plans to offer the Protect Your Election suite free to individuals and organizations involved in forthcoming national votes in France, South Korea, Germany, and subsequent elections as they occur.
- Jigsaw is funded by Alphabet and remains autonomous from Google, though the sister companies work together on larger-scale projects.
- Project Shield defends against so-called Distributed Denial of Service (DDoS) attacks that have plagued the web since about 2000.
- In addition to Project Shield, Jigsaw is offering Password Alert to ward off attempts to steal Google passwords and Two-Step Verification for an added layer of protection on web and mobile accounts as part of its Protect Your Election toolkit.
- News websites, human rights websites, and election monitoring and information websites are eligible to apply for DDoS protection.
- Candidates and campaigns are eligible for the two password-protection tools (Password Alert and Two-Step Verification), but not the free DDoS protection.
*Source: Reuters, March 21, 2017