New York financial regulator pushes banks to plug gaps in cybersecurity

(Reuters) - Following the massive cyber attack on the biggest U.S. bank JPMorgan Chase & Co JPM.N disclosed in August, and other financial institutions, government authorities in United States are pushing financial institutions and brokerage houses to close glaring gaps in cybersecurity.

In a letter sent to many banks on Tuesday, the New York State Department of Financial Services superintendent, Benjamin Lawsky, expressed concern about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”

The New York State’s top financial regulator has requested banks to disclose “any policies and procedures governing relationships with third-party service providers,” according to a copy of the letter obtained by Reuters.

Lawsky said that banks must provide “any due diligence processes used to evaluate” the adequacy of security procedures of third-party service providers.

He has asked financial institutions to outline all methods of protection used to safeguard sensitive data that is sent to, received from, or accessible to vendors.

“It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky said in the letter.

Names, addresses, phone numbers and email addresses of the holders of some 83 million households and small business accounts were exposed when computer systems at JPMorgan Chase & Co were recently compromised by hackers, making it one of the biggest data breaches in history.

Yet the bank has said there is no evidence that account numbers, passwords, user IDs, birth dates or Social Security numbers had been stolen.

Last month Lawsky noted at a Bloomberg Markets event at the Museum of Jewish Heritage in lower Manhattan that, while there's a role for policy makers and legislators to address the issue, the public sector also may be able to prod the private sector to take steps to better handle the risk. (

“We need to think about ways to incentivize the market participants to do more to protect themselves from attacks,” Lawsky said.

A series of prominent cyber attacks this year has underscored how vulnerable much data has become.

In September, Home Depot revealed some 56 million payment cards were likely compromised in a cyber attack at its stores, dwarfing another recent high-profile attack at retailer Target.

Reporting by Karen Freifeld in New York and Ankit Ajmera in Bangalore; Editing by Bernard Orr