This summer's huge cyberattack on JPMorgan Chase and a dozen other financial institutions is accelerating efforts by federal and state authorities to push banks and brokerage firms to close some gaping holes in their defenses.
Top officials at the Treasury Department are discussing the need to bolster fortifications around a critical area of cybersecurity: outside vendors, which include law firms, accounting and marketing firms and even janitorial companies, according to several people briefed on the matter.
The sweeping effort began before the hacking of JPMorgan, which compromised some of the personal account information of 76 million households and seven million small businesses, the people said. Under discussion is a requirement that the banks put in place more stringent procedures and safeguards to make sure the outside firms have, at the least, basic defenses. The push by government officials is a stark acknowledgment of the vulnerability of financial institutions to an attack - even after they have spent hundreds of millions of dollars to protect themselves - if one of their vendors is not fully prepared.
The problem is causing some security consultants to privately consider whether the sprawling financial firms with operations across the globe may be "too big to secure." And smaller firms, the consultants say, may simply not have the ability to adequately defend customer information.
The attack on JPMorgan, along with earlier breaches at Target and Home Depot, has made Americans even more wary about the security of their personal information. JPMorgan said that the hackers did not infiltrate the bank's systems through a third-party vendor.
Still, in the aftermath of the attack, the issue of data security has gained momentum. At a dinner in New York on Tuesday evening that included the general counsels from JPMorgan, Bank of America and Deutsche Bank on the guest list, New York State's top financial regulator, Benjamin M. Lawsky, emphasised the gathering danger to the financial system when vendors' security is lax, according to one of the people briefed on the matter. Lawsky, who delivered his remarks at the University Club in Midtown Manhattan, is considering a new rule that would require banks to "obtain representations and warranties" from vendors about the adequacy of their controls to thwart hackers, the people said.
As part of that proposal, Lawsky sent a letter on Tuesday to dozens of banks requesting that the firms provide "any policies and procedures governing relationships with third-party service providers," according to a copy of the letter reviewed by The New York Times. In the letter, Lawsky says that banks must also outline "the due diligence processes used to evaluate" the security procedures of all vendors.
"It is abundantly clear that, in many respects," Lawsky said in the letter, "a firm's level of cybersecurity is only as good as the cybersecurity of its vendors."
Lawsky's proposal mirrors some of the discussions underway at the Treasury Department, the people said. In July, Treasury Secretary Jacob J. Lew highlighted the importance of online security to the global financial system in a speech at an investment conference. In that address, Lew said his deputy, Sarah Bloom Raskin, "would be working with federal and state agencies to reduce cyber-risks to the financial system," but he did not discuss the specific measures being considered.
The Securities and Exchange Commission is conducting an audit of 50 firms to assess their readiness for attacks as well as their relationships with vendors. The Financial Industry Regulatory Authority is conducting its own broad look at how American brokerage firms and asset management firms deal with assaults from hackers and how they oversee their vendors. Other regulators are examining the preparedness of 500 community banks and credit unions for dealing with an attack.
Wall Street's reliance on third-party vendors has come under fire before, most prominently after the financial crisis, when banks used outside law firms to handle mass foreclosures in what turned out to be a flawed process. Those practices led to a landmark $25 billion foreclosure abuse settlement between the government and five major banks two years ago.
The latest scrutiny of vendors signals a new recognition that cybercrime represents one of the greatest threats to the stability of the financial system. In attack after attack, hackers are rebuffed by financial institutions, only to slip through the cracks at vendors, including some that have virtually no security.
The attack that roiled Target last year and exposed the information of 40 million cardholders and 70 million others came from hackers breaking into the security system of a heating and cooling contractor that was doing work for the retailer. The same overseas hackers who breached JPMorgan's network also infiltrated the website for the JPMorgan Corporate Challenge, which is run by an outside vendor for the bank on a server maintained by an Internet firm in Ann Arbor, Mich.
JPMorgan discovered the attack on the Corporate Challenge website on Aug. 7, and learned of the far broader breach of its own system about a week later. The attack on the bank's network - which enabled the hackers to gain a high level of system privileges on more than 90 servers - began sometime in June and went undiscovered by JPMorgan for about two months, said another person briefed on the matter who spoke on condition of anonymity.
The length of the attack - a two-month period when hackers roamed freely through JPMorgan's systems - has not been previously reported. Two months may seem a long time for largely unfettered access, but security consultants note it is not uncommon for hackers to rummage through a big company's network for several months before being detected.
Federal authorities say they believe the hackers, some of whom may be from Russia, were not acting with the backing of a foreign government and were motivated solely by profit. JPMorgan said no financial information was taken and it had not seen any evidence of fraud from the information taken in the attacks on its computers and the Corporate Challenge website, which included names, addresses, phone numbers and email addresses.
Still, it remains unclear just how the hackers got into JPMorgan's network, and the bank has determined that they did not gain access to JPMorgan's computer systems through the Corporate Challenge website.
"We have no evidence to indicate that attackers compromised a third party to gain access to our network as part of this incident," Patricia Wexler, a JPMorgan spokeswoman said, referring broadly to vendor security.
Still, security consultants and government officials are zeroing in on vendors as they work to choke off access to the global financial system.
"I would put vendor security as a top concern," said John Reed Stark, former chief of the S.E.C.'s Office of Internet Enforcement and a managing director at Stroz Friedberg, a data breach response firm. "I am certainly seeing more and more entities being very rigorous when it comes to their relationships with third parties and cybersecurity."
"In some contracts, companies even contractually secure the right to require, in the event of a breach or compromise, that the vendor conduct an independent risk and security audit at the vendor's own expense," Mr. Stark said.
The notion of requiring financial institutions to get "reps and warranties" from vendors about their security might make it difficult for smaller firms to sell their wares and services to banks and brokers and harder for smaller financial firms to pay for them. But at the same time, beefing up vendor security could prove an important way to quarantine an attack.
Susan F. Axelrod, executive vice president of regulatory operations at the financial industry's regulating agency, said financial firms needed to improve their criteria in hiring vendors, continue to monitor the providers for security during the course of a contract and then pay particular attention to what happens when a vendor's work is done. "The process of terminating a relationship is key," Ms. Axelrod said. "You have to immediately terminate vendor access and passwords."
She suggested that contracts with vendors "deal upfront" with the process of ending a relationship and safeguarding access to a firm's computer network. By the end of the year, the agency expects to publish what it considers best practices for dealing with vendors and cybersecurity, a product of its review of 18 large to midsize brokerage firms.
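The vendor-lifecycle controls Ms. Axelrod describes (vet at hiring, monitor during the contract, cut access the moment the engagement ends) translate directly into a periodic reconciliation between the vendor register and the identity directory. The script below is an added illustration, not code from the article or from any regulator; the contract and account records, the vendor names and the 90-day password and 60-day dormancy thresholds are all constructed for the example. It flags enabled accounts whose contract has ended or was terminated early, accounts with no contract on file, and active accounts whose credentials have gone unrotated or unused.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Contract:
    vendor: str
    end_date: date        # contractual end of the engagement
    terminated: bool      # engagement ended early by the firm


@dataclass(frozen=True)
class Account:
    username: str
    vendor: str
    enabled: bool
    last_password_change: date
    last_login: Optional[date]   # None = never logged in


# Constructed sample data (hypothetical vendors and accounts, not from the article).
TODAY = date(2014, 10, 22)

CONTRACTS = [
    Contract("acme-hvac", date(2014, 9, 30), terminated=False),      # expired
    Contract("janitorial-co", date(2015, 3, 31), terminated=False),  # active
    Contract("marketing-llc", date(2015, 6, 30), terminated=True),   # ended early
]

ACCOUNTS = [
    Account("svc-acme-01", "acme-hvac", True, date(2014, 5, 1), date(2014, 10, 20)),
    Account("svc-jan-01", "janitorial-co", True, date(2014, 9, 15), date(2014, 10, 21)),
    Account("svc-jan-02", "janitorial-co", True, date(2014, 3, 1), None),
    Account("svc-mkt-01", "marketing-llc", True, date(2014, 10, 1), date(2014, 10, 10)),
    Account("svc-mkt-02", "marketing-llc", False, date(2014, 10, 1), None),
    Account("svc-law-01", "lawfirm-x", True, date(2014, 8, 1), date(2014, 10, 15)),
]


def review_vendor_access(
    contracts: List[Contract],
    accounts: List[Account],
    today: date,
    max_password_age_days: int = 90,
    dormant_days: int = 60,
) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled vendor accounts that
    should be disabled or re-credentialed. Disabled accounts are skipped:
    the control in question is revoking live access, not record hygiene."""
    by_vendor = {c.vendor: c for c in contracts}
    findings: List[Tuple[str, str]] = []

    for acct in accounts:
        if not acct.enabled:
            continue

        contract = by_vendor.get(acct.vendor)
        if contract is None:
            # Access exists for a vendor the register does not know about.
            findings.append((acct.username, "no-contract-on-file"))
            continue

        if contract.terminated or contract.end_date < today:
            # The relationship is over but the account still works.
            findings.append((acct.username, "contract-ended-access-still-active"))
            continue

        # Contract is live: check ongoing hygiene for the remaining accounts.
        if (today - acct.last_password_change).days > max_password_age_days:
            findings.append((acct.username, "password-older-than-policy"))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append((acct.username, "dormant-account"))

    return findings


def run_sample_review() -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed sample data."""
    return review_vendor_access(CONTRACTS, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, finding in run_sample_review():
        print(f"{username:12s} {finding}")
```

In practice the two inputs would come from the procurement system and the directory (or an access-governance export) rather than inline lists, and the "contract-ended" findings would feed a ticket to disable the account and rotate any shared credentials the same day, which is the "immediately terminate vendor access and passwords" step from the text.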
©2014 The New York Times News Service