MANHATTAN (CN) - Nearly one in three banks do not require third-party vendors to report information- and cyber-security breaches, New York's financial watchdog found in a startling survey on Thursday morning.
Summarizing the practices of more than 150 banks, the New York State Department of Financial Services found that reliance upon third-party vendors carries an alarming vulnerability for both large and small institutions.
"Banks rely on third-party vendors for a broad range of services - such as law firms that provide them with legal advice or even companies contracted to run their HVAC systems," the department said. "Those third-party firms often have access to a financial institution's information technology systems, providing a potential point of entry for hackers."
In its seven-page report, the department labels "check/payment processors, trading and settlement operations, and data processing companies" as "high-risk" vendors.
So-called "low risk" vendors include "providers of office supplies, printing services, food catering, and janitorial services," according to the report.
"Thirty percent of the banking organizations surveyed do not appear to require their third-party vendors to notify them in the event of an information security breach or other cyber security breach," the report continues.
Investigators found that "fewer than half of the institutions surveyed require any on-site assessments of their third-party vendors."
Another segment of the report says fewer than 35 percent of "medium" and "large" banks, categories defined as institutions with more than $100 billion and $1 trillion in assets, respectively, perform on-site assessments.
"Nearly half (44 percent) of the institutions do not require a warranty of the integrity of the third-party vendor's data or products," the report states.
The department found that more than one in five banks do not require third-party vendors to meet minimum security standards.
"Most of the institutions surveyed require third-party vendors to represent that they have established minimum information security requirements, although 21 percent of them do not," the report states.
The department's superintendent Benjamin Lawsky urged banks to plug these security holes quickly.
"A bank's cyber security is often only as good as the cyber security of its vendors," Lawsky said in a statement. "Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter."
The confidential survey does not name the security-addled institutions.
There's a good reason for that, department spokesman Matthew Anderson said.
"In line with typical practice regarding supervisory communications between banks and regulators, the report does name particular institutions to help ensure we receive candid answers and so as to not reveal vulnerabilities at specific firms that could be exploited," Anderson said in an email.