SAI Global GRC Community

Building Organizational Integrity.

The New York State Department of Financial Services (NYDFS) has made available Update on Cyber Security in the Banking Sector: Third-Party Service Providers (April 2015) (the Update Report), which is based on a survey NYDFS conducted of 40 banking firms about the "cyber security standards those firms have in place for their third-party vendors". The Update Report provides an update on NYDFS's Report on Cyber Security in the Banking Sector (May 2014), which "highlighted the [banking] industry's reliance on third-party service providers for critical banking functions as a continuing challenge".

According to NYDFS, key findings of the Update Report include that:

  • "[n]early 1 in 3 ... of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cyber security breach";
  • "[f]ewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors";
  • "[a]pproximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements"; and
  • "[n]early half of the banks do not require a warranty of the integrity of the third-party vendors' data or products".

NYDFS's media release (9 April 2015)

Related news item:
The New York Times: Wall St. Is Told to Tighten Digital Security of Partners (8 April 2015)
(Source: NYDFS; The New York Times)

Published in Information Security

The United Kingdom Information Commissioner's Office (ICO) has announced that Racing Post has signed an undertaking (undated) to improve its electronic data security practices following the compromise of 677,335 accounts during a data breach in October 2013.

The United Kingdom Information Commissioner's Office (ICO) has announced that a bank employee responsible for investigating money laundering allegations has been fined after admitting to having read his colleagues' bank accounts.

PayPal has stated that it has "contained" a security issue made public by Australian school student Joshua Rogers, with the online payment processor maintaining that the vulnerability affected only "a small number of customers".

Published in Information Security

The United Kingdom Information Commissioner's Office (ICO) has announced that Thamesview Estate Agents (Thamesview) has signed an Undertaking (undated) after one of the company's outlets continued to dispose of papers containing customer personal information in transparent bags that were left on the street. According to ICO head of enforcement Stephen Eckersley, the information on the papers was clearly visible and included passport copies and previous tax payment details.

Published in Records Management

The American Bar Association (ABA) has made available the biographies (undated) of the panellists at its recent event The Evolution of Cybersecurity and Planning for Response, hosted by the association's cybersecurity legal task force.

The United Kingdom Information Commissioner's Office (ICO) has warned barristers and solicitors to keep files secure, following 15 data breaches involving legal practitioners that were reported in the last three months. The ICO noted that "barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process".

Published in Information Security

The United Kingdom Information Commissioner's Office (ICO) has fined (21 July 2014) online travel services provider Think W3 £150,000 after a "serious breach" of the Data Protection Act 1998 c. 29 (UK) that "revealed thousands of people's details to a malicious hacker".

The United States Securities and Exchange Commission (SEC) has ordered (25 July 2014) alternative trading system (ATS) operator and Citigroup unit LavaFlow to pay a total of US$5 million to settle charges that it "fail[ed] to protect the confidential trading data of its subscribers".

The Office of the Australian Information Commissioner (OAIC) has made available a statement (21 July 2014) by privacy commissioner Timothy Pilgrim advising that the OAIC was recently informed by online retailer The Catch Group of a data breach that occurred in 2011.

Published in Information Security

© 2015 SAI Global Limited ABN 67 050 611 642



