Expert: NY breach report highlights third-party risk

New York reported a record high number of breaches last year, just after a new set of cybersecurity regulations went into effect in the state.

“In 2016, New Yorkers were the victims of one of the highest data exposure rates in our state’s history,” said Attorney General Eric Schneiderman in a statement released last week. “The total annual number of reported security breaches increased by 60% and the number of exposed personal records tripled.”

According to the report, the stolen data consisted overwhelmingly of Social Security numbers and financial account information, and hacking was the leading cause of the breaches. The 1,300 breaches involved the private data of 1.6 million state residents, and 81 percent of the breaches involved the loss of Social Security numbers or financial information.

The largest breach involved Albany-based Newkirk Products, which provides ID cards for health insurance plans. The next-largest breach involved HSBC Bank.

The state started requiring businesses to report breach data in 2005. This report doesn’t yet reflect the impact of the new cybersecurity regulations that went into effect at the start of March for financial institutions doing business in the state.

However, it shows that New York saw the problem was getting worse, said Brad Keller, senior director of third party strategy at Prevalent.

“I suspect that New York was working on these regulations because they were sensing, seeing or hearing that there was an increase in cybersecurity incidents,” he said. “The fact that the numbers support their actions tells me that the New York state regulators are keeping a pretty good finger on the pulse of what’s happening.”

He pointed out that the new requirements, which affect financial firms doing business in the state, require companies to take extra steps to oversee the security at their vendors and business partners.

The Newkirk breach was responsible for nearly 50 percent of the records lost last year.

The new regulations go beyond simple cybersecurity best practices when it comes to third-party security, Keller said.

“A senior executive must be responsible for a third-party program,” he said. “It really reinforces that this third-party risk is a board-level matter.”

And it means that companies need to ensure that their security standards apply to their vendors as well.

“What I’ve been advising people is, as they go about their task of establishing cybersecurity controls, they need to be thinking about how they’re going to impose down on their third-party service providers,” he said. “They really do need to be in sync.”

Smaller and mid-sized companies need to be particularly vigilant, he said, since they are more likely to outsource more of their critical processes.

This is particularly important for financial institutions, he added.

“If I’m a hacker, it’s reasonable for me to expect that it will be harder to break into a top-five financial institutions, than into a medium-sized company that provides services to to financial institutions,” he said. “And if I get into a vendor that providers access to twelve banks, then I get access to twelve banks’ data as opposed to one.”

Keller said that he doesn’t expect the number of breaches to go down immediately as a result of the new regulations.

“With all due respect to security professionals, I think that it’s reasonable to expect reported incidents to go up, only because of the time it takes to go in and make substantial improvements to security controls,” he said.

To add a comment for this story, head to our Facebook page.