P2.T9.506. Cyber Security in the Banking Sector

Nicole Seaman

Learning outcomes: Describe factors contributing to the rise of cyber crime against financial institutions. Discuss present trends in corporate governance as it relates to cyber security, and explain implications of these trends. Assess the greatest challenges financial institutions face in achieving adequate cyber security.


506.1. In their Report on Cyber Security in the Banking Sector, the New York State Department of Financial Services (DFS) implicitly supports a variety of security technologies aimed at improving systems security and preventing cyber breaches. In this regard, for the average financial services institution, each of the following approaches is a viable recommendation EXCEPT which is the least accurate?

a. Conduct penetration tests that originate from both internal and external sources
b. Participate in information-sharing organizations especially Financial Services Information Sharing and Analysis Center (“FS-ISAC”) membership
c. Employ security technologies including data loss prevention (DLP) tools, two-factor authentication processes, and public key infrastructure systems
d. Avoid biometrics, which have been shown to be unreliable as a behavioral identifier and have contributed to several breaches reported by survey respondents

506.2. As the DFS report notes, cyber security governance issues tend to center around information technology (IT). Specifically, the report says: "When asked which divisions and employees participated in their organizations’ cyber security governance structure, institutions cited IT departments most frequently (92%), followed by Compliance Officer (73%), Risk Management (64%), Chief Executive Officer (61%), Chief Information Officer (60%), and Business Operations (57%)."

However, "notably, certain divisions and employees appeared to be underrepresented in institutions’ cyber security governance structure." Each of the following groups is underrepresented EXCEPT which one, which is not included?

a. The General Counsel, who should advise on potential legal liabilities arising from a cyber event, as well as any indemnifications of potential litigants following a breach
b. The Chief Administrative Officer (CAO), who should ensure the documentation of specific cyber threats and publish remedies in the Corporation's Policies and Procedures, sharing them to the library for future reference
c. Corporate Insurance, who should evaluate the need for cyber risk coverage or, alternatively, determine the extent to which Directors and Officers liability policies might apply in the absence of a cyber-specific policy
d. The Public Information/Communications team, who should identify potential stakeholders requiring feedback in the aftermath of a cyber attack, as well as anticipate the number and types of inquiries that may arise

506.3. In regard to the greatest challenges financial institutions face in achieving adequate cyber security (aka, barriers to ensuring information security), each of the following ranks as a key challenge but which is the LEAST challenging?

a. Increasing sophistication of threats
b. Industry's reliance on third-party service providers
c. Lack of executive support ("buy-in") that has led to decreasing cyber security budgets
d. Emerging technologies and competitive pressure to develop new products and integrate new technologies into product offerings

Answers here: