One best practice missing from the New York State Department of Financial Services’ announcement of potential new cyber security regulation requirements for banks and insurers was the need to develop an approach to monitor internal threats, including the detection of anomalous conduct by employees.
The FBI, SEC, and others have identified dishonest acts by employees as one of the major causes of data security breaches. In fact, it’s one of the areas audited under the FFIEC’s Cybersecurity Assessment Tool. Yet, internal threat monitoring is not specifically called out as a recommendation in what is otherwise a robust list of proposed cyber security requirements.
Banks and insurers should not wait for regulators to begin to monitor internal threats.