Protecting Customers Through a Cybersecurity Control Tower



Citizens National Bank of Texas, the third-oldest independent financial institution in the state, has remained deeply committed to its local community since its founding in 1868. The bank’s hometown, personalized approach to serving customers in the Dallas-Fort Worth area has played an integral role in its success. It was this focus on the surrounding community that led CNB to provide its customers with an extra layer of security by working with DefenseStorm, a Seattle-based provider of cloud-based cybersecurity solutions.

As a full-service community bank with $859 million in assets, CNB aims to offer its customers the same service they would receive at any major, nationwide financial institution. This includes technology-driven services like online banking, mobile banking and bill pay. To offer these digital banking capabilities without exposing its network to new security vulnerabilities, CNB invested in security infrastructure and additional safeguards to protect customers and their financial information from potential cyber attacks. Although it had a solid system of security measures in place, the bank needed help monitoring its overall network activity and sought to increase the visibility of security threats.

This is where DefenseStorm comes in.

Heightened Visibility with a Cybersecurity Control Tower
DefenseStorm acts as a security control tower for CNB to detect intrusions, investigate threats, take action to stop attacks and report on cybersecurity to regulators and the bank’s board of directors. Additionally, DefenseStorm’s team of security experts provides the bank with 24/7 monitoring support, triaging alerts and working alongside the bank to ensure the strongest security possible.

By constantly monitoring network activity and working with the bank to improve its security posture and quickly resolve incidents, DefenseStorm has helped CNB discover and neutralize at least 10 cyber threats in the past year.

Previously, the bank’s internal team would have to review and analyze all security event data. Now, the bank receives alerts in real time, which allows for a more efficient response and remediation process. Additionally, the bank uses DefenseStorm’s support ticketing feature to provide a clear, documented way to track events and how they are being handled.

Wade Jones, CNB’s senior vice president and chief information officer, values the extra support DefenseStorm provides. “It’s nice, the guardianship—having a security team sitting behind me watching the front line and letting me know if there’s something we need to work on,” says Jones.

Genuine Threat or False Alert?
CNB also leverages DefenseStorm’s search and reporting features, which enable the bank to transform complex and unstructured security event data from separate systems into meaningful, actionable insight. Oftentimes, systems will produce a constant stream of security alerts, many of which are not genuine threats, but which analysts must still review. With only eight hours in the workday, it can be difficult to assess each alert, and that can desensitize employees toward alerts, potentially resulting in a genuine threat being ignored. CNB has overcome this challenge and enacted a more proactive security response by sharpening its ability to interpret large sets of event data, so the bank is notified only when an alert is likely to be genuine. Now, the bank can quickly determine the scope of a threat and escalate the event into the remediation process with a click of a button.

The ability to provide a unified, comprehensive view of the bank’s network and systems is vital. “In our journey with DefenseStorm, we’ve brought everything together, log-wise, for all systems in the bank so we can take a more holistic approach,” says Mark Singleton, chief executive officer at CNB.

Enhancing Security without Expanding Staff
Furthermore, DefenseStorm brings a level of cybersecurity expertise that would be difficult for CNB to recruit in its own market. Given the shortage of cybersecurity talent across industries, hiring qualified candidates is challenging, especially for a small community bank, as professionals with advanced security credentials are typically hired by larger corporations. To make it worse, cyber criminals realize this, often assuming that a smaller bank has less sophisticated technology and fewer defenses. However, with DefenseStorm, CNB is able to provide an enhanced level of security, comparable to larger financial institutions, without hiring an extra security expert.

For community banks, business is personal. CNB realizes this and has invested in the infrastructure needed to safeguard its customers’ financial assets.

“Unlike big banks that never see their customers outside of work, we run into ours all the time—at church or at the grocery store,” says Singleton. “If we mess up, it’s our communities, our friends and our grandmothers who are ultimately affected. It’s our job to protect them and DefenseStorm helps us do that.”

Banking on the Cloud: Why Banks Should Embrace Cloud Technology



Cloud adoption has reached critical mass, with roughly 90 percent of businesses employing its technology in some facet of their organization. The cloud presents opportunities for enhanced efficiencies and flexibility—without any security trade-offs—so it’s no surprise that we’re seeing more organizations shift to the software as a service (SaaS) model. But while we’ve seen the healthcare, legal and insurance industries evolve, banks have been more reluctant to adopt new technologies built outside of their own walls.

Why Banks Lag at Cloud Adoption
The banking industry is not known for being nimble. As one of the oldest, largest and most vital industries in the U.S. economy, banking has, in some ways, fallen victim to inertia—relying on traditional technologies and internal networks to disseminate its services. This is in large part due to the widely-held belief that on-premise solutions are inherently more secure than the cloud because data lives in proprietary servers and systems, rather than a service provider’s environment. However, research shows that cyber attacks affect both environments, with on-premise users experiencing over twice as many web application attacks as service provider customers, on average.

Still, for many banks, the perceived risks of the cloud outweigh its forecasted benefits. In fact, 73 percent identified security concerns as the main reason for avoiding it, while 63 percent listed privacy issues as their top worry. That perception is beginning to change, as the cloud’s business advantages have become too significant to ignore. A recent study found big banks are expected to grow from as little as zero percent public cloud adoption to 30 percent by 2019—a dizzying adoption rate for an industry that still relies on legacy systems from the 1960s.

For those still wary of making the switch, here are three of the biggest benefits of moving to the cloud:

Security
Cloud technologies boost your security in ways that on-premise systems are unable to. Traditionally, to use a new offering, you install an on-premise server in your datacenter. Then you must configure network, firewall and secure access to the server. This stretches resources by increasing training requirements, which ultimately detracts from the goal of the offering. Due to economies of scale, cloud companies can own the server, the networks and the processes, making the entire offering more complete and secure. The bank still owns the configuration, identities and access rights it creates inside that environment, so those controls remain its responsibility.

With strict protocols and security certifications like SOC 2 and ISO 27001 built into many services, banks can verify that any solution provider they work with has had its controls independently audited, and can ask for the audit report as part of vendor due diligence.

Understanding the value of security and the benefits that cloud technology brings to banks, a handful of institutions are leading the shift and others are expected to follow. Capital One Financial Corp., an early adopter of Amazon Web Services (AWS), has steadily built its infrastructure in the cloud over the past two years. The company continues to work closely with AWS on specific security and data protocols, allowing the company to operate more securely in the public cloud than it could have in its own data centers, according to Capital One CIO Rob Alexander.

Efficiency and Scalability
The cloud enables teams to be more agile than ever. The SaaS model gives teams the ability to be flexible and roll out new iterations on demand. This access to real-time feedback empowers teams to ship updates more quickly and frequently and to push the envelope so they’re constantly improving products to align with what customers are looking for.

By leveraging the cloud to store complex data, organizations can meet ever-evolving regulatory compliance and governance rules mandating data protection. A recent example would be financial institutions working to comply with the EU’s General Data Protection Regulation. The ability to meet regulations can be sped up by a number of the cloud’s features, including built-in auditability for more clarity around your compliance status, and virtual infrastructure that reduces room for error.

On top of addressing infrastructure models, the cloud allows businesses to be elastic. For instance, a bank can absorb the surge of credit card purchases on Cyber Monday by expanding capacity for that specific demand, rather than having to buy new servers to cover a one-day-per-year peak.

Overhead Cost Savings
Switching from on-premise to cloud can mean significant savings on overhead costs.

When you work with a SaaS provider, you no longer need to invest in proprietary infrastructure. Instead, you’re able to access and maintain your data through your partner’s established environment. This cuts down on both the up-front capital costs associated with hardware and the continuous costs that eat up budget to keep hardware and software optimized and refreshed.

Rather than pay a flat fee to keep systems up and running, cloud providers offer a variety of metered, pay-per-use options. These include Salesforce and Microsoft Office 365’s pay-per-seat, AWS’ infrastructure as a service (IaaS) pay-per-hour model, and Oracle’s high integration fees.

By outsourcing services to the data center, you can also realize savings on staffing. On-premise technologies can require a team varying in size from one to dozens, depending on the bank’s size. Because your cloud provider takes on the computing, your internal team no longer has to worry about hardware refreshes or server and software updates, freeing up their time to focus on what matters most: your business. Cost savings can also be reinvested into the business to increase headcount, boost wages and drive product innovation.

Cloud technology has already been embraced by businesses in numerous industries, but banks have been slower to acknowledge its benefits. Now, as cloud’s positive impact on security, efficiency and cost come to the forefront, it’s becoming harder for banks to ignore the advantages. Already, we’re seeing early adopters reap the benefits, from a financial standpoint and innovation perspective, and in the coming years, we can expect to see banking in the cloud transition from a “nice-to-have” to a business-critical approach to moving up in the market.

Are Directors Tone Deaf on Cybersecurity?


Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?

In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.

After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.

Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach—an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.

So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:

  • Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
  • Eighty-one percent have improved training for staff.
  • Eighty percent have increased their focus on cybersecurity at the board level.
  • Seventy-five percent have improved their internal controls related to cybersecurity.
  • Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.

But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.

Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?

If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.

What You Don’t Know About Network Defenses Can Definitely Hurt You



Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.

Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.

As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.

To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.

Here are some examples of the possible tools in an attacker’s arsenal:

  • Session hijacking: an attacker takes over an established session between two systems, typically by stealing or predicting the session identifier, and then impersonates one of the parties for as long as the session stays valid.
  • Password cracking: recovering a user’s or administrator’s password, whether by guessing it against the live system or by cracking a stolen password hash offline, in order to gain system access.
  • Denial of Service (DoS) attacks: bombard a system with traffic or requests, causing it to crash or deny access to legitimate users.
  • Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
  • Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves in your computer’s software, replacing legitimate components or hiding malicious ones; and remote access trojans (RATs), disguised as legitimate programs but giving attackers an open door into your network.

Toughen Your Defenses with Vulnerability Assessments and Penetration Testing
Two crucial types of security testing offer financial institutions the best protection against these threats: vulnerability assessments and penetration testing. One is focused on finding as many vulnerabilities as possible, while the other can reveal the impact of an attack rather than theorizing about it, and also ensure that controls work as expected.

A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and works best for institutions that already understand they are not where they should be in terms of security. Even mature institutions should not skip it: recent guidance outlines the importance of regularly performing vulnerability assessments on your network. The scope, in industry terms, is breadth over depth.

This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data guidelines, can be performed using a remote scanning device—configured by a certified provider—that is plugged into an organization’s network. The device scans the entire network, including hardware and software, and performs internal vulnerability, patch management and port-scanning functions.

The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.

By contrast, a penetration test’s ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.

A thorough penetration test consists of these elements:

  • Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
  • Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
  • Gaining Access: This is where the hacker comes in, with an attempt to compromise the system. This step is similar to the burglar breaking into the home using the most vulnerable door or window. Gaining access features password and web application attacks and the exploitation of vulnerable software and configuration flaws.
  • Maintaining Access and Covering Your Tracks: Performed only upon successful penetration into the institution’s network. It should be noted that many organizations forgo these steps because they involve manipulating systems, applications and files.
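To make the scanning phase above concrete, here is an added example written for this page (it is not from the original article or any testing provider): a minimal TCP connect scan with banner grabbing, which is the “rattling doorknobs” step in code. So that it runs offline, it starts a throwaway listener on 127.0.0.1 inside the same process and scans that; the banner text, the port chosen by the operating system and the surrounding port window are all constructed for the illustration. Run it only against hosts you are authorized to test.

```python
"""Added example (not from the original article): the scanning phase of a
penetration test reduced to its simplest form, a TCP connect scan that
records which ports accept a connection and what banner the service
volunteers. The target is a fake service started in this process so the
example is self-contained; banner text and ports are constructed.
"""
import socket
import threading


def start_fake_service(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Start a TCP listener on 127.0.0.1 on an OS-assigned port that greets
    every client with `banner`. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)                 # wake up periodically to check stop
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)        # greet, then close
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def scan_port(host, port, timeout=0.5):
    """Return (is_open, banner). is_open is True if the TCP handshake
    completed; banner is whatever the service sent before we said anything
    (empty for services that wait for the client to speak first)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:  # refused or timed out
            return False, b""
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
        return True, data.strip()


def scan_range(host, ports, timeout=0.5):
    """Connect-scan each port in `ports`; return {port: banner} for the
    ones that accepted a connection."""
    found = {}
    for p in ports:
        is_open, banner = scan_port(host, p, timeout)
        if is_open:
            found[p] = banner.decode("ascii", "replace")
    return found


if __name__ == "__main__":
    port, stop = start_fake_service()
    # scan a small window around the listener; its neighbours are normally closed
    results = scan_range("127.0.0.1", range(port - 2, port + 3))
    stop()
    for p, banner in results.items():
        print(f"{p}/tcp open  banner={banner!r}")
```

A real engagement would use a dedicated scanner for speed and for the OS and service fingerprinting the text mentions, but the logic is the same: a completed handshake means the port is open, and the first bytes a service sends usually identify it.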

It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.

Getting Called Out on Cybersecurity


Seventy-seven percent of respondents to Bank Director’s 2016 Risk Practices Survey identified cybersecurity as their number one risk concern—and yet the great majority of them discuss cybersecurity only infrequently during board meetings. This surprising result was confirmed during a presentation at Bank Director’s Bank Audit and Risk Committees Conference, when only 23 percent of the attendees said they discuss cybersecurity at every board meeting during an audience response survey.

“The majority of boards still do not review cybersecurity at every board meeting and only a minority do,” said Sai Huda, senior vice president and general manager risk, information security and compliance solutions at FIS Global. “The majority of boards do not review their cybersecurity plan on a regular basis.”

The audit and risk conference was held June 14-15 in Chicago and attracted over 300 bank directors and risk management professionals.

Huda also questioned whether the attendees were spending enough money on cybersecurity. Over 29 percent of the audience said their bank had increased the cybersecurity budget from 10 percent to 25 percent, and roughly 15 percent had increased the cybersecurity budget more than 25 percent. But nearly 56 percent of the respondents had either increased their cybersecurity budgets by less than 10 percent, had made no increase at all or didn’t know what their budgeting practices were in this area.

The nature of cybersecurity spending is expected to change significantly over the next five years, according to Huda. Until recently most of the money has been spent on building secure defenses against intruders, and yet by Huda’s estimate more than 90 percent of all U.S. companies have been successfully penetrated. “A breach is going to happen,” he said. “It’s a question of when, not if.” Going forward more of the cybersecurity budget will be spent on reacting to intrusions than preventing them. “Timely detection and response are the keys to success,” he said.

When asked during the audience survey which threats they thought their bank was the least prepared for, 40 percent said they were ill prepared to detect malicious insider activity, 21 percent felt they were not receiving the latest intelligence on cyber threats, 19 percent said they were ill prepared to detect anomalous or abnormal activity, 12 percent worried about their ability to block denial of service attacks and roughly 8 percent thought that detecting malware was a deficiency of their bank.

The nature of cybersecurity attacks has also changed in recent years, according to Huda. Today, the attacks are stealthier, more targeted in that the hackers are after something very specific, and persistent in that the hackers keep at it until they have broken through a bank’s defenses. Today’s threats also tend to be multi-pronged, in that hackers will attack bank systems at a variety of access points simultaneously, and the hackers themselves have evolved over time. Where once they were often individuals acting on their own, “today they tend to be well funded crime syndicates and nation states,” he said. “The whole cybersecurity ballgame has changed.”

Icebergs Ahead: Five Questions Every Board Should Ask the CISO


Picture this: Your chief information security officer (CISO) has arrived at the board meeting to give a rundown on your bank’s latest efforts to mitigate cyber risk. You’d like to take an active role in data governance (kudos for that!), but what are you supposed to ask? You’re not a cyber security expert.

In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the bank’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the organization, as well as the costs of reducing the probability of a cyber-attack to an acceptable level.

Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the elevator. You should demand direct access to the CISO on a formal—and regular—basis.

But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:

1. What are the top information-security threats facing your bank? These are the “icebergs” that have the potential to severely damage the bank’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your bank from operating its business, as well as malware injection and phishing, to name just a few.

2. For each of these major threats, what are your bank’s mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.

3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team re-evaluates which icebergs are out there at least annually, and then examines whether its mitigation strategies are still effective.

4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your bank will experience some form of a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarize the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your bank as well as at other banks in their efforts to aggressively manage the potential fallout from attacks.

5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.

Remember, you don’t have to be a cybersecurity expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.

How Banks Can Increase Cybersecurity Risk Management


In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information that can subsequently be used to gain access to systems and data. Alternatively, emails can be opened by employees who unwittingly release customized and often quite sophisticated malware (the software used by hackers to infiltrate IT systems).

Financial institutions are clearly not immune to such attacks and the opportunities and attempts for unauthorized access have increased. Yet some security mechanisms such as firewalls are no longer enough to protect an institution from modern threats. Although in some cases they thwart cyberattacks, outdated banking processes and systems are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a rich risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats in the entire universe of the banking system.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in their systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Detective controls are therefore needed to monitor for and alert the organization to any malicious or unauthorized activity, including malicious activity—taken knowingly or not—by employees. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity.
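The “Identify weaknesses” and “Add controls” points above describe a detective control for the ATM scenario: alert on a burst of withdrawals on other institutions’ cards as it happens, instead of learning about it hours later from a settlement report. The following is an added example, not code from the original article or from any bank or vendor named in it; the event fields, thresholds and the sliding-window approach are assumptions chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

HOME = "HOME_BANK"  # assumed label for cards this bank issued itself

# Constructed sample of withdrawals at this bank's own ATMs (not a real host
# or switch record format): (ISO timestamp, issuing institution, card token, USD).
EVENTS = [
    ("2016-03-12T01:02:00", HOME,       "c001", 200),
    ("2016-03-12T01:05:00", "OTHER_FI", "c101", 500),
    ("2016-03-12T01:07:00", "OTHER_FI", "c102", 500),
    ("2016-03-12T01:09:00", "OTHER_FI", "c103", 500),
    ("2016-03-12T01:11:00", "OTHER_FI", "c104", 500),
    ("2016-03-12T01:13:00", "OTHER_FI", "c105", 500),
    ("2016-03-12T03:40:00", HOME,       "c002", 100),
    ("2016-03-12T09:15:00", "OTHER_FI", "c106", 300),
]

WINDOW = timedelta(minutes=30)  # sliding window kept per issuing institution
MAX_COUNT = 4                   # alert when more than this many withdrawals ...
MAX_AMOUNT = 1500               # ... or more than this total fall inside the window


def detect_velocity_alerts(events, window=WINDOW, max_count=MAX_COUNT,
                           max_amount=MAX_AMOUNT, home=HOME):
    """Return alerts for bursts of withdrawals on other institutions' cards.

    Events are processed in time order. For each foreign issuer a deque of
    (time, amount) inside the window is kept, so the thresholds are checked
    on every event rather than once a day when settlement files arrive.
    Illustrative thresholds; a real deployment tunes them to its own volumes.
    """
    per_issuer = {}
    alerts = []
    for ts, issuer, card, amount in sorted(events):
        if issuer == home:          # this bank's own cards are out of scope here
            continue
        now = datetime.fromisoformat(ts)
        recent = per_issuer.setdefault(issuer, deque())
        recent.append((now, amount))
        while recent and now - recent[0][0] > window:   # drop events outside window
            recent.popleft()
        total = sum(a for _, a in recent)
        if len(recent) > max_count or total > max_amount:
            alerts.append({"issuer": issuer, "at": ts, "count": len(recent),
                           "total": total, "last_card": card})
    return alerts


if __name__ == "__main__":
    for a in detect_velocity_alerts(EVENTS):
        print(f"{a['at']} {a['issuer']}: {a['count']} withdrawals, ${a['total']} in window")
```

With the constructed data the alert fires at 01:11, about two hours before the burst would show up in a periodic report, and the 09:15 withdrawal falls outside the window and stays quiet.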

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.

The Five Critical Attributes of Effective Cybersecurity Risk Management

The size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.

Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.

Many frameworks are now in use in various industries (some common ones include the National Institute of Standards and Technology Cybersecurity Framework, International Organization for Standardization, and ISACA’s COBIT). Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.

Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.

To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.

Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.
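The decision heat map described above, as an added example that is not part of the original article: each threat is scored for likelihood and impact, the product becomes its risk, and the map plots that risk against the effort of the mitigating control so the team can see where a modest spend buys the most risk reduction. The register entries, the 1–5 scales and the band cut-offs are constructed for illustration; the ranking by risk per unit of effort goes a step beyond the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe)
    effort: int      # 1 (cheap) .. 5 (costly): cost/effort of the mitigating control


# Constructed register; the scores are illustrative, not an assessment of any bank.
REGISTER = [
    Threat("Phishing of employees", 5, 4, 2),
    Threat("ATM network interconnection", 3, 5, 4),
    Threat("Unpatched internet-facing server", 4, 4, 2),
    Threat("Insider misuse of customer data", 2, 5, 3),
    Threat("Lost unencrypted laptop", 3, 3, 1),
    Threat("DDoS against online banking", 3, 2, 3),
]

BANDS = ("high", "medium", "low")  # rows of the heat map, top to bottom


def risk_score(t):
    return t.likelihood * t.impact


def risk_band(t):
    s = risk_score(t)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def heat_map(register):
    """Grid keyed by (risk band, effort); each cell lists the threats plotted there."""
    grid = {(b, e): [] for b in BANDS for e in range(1, 6)}
    for t in register:
        grid[(risk_band(t), t.effort)].append(t.name)
    return grid


def prioritize(register):
    """Threats ordered by risk reduced per unit of effort, highest first;
    ties are broken by raw risk so the severest item is addressed first."""
    return sorted(register, key=lambda t: (risk_score(t) / t.effort, risk_score(t)),
                  reverse=True)


def render(grid):
    """Text rendering of the map: high risk at the top, cheap controls on the left."""
    lines = []
    for band in BANDS:
        cells = ["; ".join(grid[(band, e)]) or "." for e in range(1, 6)]
        lines.append(f"{band:>6} | " + " | ".join(f"{c:<32}" for c in cells))
    lines.append("         " + " | ".join(f"{'effort ' + str(e):<32}" for e in range(1, 6)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(heat_map(REGISTER)))
    for t in prioritize(REGISTER):
        print(f"{t.name}: risk {risk_score(t)} ({risk_band(t)}), effort {t.effort}")
```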

Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. Today, although prevention remains crucial, the focus is shifting away from prevention alone and toward being prepared for the worst: preparing for the worst case is becoming just as important as trying to avert it. Preparing an incident response plan—and updating it regularly—is a minimum first step.

Once an incident has occurred, a bank can follow the typical incident response plan, which encompasses certain fundamental steps, including the following:

  • Inventory and understand the data to be protected.
  • Inventory and classify incidents.
  • Understand known threats and monitor new ones.
  • Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
  • Set up a command center.
  • Develop and implement a containment and investigation strategy.
  • Develop and implement an evidence preservation strategy.
  • Develop and implement a communication plan for customers, media, regulators and other stakeholders.
  • Conduct a post-mortem and apply lessons learned.

Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.

In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.

The cybersecurity effort should be led by an experienced team leader for whom IT security is his or her primary duty rather than a secondary function squeezed in among other priorities. If the company is too small to afford a cybersecurity staff member, consider retaining a professional cybersecurity firm to implement the IT security function in order to develop appropriate prevention and response plans.

Three Critical Steps to Launch a Data Breach Response

As we look back on 2015, it is easy to see the heightened stakes in data breach response.

The U.S. government’s Office of Personnel Management was hacked, with as many as 22 million Americans’ personal data stolen. This includes fingerprints and background checks. One hacker tapped into the director of the CIA’s personal emails and breached a portal that law enforcement, including the FBI, uses to share intelligence and book those arrested.

It’s not just government agencies that fall victim to attacks. Any company that collects sensitive data can become a target for hackers and nation-state actors.

The risks are getting higher for those whose data is breached, too. Javelin Research predicts that by 2018, some eight million people will experience a credit card breach and identity fraud within the same year. There is no doubt that criminals have become more sophisticated and better able to parlay one successful hack into another. Cyber criminals have crafted more elaborate “social engineering” methods—tricking people into compromising corporate security. Phishing schemes still deceive about one in four people, according to the Verizon 2015 Data Breach Investigations Report.

This only reiterates the idea that a cyber attack is likely for almost every organization. There are steps that a smart company can take now to help mitigate the damage should a breach occur. Preparing for a cyber attack must become as ingrained in the company culture as a tornado evacuation plan or a fire drill.

One of the key steps to prepare for an effective breach response is to build a data breach response team, which has created—and practiced—a response plan. Make sure that contact numbers for team members—including those for non-work hours and mobile phones—are readily available. A customer support and communication plan should be built into any response and should cover how customers and regulatory agencies will be notified and when, as well as what protections will be offered to those affected.

Proper preparation is only one piece of the puzzle, however. In the event of an actual breach, there are critical steps to take to ensure your organization is able to successfully launch your customer-facing response:

  1. Immediately assemble the breach response team. Your team should include internal experts as well as third-party partners such as communications and legal experts. A partner experienced in the customer-facing aspects—including responding to the surge in customer demand, answering identity theft-related questions, and providing identity protection services—should be part of the team.
  2. Review and update the plan. A plan that has been carefully honed in advance is certainly an advantage. But it may not have anticipated some of the nuances of the particular data breach your organization is facing. So, one of the first action steps for the crisis response team is to look at the documented plan and make any changes needed. If there is one guiding principle in any plan, it should be to keep the response focused on your customers.
  3. Launch the initial response. This includes informing customers, and in some cases, regulatory agencies, about what has happened and how you plan to minimize any damage that results from the event. One significant misstep to avoid: Don’t provide public information that may need to be corrected at some point. Instead, only release the information that is known and confirmed at the time. There is nothing that will breed a lack of confidence more than a constantly shifting explanation of what happened.

As for the customers, this is a good time to let them know exactly how you intend to protect them. Understand, though, that they may be hesitant to provide their information to a third-party service—especially if this data was not compromised in the breach. And they will be suspicious of anything that smacks of an attempt to upsell them. To combat these challenges, lead with the promise that you will repair any harm that comes to them as a result of the incident.

In 2014, there were nearly 80,000 security incidents, according to the Verizon Data Breach Investigations Report. And business news website ZDNet reported that one billion personal records were illegally accessed in those breaches.

The time for asking “if” a data breach will occur has passed. It’s time to prepare as if one is inevitable.

How Banks Can Improve Crisis Planning

We discovered last month that cyber risk was the thing most directors worried about when we informally polled members of our bank services program. This month, we decided to poll experts on what banks could do to improve crisis planning. Not surprisingly, cyber risk planning came up often as an area that could use some improvement. Several of the people polled think banks could benefit from role playing exercises that would walk employees and the board through possible scenarios. The Federal Deposit Insurance Corp. has a few videos that help banks imagine some scenarios. Although planning documents are widely recommended, one consultant says they are pretty useless in a real emergency. Below are their responses.

How Could Banks Improve Crisis Planning?

Crisis planning is getting more attention these days because we are constantly reminded of events that could not only impact our business, but have significant impact on our reputations. One data breach and we stand to lose faith in our ability to safeguard our clients’ money. While planning is expected, bankers could really get value from practice in two areas: 1) tabletop exercises and 2) media training. Tabletop exercises are role playing crisis scenarios whereby bank management gets on a conference call and develops responses, assigns roles, identifies tasks and develops timelines. Banks would benefit from doing this on a quarterly basis. Media training allows bank executives to learn how to look and respond appropriately to a tense situation only after they learn how to answer questions and the ground rules for working with the media. Turn on a video camera and see how well your team does. Crisis planning is better if treated as an ongoing discipline.

—Scott Mills is president of the William Mills Agency, a public relations and marketing firm specializing in financial services

Testing, testing and more testing! Banks typically have multiple plans that can be triggered in the event of a significant cyber-related “crisis,” including, for example, a business continuity plan, incident response plan and crisis communication plan. Multiple groups within a bank likely have responsibility for these plans. And, the plans may not be aligned from a response standpoint with respect to significant cyber events. In the event of such a crisis, it is critical for a bank to be able to respond in a uniform and effective way at the enterprise level. Bringing a bank’s various teams together to test or tabletop a significant cyber event can shed light on how the bank’s various plans (and teams) will work together. This will also provide a valuable opportunity for refinement and alignment of the bank’s related response plans.

—Nathan Taylor is an attorney and cybersecurity expert at Morrison Foerster LLP

Business continuity and disaster recovery considerations are an important component of a bank’s business model. In addition to preparing for natural disasters and other physical threats, continuity also means preserving access to customer data and the integrity and security of that data in the face of cyberattacks. For this reason, the FDIC encourages banks to practice responses to cyber risk as part of their regular disaster planning and business-continuity exercises. They can use the FDIC’s cyber challenge program, which is available on the FDIC website. Cyber challenge was designed to encourage community bank directors to discuss operational risk issues and the potential impact of information technology disruptions.

—Rae-Ann Miller is associate director of the FDIC’s Division of Risk Management Supervision

Banks can improve planning by developing a crisis plan ahead of a data breach or cybersecurity issue. These action plans should include:

  1. Determining data to be protected along with the protection level required.
  2. Classifying incidents or scenarios into categories.
  3. Understanding threats the bank may face, starting with known threats, then creating on-going monitoring for emerging threats.
  4. Determining the stakeholders and defining the incident response team.
  5. Setting up a command center and appointing a command center leader.
  6. Developing an incident plan, including a containment and investigation strategy.
  7. Executing a communication plan to customers, media and agencies.
  8. Testing and training end users in the application of the incident response plan.
  9. Conducting a “lessons learned” session and updating [Incident Response Plan] procedures.

—Jeff Sacks is a principal in Risk Consulting for Crowe Horwath LLP, specializing in technology risk

Though banks understand the risk of cyberattacks, many are unprepared to act quickly and effectively to mitigate damage when faced with a serious cyber breach. To improve crisis planning, banks should consider conducting simulated cybersecurity exercises involving key personnel. Moving quickly following a cyber breach is critical to limiting unauthorized access to sensitive data and the resulting harm. Such exercises demonstrate why an effective cybersecurity program is more than a “tech issue,” and requires coordinated institutional mobilization across business segments, with oversight from senior management. Most banks will eventually find themselves in a hacker’s crosshairs no matter how advanced their defenses, and a coordinated, rapid response will not only limit short-term data loss and legal exposure, but will also help preserve a bank’s reputation and customer relationships.

—Neil MacBride is a partner at Davis Polk & Wardwell

Planning activities generate lots of documents, which are fascinating to auditors but useless in an emergency. You don’t have to give planning reports to your response team. Your phone is a perfect emergency communications console. Social media, including Twitter, YouTube and even Facebook, are indispensable as communications tools. You can monitor events as they unfold or push messages out to staff and public. Cyber is the new disaster. Compare today’s threat assessment with one from 2010. Notice that blizzards and hurricanes have dropped out of the top ten, replaced by data breaches and identity theft.

—Steve Carroll is a director with Cornerstone Advisors, a consulting firm specializing in bank management, strategy and technology advisory services