Five Big IT Threats Facing Banks

Every week there is a new headline regarding the latest data breach or newly discovered vulnerability in widely deployed software. Below, we’ve compiled a list of five threats we think will see increased importance in the upcoming year.

Zero Day Attacks
The past year has brought unprecedented mainstream media attention to a number of widely exploited vulnerabilities, including Heartbleed, Shellshock and POODLE. Strictly speaking, a zero day vulnerability is a flaw in software, hardware or firmware that is exploited before, or as soon as, it becomes generally known and before a fix is available; Heartbleed and Shellshock were attacked within days (Shellshock within hours) of disclosure, while POODLE was a protocol design weakness in SSL 3.0 rather than a coding error. What they share is that they were long-standing but previously undiscovered defects in widely deployed software components. Their discovery and subsequent exploitation have led cyber criminals and nation state actors to take a much closer look at these previously ignored code bases. The common theme is that these vulnerabilities do not necessarily target Windows-based systems, as many successful attacks in the past have. Instead, they were found in software libraries present on a large number of networked devices (network appliances, printers, embedded systems and vendor-managed hardware) that are often overlooked when developing a security model. The practical check for a bank is an inventory of where components such as OpenSSL and bash are running, including on devices no one thinks of as servers, so that a disclosure can be matched against the estate within hours rather than weeks.

Social Engineering
We will continue to see more sophisticated attacks on the most vulnerable part of a financial institution’s network: its employees and customers. With multiple layers of protection from IPS devices and firewalls on the perimeter of most networks, attackers rarely attempt to attack a properly secured network head-on (the zero day vulnerabilities mentioned above being the exception). Instead, they focus their efforts on compromising one or more workstations on the bank’s internal network, or the customer’s workstations. From there the path to confidential information is simpler: even standard user credentials let an attacker move laterally, run further attacks and escalate to administrator privileges on the network.

The continued proliferation of social media in the banking environment has greatly increased the amount of information an attacker can gather remotely on individuals within the bank. That information is then used to craft spear phishing messages targeted at individual employees; the message appears to come from a co-worker within the bank but in reality contains a link to a malicious website or a malicious attachment disguised as something as innocuous as a spreadsheet. The same technique is directed at the bank’s customers, with messages that appear to come from the bank itself. Given the rise in advanced phishing techniques, solid employee and customer training in how to spot a potentially fraudulent message, and in the steps that verify a message’s authenticity (confirming an unexpected request through a known phone number rather than by replying, and checking that the sending address, not just the display name, is genuine), will be important tools this year.
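The checks just described (sending address versus display name, look-alike domains, mismatched reply routing, gateway authentication verdicts and disguised attachments) can be automated at the mail gateway or in a mailbox rule. The script below is an added example, not code from the original article; it assumes the bank’s own mail domain is example-bank.com, that the gateway stamps an Authentication-Results header, and that the two sample messages, which are constructed here for illustration, are what the gateway hands to the filter.

```python
"""Triage a raw e-mail for the spear-phishing indicators described above.

Added example, not code from the original article. Assumptions: the bank's
mail domain is example-bank.com, the gateway adds an Authentication-Results
header, and the sample messages below are constructed for illustration.
"""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-bank.com"   # assumed corporate mail domain
BANK_NAME = "example bank"            # assumed brand string seen in display names
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".xlsm", ".docm")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Sender domain is one or two characters away from the real one.
    if from_dom != TRUSTED_DOMAIN and 0 < _edit_distance(from_dom, TRUSTED_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain: {from_dom}")

    # 2. Display name claims to be the bank but the address is not ours.
    if BANK_NAME in from_name.lower() and from_dom != TRUSTED_DOMAIN:
        findings.append("display name impersonates the bank")

    # 3. Replies or bounces are routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value and _domain(value) != from_dom:
            findings.append(f"{hdr} domain {_domain(value)} differs from From domain {from_dom}")

    # 4. The gateway's SPF/DKIM/DMARC verdicts (header assumed to be stamped by the gateway).
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=softfail" in auth:
            findings.append(f"{mech} failed at the gateway")

    # 5. Attachments that can execute code or carry macros, whatever icon they show.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


# Constructed sample: a "co-worker" message from a look-alike domain with a macro workbook.
SAMPLE = b"""\
From: "Jane Doe (Example Bank)" <jane.doe@examp1e-bank.com>
Reply-To: jane.doe.hr@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
To: bob@example-bank.com
Subject: Q3 bonus spreadsheet
Authentication-Results: mx.example-bank.com;
 spf=softfail smtp.mailfrom=mail-relay.example.net; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Bob, please review the attached numbers before the meeting.
--B
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="bonus.xlsm"
Content-Disposition: attachment; filename="bonus.xlsm"
Content-Transfer-Encoding: base64

UEsDBAo=
--B--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN = b"""\
From: "Jane Doe" <jane.doe@example-bank.com>
To: bob@example-bank.com
Subject: Lunch
Authentication-Results: mx.example-bank.com; spf=pass smtp.mailfrom=example-bank.com;
 dkim=pass header.d=example-bank.com
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(label, triage(raw) or "no findings")
```

The look-alike test deliberately tolerates two edits so that swapped or dropped letters are caught as well as the digit-for-letter substitution shown; tighten or loosen the threshold to match how short the real domain is, since a two-character distance is far more significant for a 16-character domain than for a 6-character one.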

Credit/Debit Card Theft
Banks and their customers were affected by a multitude of breaches at retailers this past year. Retailers seemed to be compromised on a nearly weekly basis, including Home Depot, Jimmy John’s Gourmet Sandwiches, P.F. Chang’s, Michaels, and many more. In October 2014, Special Agent Jason Truppi of the FBI told USA Today that in the previous 12 months, over 500 million financial records had been stolen, thanks in large part to the breaches listed above.

Cyber Extortion
CryptoLocker was a widespread piece of ransomware that made headlines in 2014 and affected financial institutions and their customers. Instead of covertly infecting a system and stealing confidential information as most malware does, ransomware takes the opposite approach: it encrypts files and displays a very visible message demanding payment for decryption. The attack has proven profitable for criminals, with the creator of CryptoLocker receiving over $3 million in ransom payments for encrypted data. The practical defense is a backup that the infected workstation cannot reach (offline, or on storage it has no write access to) and that has been tested by actually restoring from it, since CryptoLocker also encrypted files on mapped network drives.

Attacks on Mobile Devices
With mobile platforms continuing to grow in popularity for activities such as mobile banking, it is no surprise that attackers have started to focus more effort on malware that targets them. Mobile users often do not apply the same caution when downloading applications and accepting permission prompts that they would on a personal computer, which leaves an environment an attacker can easily take advantage of. This, coupled with the relative lack of antivirus solutions for mobile devices, led to a 112 percent increase in mobile malware samples detected by McAfee in the past year.

Will Cybercrime Erode Confidence in Banks?

Recently I was reviewing some material about cybersecurity which contained, among other things, an explanation of how thieves successfully used remote access Trojans and keystroke logging at bank ATMs around the world to steal customer information and ultimately rip off banks for tens of millions of dollars. I was familiar with the incident because we wrote about it in our 1st Quarter 2014 issue, but here’s the thing: I was about to deposit a couple of hundred dollars in checks and cash at one of my bank’s ATMs, and it made me stop and wonder if I should do that. I hadn’t been in a bank branch in a couple of years (and in fact rarely even use ATMs anymore), but I considered whether I should make the deposit in the branch instead to avoid putting myself at risk by using a machine that conceivably has been hacked.

Technology has had a transformative impact on banking over the last couple of decades—and the revolution actually seems to be accelerating with the explosive popularity of mobile access and new concepts like the cloud, and also the emergence of nonbank financial technology companies that rely almost entirely on technology for their user interface. The advance of technology in banking is exciting because of the cost and customer service benefits it promises to deliver, but this same technology has also become something of a Trojan horse (tortured metaphor intended) from a risk perspective. Cyberattacks are occurring with an increasing frequency that is alarming, and banks are hard pressed to keep up with the advanced tactics of the attackers. In fact, if we were to characterize this as an arms race between hostile parties—the banks versus the hackers—the banks are losing.

Eighty-two percent of the respondents to our 2015 Risk Practices Survey identified cybersecurity as the risk category they are most concerned about, compared to regulatory compliance at 52 percent, and credit quality at 37 percent.

Cybersecurity will have an important place on the agenda at our 2015 Bank Audit & Risk Committees Conference scheduled for June 11-12 in Chicago. Any bank board of directors that isn’t worried about its institution’s vulnerability to a cyberattack is asleep at the table. What should directors be doing to make their banks as safe as possible? The first step is to educate themselves on the nature of cyberrisk so they understand the threat well enough to ask good questions. This undertaking will be the very definition of continuing education because the threat is constantly evolving. Boards also need to make sure that they are spending enough money on cybersecurity. Fifty-two percent of the respondents to our risk survey increased their cybersecurity budget by less than 10 percent for 2015, and 21 percent saw no increase for the year—spending levels that probably aren’t enough given how quickly the threat is escalating. Cybersecurity should be a standing topic on every regularly scheduled board meeting so that directors gain an understanding of the topic while keeping themselves well briefed on the latest security developments at the bank. And the board needs to have an incident response plan in place when a cyber intrusion does occur, because it’s simply a matter of when, not if.

As I write this blog, I still haven’t decided how I will deposit those checks and cash that I have.  And that points to one of the most damaging effects of cyberattacks: They have the potential over time to erode confidence in a banking system that relies increasingly on technology. I have read comments of late from people who say they’ve stopped using their debit cards for small purchases, but use cash instead because they’re afraid of having their checking accounts drained if a hacker steals their customer information. That sounds like a step backwards to me at a time when banks should be helping their customers step forward with the help of technology.

The Board’s Role in Confronting Cyberrisk

Heartbleed, DDoS, zero day, malware, NIST, phishing, FS-ISAC. The cybersecurity challenges that banks face today are new, complex, constantly evolving and often confusing to a bank’s board of directors. Tackling these challenges feels daunting. The role of the directors in cybersecurity defense is not to get involved in technical controls and defenses, but one of oversight and certain calculated steps to comply with their fiduciary duties and to protect themselves, their customers and their employees from a cyberattack. Gary R. Bronstein, a partner, and Kevin M. Toomey, an associate, with Kilpatrick Townsend & Stockton LLP in Washington, D.C., explore the various steps that bank boards should take to protect themselves against a cyberattack.

What are the three things banks and their directors must know when it comes to cybersecurity?
From both a strategic and regulatory perspective, it is imperative that boards become educated on the topic of cybersecurity. How can you possibly ask the right questions and provide the necessary oversight if you don’t have a firm grasp of the underlying issues?

The board should establish a specialized cybersecurity risk committee. With the significant increase in data breach-related shareholder derivative suits, potential D&O liability, the growing threat of cyberattacks and an increase in scrutiny from the regulators, it is imperative that banks establish a board committee specifically designed to address and oversee cyber-related issues and developments.

The board must set the institution’s tone for cybersecurity compliance. Not unlike other areas of risk management, the board is expected to demonstrate attention to and compliance with the particular risk, serving as the example to the rest of the institution.

We do not have a board member with relevant cybersecurity or IT experience. Do we need a director with this particular skill set?
Although IT expertise is not yet required by the regulators, retaining a director with such experience is a prudent, developing corporate governance best practice that will aid the board in understanding this new, complex area. Moreover, for public companies, this topic is likely to receive increased interest from shareholders and proxy advisory firms.

Some banks are establishing cyberrisk committees at the board level. What should these committees look like and how should they structure the charter?
A cyberrisk committee should be structured similarly to your institution’s other committees. Importantly, the charter should: clearly define cyberrisk and the scope of the committee’s responsibilities; articulate the level of oversight required by the board and the committee; and establish reporting lines for cybersecurity issues and developments.

What other steps may a bank take to limit its liability? Does a cyber-specific insurance product exist for banks?
It is imperative that financial institutions review their cybersecurity insurance policies carefully to ensure that the scope, limits, and sublimits of the coverage are appropriate. Consistent with other areas of risk mitigation, the amounts of such cybersecurity insurance coverage should be commensurate with the level of risk involved with the bank’s operations and the type of activities the bank provides. Banks should also understand that not all cyber-insurance products are the same—the scope of coverage can vary dramatically among products offered by insurance carriers. We advise banks to work with their brokers, coverage attorneys and IT professionals to analyze their risks and whether they have sufficient insurance to cover them.

My bank just experienced a data breach–now what?
If your bank experiences a data breach, the board, senior management and employees must work together quickly and collectively in carrying out their response. Simultaneously, the institution must initiate an investigation; consult with counsel; contact law enforcement; hire consultants; determine required notice obligations; evaluate remedial options; comply with insurance coverage policies; and distribute notices and press releases.

Thinking about these questions before a breach occurs reduces compliance costs and headaches for companies and their boards. Establishing sufficient controls at the board level will help mitigate reputational and monetary damages to your bank, board, employees and customers. Do not wait until the breach occurs. Having sound policies and plans in place should help minimize risk.

Planning Helps Institutions Survive a Cyberattack

The list of notable organizations that have suffered a cyberattack is all too familiar. The likelihood of joining that list—whether by malware, ransomware or data breach—increases almost daily.

While the hazards are higher, so too is the cost of an attack. According to the Ponemon Institute, the price tag for each lost or stolen record containing sensitive or personal information rose to $201 in 2014, up from $188 in 2013.

And that’s just the beginning. When a cyberattack occurs, how an organization responds will determine whether there is long-term fallout and irreparable damage to the brand.

Ultimately, there is one audience who makes that determination: your customers.

Ponemon research found that customers are more likely to terminate their relationship with an organization that has experienced a security breach. Financial institutions top the list of industries most affected.

The key to maintaining customer loyalty during a time of increased anxiety is thoughtful preparation. Organizations that survive data breaches often have these three principles in mind during the preparation process.

Put Plans in Place
There are numerous steps to mitigate risk factors. Being prepared allows you to reap the benefits of a quick response, including relieving customer concerns. After a breach, customers want to know what happened and how your organization will assist to relieve any harm that may occur.

To be truly effective, an incident response plan must operate across all functions and involve key stakeholders. Hacking is not just an Information Technology issue; in the event of a breach, response efforts extend well beyond the IT department. A well-crafted plan will begin with the customer in mind and will be carried out by virtually every department in an organization.

A stagnant plan will be of little use. Hackers are constantly evolving their methods—and plans should be updated regularly and flexible enough to deal with new types of threats. Additionally, plans must undergo end-to-end testing using data breach simulation exercises. A critical component of a successful response involves simulation testing with internal stakeholders and external partners that have a role in a live breach response.

Realize that Success Depends on Openness
Making public statements without a clear understanding of the facts can create confusion and mistrust while opening up further risk. However, remaining silent is not the answer either.

In 2010, the town of Poughkeepsie, New York, lost $378,000 when its accounts were hacked. The Town Supervisor blasted the bank on two counts. The first was obvious: failing to detect the breach. Nine fraudulent transfer attempts were made; four succeeded. But equally galling to town leadership: no one from the bank explained the hack in person.

More recently, retail giant Target saw customer satisfaction with service drop more than 3 percentage points in the six months after its data breach. Among its high-end customers—who are more likely to use the company’s credit cards—that drop was 9 percentage points. Target was dinged for its slow response and its failure to point out how it would prevent such an attack in the future.

Companies in the midst of a data breach must be honest, open, and accurate in sharing available information. Having to go back and correct information that was previously released often escalates the situation further.

Put Customers First
Customers rely on the organization affected to make things right. Although frustrations associated with the attack are high, individuals frequently do not take steps to protect themselves. A survey found that only 27 percent of consumers had taken steps to protect their information in the wake of the Target attack.

Customers will judge harshly if they feel the organization has failed to protect them. This judgment can have a lasting impact on customer loyalty and the bottom line. That’s an important realization—one which should drive all of an institution’s cybersecurity efforts.

Free credit monitoring often is offered immediately to customers when a firm’s data has been breached. Yet customers continue to show that they resent being forced to register with an outside organization to receive the credit monitoring service. Explore all solutions and select the one that makes accessing protection as simple as possible for your customers.

Companies that put their customers first will make the right decisions every time. A cyberbreach response must be built with the customer in mind first.

What Does a Cyber Policy Cover?

A recent report by Prolexic Technologies documents that cyber attacks, including denial of service attacks, increased by as much as 20 percent in the second quarter of 2013 compared to the first quarter. Partly in response to these increased attacks, the Securities Industry and Financial Markets Association conducted a voluntary test of the security systems of various financial institutions. During the week of July 13th, 50 banks of all sizes went through the exercise to see how they would respond to coordinated cyber attacks against them. Add to this the exponential rise of mobile devices, and it is no wonder that bank boards are discussing cyber risk at an ever increasing rate.

Board Level Discussions

More and more often, my board presentations include a cyber-risk component. I am no longer surprised to hear directors question the protection of the bank’s intangible assets (such as client personal information) as much as they do the money in the vault. The most common question I get from the boardroom is, “What can we do to minimize these new risks?” The first discussion concerns implementing a detailed, documented response plan for a breach of network security. This plan should involve everyone who touches cyber security, including the chief security officer, CFO, general counsel, IT director and insurance broker/carrier. We then discuss people, process, technology and insurance. Hiring a top-notch chief security officer, implementing rigorous processes around breach avoidance and response, and purchasing current network security solutions will reduce the bank’s risk of a successful attack. But there is no silver bullet that guarantees criminals will not find a way into your network, and, as with all risk management, the way to bound and transfer that residual slice of liability exposure is insurance. In the case of cyber exposure, the product is typically referred to as network security and privacy liability, or simply cyber liability.

What is Covered by a Cyber Liability Policy

Believe it or not, this is actually not an easy question to answer. Unlike many other insurance products which cover one exposure, the typical cyber liability policy is almost like a restaurant menu where an insured has a lot of options as to what modules they want included in their policy. At a summary level, a cyber policy can include some or all of the following coverage:

Third Party Coverage (i.e. a lawsuit by a customer or other third party). This coverage pays defense costs and the ultimate settlement or damages relating to:

  • Network Security: Covers customers bringing suit arising from a breach in network security.
  • Privacy Liability: Covers claims from clients that typically arise from a release of their personal information through a non-cyber breach (e.g. a dumpster dive, lost laptop or exposed customer list).
  • Media Liability: Responds when a party brings suit alleging online copyright infringement.
  • Regulatory: Provides coverage for governmental or regulatory claims arising from a data breach.

First Party Coverage. This coverage reimburses the insured’s own losses to make the company whole:

  • Crisis Management: Covers public relations services needed in response to a breach.
  • Breach Remediation: Covers costs for credit monitoring, forensics and restoration of data.
  • Notification Costs: Covers costs to notify all customers (as dictated by most state laws) of a breach. This continues to be the most frequent type of covered cyber claim. One carrier estimates an average notification cost of $30 per customer.
  • Cyber Extortion: Covers investigation costs and, depending on the policy, the extortion payment itself following a breach or a credible threat of a breach.
  • E-business Interruption: Covers the loss of income and extra expense resulting from a computer attack (after a waiting period).

Each of these components has a cost associated with them. Based on the coverage selected and the size of the bank (often measured in revenue and/or number of records managed), we see premiums range from $5,000 to $20,000 per $1 million of coverage. So, we recommend a level of due diligence between the broker and the bank to best determine the appropriate cyber coverage for that institution.

Cyber Attacks: The Three Most Important Steps a Board Can Take

Bank Director asked legal experts to address a question that is top-of-mind in bank boardrooms lately: cyber security. What really is the role of the board in overseeing this potential threat? Big banks are getting hit with denial-of-service attacks that are taking down their web sites for hours. Even smaller banks are getting reports of constant attempts to hijack their online security. It seems time to address that question. 

What are the three most important steps that banks should take to protect themselves from cyber attacks?

First, the board of directors must be well informed as to the risks of cyber attacks, the mitigating steps taken by the bank to address the risks, and very importantly, the results of any testing performed on the controls that the bank deployed. Second, the board must make sure that qualified management is in place with the appropriate level of competence, staffing and resources to address the ever-evolving risks of cyber attacks. Finally, the board should study all the enterprise’s insurance policies to make sure that there is in place insurance coverage and/or riders to protect the enterprise (this includes the holding company and all affiliates and subsidiaries) if it becomes the victim of a cyber attack.

—John Podvin, Haynes Boone LLP

In December 2012, the Office of the Comptroller of the Currency issued an alert about the recent cyber attacks. The OCC’s alert said that banks need to have a “heightened sense of awareness” about cyber attacks and take actions that include: Ensuring sufficient staffing for the duration of an attack; ensuring that the response effectively involves appropriate personnel across multiple lines of business and external partners; and, conducting due diligence on service providers to ensure that these providers have taken steps to identify and mitigate risks from attacks. The OCC also emphasized that banks should consider the recent attacks as a part of their ongoing risk management program, and should be prepared to provide timely and accurate communication to their customers. The OCC expects banks that are victims of attacks to report the information to law enforcement authorities, to notify their supervisory office, and file suspicious activity reports if appropriate.

—Don Lamson, Shearman & Sterling LLP

Banks should review current systems, physical facilities and processes for vulnerabilities, and adjust as needed. Some important changes might not be that difficult to implement. Consider hiring an outside specialist for this—someone who knows the latest threats and methods. Review the security practices of your vendors, and review vendor contracts to ensure appropriate representations and warranties (and indemnification) around security. Invest in regular training for employees, including what to look for and what to avoid. The bad guys are constantly changing their methods, and regular training helps address new threats and also keeps security top-of-mind. Bonus Answer: Maintain a top-down emphasis on security. Emphasis must come from the C-suite and not just from the technology department.

—Bobby Turnage, Venable LLP

The biggest threat to banks today is still the insider threat. Banks should be thoroughly checking the backgrounds of their employees before they are employed. Banks should continue to supervise and be alert to activities once employed. In parts of the world where background checking is not possible, banks should conduct extensive validation using personal local sources and social media sources. Access to systems should be carefully protected, taking into account the sensitivity of the systems and access should be provided only on a “need to know basis.” Data silos need to be broken down. Systems were originally designed to solve particular problems. Criminals have figured out that these silos prevent organizations from seeing the true picture of fraudulent activity. Big data tools are available in the market that can help organizations thwart potential problems without the massive data warehousing effort that was required just a few years ago.

—Vivian Maese, Dechert LLP

Earlier this year, the Australian Department of Defense, Intelligence and Security released a statement that 85 percent of targeted cyber intrusions that it responds to as an agency could be prevented if companies did the following: 1. Application whitelisting (or preapproving of mobile and traditional applications used by employees). 2. Operating system and application patching (ensuring that the software in use by your organization has the latest security fixes). 3. Administrative password management (minimizing the number of users in the organization with administrative privileges). However, in cyber security, we can’t simply note the technical fixes required. We also ask organizations to become security-aware and foster a meaningful cross-expertise dialogue between business units, legal, IT and security. The technical fixes will only get organizations so far and do not fully protect against social engineering, rogue employees, or customer/employee phishing. At Ballard Spahr LLP, we created a helpful checklist for organizations to improve the cyber security dialogue within their organizations. An effective cyber security program and dialogue will not protect against all cyber theft, but it will help put your organization in a better position to detect, respond and control costs once events occur.

—Amy S. Mushahwar, Ballard Spahr LLP
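The first control in the answer above, application whitelisting, comes down to a policy decision made every time something tries to execute: is this exact program approved, and if not, deny it. The script below is an added example and is not code from the original article, from Ballard Spahr or from the Australian agency cited; it models that decision for a phished workstation and shows why rules keyed on file content (a SHA-256 hash) hold up where rules keyed on file path do not. The binaries, paths and allowlist entries are constructed in memory for illustration; a real deployment relies on the operating system’s enforcement mechanism, which this logic mirrors.

```python
"""Default-deny application allowlisting, evaluated on content hashes.

Added example, not code from the original article. The executable contents,
paths and allowlist entries below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Approved executables keyed by content hash, plus optional path rules for comparison."""

    def __init__(self) -> None:
        self._by_hash: dict[str, str] = {}   # sha256 -> human label
        self._paths: set[str] = set()

    def approve_binary(self, label: str, content: bytes) -> None:
        self._by_hash[sha256_hex(content)] = label

    def approve_path(self, path: str) -> None:
        """Path rules trust a location rather than a file; kept to show why they are weaker."""
        self._paths.add(path)

    def check(self, path: str, content: bytes, *, allow_path_rules: bool = False) -> Decision:
        digest = sha256_hex(content)
        if digest in self._by_hash:
            return Decision(True, f"hash matches approved '{self._by_hash[digest]}'")
        if allow_path_rules and path in self._paths:
            return Decision(True, f"path rule for {path} (content not verified)")
        # Nothing matched: the program is unknown, so it does not run.
        return Decision(False, "not on the allowlist; default deny")


# Constructed stand-ins for executable contents (assumed, not real binaries).
PAYROLL_V1 = b"MZ...payroll-tool-v1"
PAYROLL_TROJANED = b"MZ...payroll-tool-v1+backdoor"
DROPPED_DOWNLOADER = b"MZ...invoice.pdf.exe"

PAYROLL_PATH = r"C:\Program Files\Bank\payroll.exe"
DOWNLOADS_PATH = r"C:\Users\teller\Downloads\invoice.pdf.exe"


def build_policy() -> Allowlist:
    policy = Allowlist()
    policy.approve_binary("payroll tool v1", PAYROLL_V1)
    policy.approve_path(PAYROLL_PATH)   # the weaker rule, present only for comparison
    return policy


def scenario() -> dict[str, Decision]:
    """Evaluate the situations a spear-phished workstation would produce."""
    policy = build_policy()
    return {
        "legitimate payroll tool": policy.check(PAYROLL_PATH, PAYROLL_V1),
        # Attacker overwrote the approved binary in place: same path, different bytes.
        "trojaned payroll, hash rule": policy.check(PAYROLL_PATH, PAYROLL_TROJANED),
        "trojaned payroll, path rule": policy.check(
            PAYROLL_PATH, PAYROLL_TROJANED, allow_path_rules=True),
        # Phished user double-clicked an "invoice" saved to the Downloads folder.
        "downloaded executable": policy.check(DOWNLOADS_PATH, DROPPED_DOWNLOADER),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:30} {verdict:5} {decision.reason}")
```

The cost of hash rules is operational rather than technical: every patch to an approved program changes its hash, so the allowlist has to be updated as part of the patching process the same answer lists as control number two, otherwise the two controls fight each other and users are pushed toward exemptions.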