Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.
As we look back on 2015, it is easy to see the heightened stakes in data breach response.
The U.S. government’s Office of Personnel Management was hacked, with as many as 22 million Americans’ personal data stolen. This includes fingerprints and background checks. One hacker tapped into the director of the CIA’s personal emails and breached a portal that law enforcement, including the FBI, uses to share intelligence and book those arrested.
It’s not just government agencies that fall victim to attacks. Any company that collects sensitive data can become a target for hackers and nation-state actors.
The risks are getting higher for those whose data is breached, too. Javelin Research predicts that by 2018, some eight million people will experience a credit card breach and identity fraud within the same year. There is no doubt that criminals have become more sophisticated and better able to parlay one successful hack into another. Cyber criminals have crafted more elaborate “social engineering” methods—tricking people into compromising corporate security. Phishing schemes still deceive about one in four people, according to the Verizon 2015 Data Breach Investigations report.
This only reiterates that idea that a cyber attack is likely for almost every organization. There are steps that a smart company can take now to help mitigate the damage should a breach occur. Preparing for a cyber attack must become as ingrained in the company culture as a tornado evacuation plan or a fire drill.
One of the key steps to prepare for an effective breach response is to build a data breach response team, which has created—and practiced—a response plan. Make sure that contact numbers for team members—including those for non-work hours and mobile phones—are readily available. A customer support and communication plan should be built into any response and should cover how customers and regulatory agencies will be notified and when, as well as what protections will be offered to those affected.
Proper preparation is only one piece of the puzzle, however. In the event of an actual breach, there are critical steps to take to ensure your organization is able to successfully launch your customer-facing response:
Immediately assemble the breach response team. Your team should include internal experts as well as third-party partners such as communications and legal experts. A partner experienced in the customer-facing aspects—including responding to the surge in customer demand, answering identity theft-related questions, and providing identity protection services—should be part of the team.
Review and update the plan. A plan that has been carefully honed in advance is certainly an advantage. But it may not have anticipated some of the nuances of the particular data breach your organization is facing. So, one of the first action steps for the crisis response team is to look at the documented plan and make any changes needed. If there is one guiding principle in any plan, it should be to keep the response focused on your customers.
Launch the initial response. This includes informing customers, and in some cases, regulatory agencies, about what has happened and how you plan to minimize any damage that results from the event. One significant misstep to avoid: Don’t provide public information that may need to be corrected at some point. Instead, only release the information that is known and confirmed at the time. There is nothing that will breed a lack of confidence more than a constantly shifting explanation of what happened.
As for the customers, this is a good time to let them know exactly how you intend to protect them. Understand, though, that they may be hesitant to provide their information to a third-party service—especially if this data was not compromised in the breach. And they will be suspicious of anything that smacks of an attempt to upsell them. To combat these challenges, lead with the promise that you will repair any harm that comes to them as a result of the incident.
In 2014, there were nearly 80,000 security incidents, according to the Verizon Data Breach Investigations Report. And business news web site ZDNet reported that one billion personal records were illegally accessed in those breaches.
The time for asking “if” a data breach will occur has passed. It’s time to prepare as if one is inevitable.
“The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.”
Target corporation had 40 million credit card numbers exposed and eventually settled with Visa for $67 million. In 2014, we saw bigger companies in the headlines such as Home Depot and Sony fall victim to the same fate.
Target’s breach came through an HVAC vendor that had access to the retailer’s internal network. That means the bad guys only had to figure out how to sneak by the HVAC company’s security, not Target’s. This was a perfect example of how more robust vendor management practices could have prevented unauthorized access.
Think about all the people who need access to your building, systems, network, hardware, telephone lines, lighting, security, and so forth. How diligent are those other businesses about security?
If it’s time to ask your vendors for their annual SOC reports, reports that deal with organizational controls related to security and process integrity, insurance documents and financials, and you’re just checking boxes to satisfy an audit requirement, then you are doing it wrong.
Follow these seven steps to reinvent and strengthen your vendor management process.
Step 1: Obtain Executive Sponsorship Vendor management should start at the top. You will need someone leading the charge and who has access to your bank’s board leaders.
Step 2: Create a Vendor Management Committee These people should be from different departments and have different backgrounds, such as IT, legal, compliance, finance and senior leadership. Diversity here is crucial; everyone sees threat differently.
Step 3: Create a Centralized Vendor Management program No single person can possibly be responsible for the entire program. It’s imperative that it becomes a collaborative effort.
Step 4: Gain Buy-In Involving the staff creates a sense of ownership. It’s no longer just IT’s problem; it’s everyone’s responsibility.
Step 5: Create a Vendor Inventory Make sure you know who your vendors are. Do you have multiple vendors doing the same function? Work with accounts payable to determine active vendors. The normal time span is 12 to 24 months.
Step 6: Categorize All Vendors Does this vendor have access to customer data? Do they have facilities access? What is our risk if this vendor is compromised? This is where you identify critical and high-risk vendors.
Step 7: Remove the Silo Save the documents to a shared resource. Everyone involved should have access.
How Would These Steps Prevent the Target Scenario? Step six says to categorize all vendors and identify the risk. The HVAC vendor seems like it would be a low risk vendor, but when you dive into the level of access it had, you would quickly discover the HVAC should be a high risk vendor. The HVAC vendor was allowed access to the internal network which gave the hackers a way in. Although the HVAC didn’t have access to the customer data, they did have the keys to open the door.
Another day, another data breach. Breaches have become so commonplace that most companies now realize it is a question of “when,” not “if.”
To successfully execute a response, every company must create a plan of action to guide the company through the crisis. But it’s important to remember that any plan will be executed by people—and regardless of who they are, those people bring human factors into an already stressful situation.
Research shows the impact that stress can have on an employee’s performance. One British study found that those experiencing short-term stress use decision-making techniques similar to small children. In other words, they may “react to problems they don’t quite understand with an emotional (snap) response, rather than a considered logical solution.”
Executing a successful breach response amid the chaos requires close attention to people and their stress, fatigue and other emotions.
Even the most seasoned executives may crack under pressure. Remember the BP executive who made an unscripted remark, wishing he could have his life back during the height of the BP oil disaster? Perhaps more than any recent example, that slip of the tongue showcases the peril in making one high-stakes decision after another for multiple days.
Building the right crisis response team and incorporating safeguards that protect against human failings can prevent that kind of PR disaster and enable efficient and effective execution of the incident response plan.
Plan for Emotional Reactions A few emotions likely will affect every member of the team at some point during the response. The first of these emotions is often denial, refusing to believe that this can happen to your institution. Moving the crisis team beyond this feeling quickly is key.
The team also may experience tunnel vision, an inability to consider outside viewpoints. Research shows that decision-making under stress causes people to focus on the positive and potentially ignore any downsides of decisions they make. This lopsided decision-making can bring about devastating consequences. That same research notes the difference in how men and women respond. Men are likely to take bigger risks when under stress, while women become more conservative.
All of these are important factors to weigh as you begin to build a team. But personalities aside, there are ways to blunt the impact of these emotions on executing a successful response.
Tips to Minimize Mistakes First, build the team and discuss strategies for how you will respond. How will you keep a customer-centric response at the forefront?
Then, practice by creating scenarios that mimic an actual data breach. This will give the crisis team an opportunity to practice decision-making when the stakes aren’t so high.
The simulations also may point out where the team could use outside assistance. For example, your call center is used to dealing with specific customer requests and is not trained to handle calls about a data breach and identity theft. That’s where a customer response and notification provider proves invaluable. Other outside experts to consider include crisis communications, forensics and privacy counsel.
These outside experts should have plenty of experience in dealing with crises or data breaches. Look for partners, particularly in high-visibility areas like customer response, who have the expertise and capacity to handle the increased customer demand that a data breach announcement generates—a key bit of experience that your team likely does not have.
It is important to design response plans that play to the strengths of your internal crisis team, then fill gaps with outside experts and begin to simulate actions you’ll take when—not if—a data breach occurs.
Any crisis response plan that merely sits in a file cabinet won’t prove nearly as effective as one that is honed and practiced by the very people charged with executing it. While no breach is an easy event, your team can manage the human factor through practice.
We discovered last month that cyber risk was the thing most directors worried about when we informally polled members of our bank services program. This month, we decided to poll experts on what banks could do to improve crisis planning. Not surprisingly, cyber risk planning came up often as an area that could use some improvement. Several of the people polled think banks could benefit from role playing exercises that would walk employees and the board through possible scenarios. The Federal Deposit Insurance Corp. has a few videos that help banks imagine some scenarios. Although planning documents are widely recommended, one consultant says they are pretty useless in a real emergency. Below are their responses.
How Could Banks Improve Crisis Planning?
Crisis planning is getting more attention these days because we are constantly reminded of events that could not only impact our business, but have significant impact on our reputations. One data breach and we stand to lose faith in our ability to safeguard our clients’ money. While planning is expected, bankers could really get value from practice in two areas: 1) tabletop exercises and 2) media training. Tabletop exercises are role playing crisis scenarios whereby bank management gets on a conference call and develops responses, assigns roles, identifies tasks and develops timelines. Banks would benefit from doing this on a quarterly basis. Media training allows bank executives to learn how to look and respond appropriately to a tense situation only after they learn how to answer questions and the ground rules for working with the media. Turn on a video camera and see how well your team does. Crisis planning is better if treated as an ongoing discipline.
—Scott Mills is president of the William Mills Agency, a public relations and marketing firm specializing in financial services
Testing, testing and more testing! Banks typically have multiple plans that can be triggered in the event of a significant cyber-related “crisis,” including, for example, a business continuity plan, incident response plan and crisis communication plan. Multiple groups within a bank likely have responsibility for these plans. And, the plans may not be aligned from a response standpoint with respect to significant cyber events. In the event of such a crisis, it is critical for a bank to be able to respond in a uniform and effective way at the enterprise level. Bringing a bank’s various teams together to test or tabletop a significant cyber event can shed light on how the bank’s various plans (and teams) will work together. This will also provide a valuable opportunity for refinement and alignment of the bank’s related response plans.
—Nathan Taylor is an attorney and cybersecurity expert at Morrison Foerster LLP
Business continuity and disaster recovery considerations are an important component of a bank’s business model. In addition to preparing for natural disasters and other physical threats, continuity also means preserving access to customer data and the integrity and security of that data in the face of cyberattacks. For this reason, the FDIC encourages banks to practice responses to cyber risk as part of their regular disaster planning and business-continuity exercises. They can use the FDIC’s cyber challenge program, which is available on the FDIC website. Cyber challenge was designed to encourage community bank directors to discuss operational risk issues and the potential impact of information technology disruptions.
—Rae-Ann Miller is associate director of the FDIC’s Division of Risk Management Supervision
Banks can improve planning by developing a crisis plan ahead of a data breach or cybersecurity issue. These action plans should include:
Determining data to be protected along with the protection level required.
Classifying incidents or scenarios into categories.
Understanding threats the bank may face, starting with known threats, then creating on-going monitoring for emerging threats.
Determining the stakeholders and defining the incident response team.
Setting up a command center and appointing a command center leader.
Developing an incident plan, including a containment and investigation strategy.
Executing a communication plan to customers, media and agencies.
Testing and training end users in the application of the incident response plan.
Conducting a “lessons learned” session and updating [Incident Response Plan] procedures.
—Jeff Sacks is a principal in Risk Consulting for Crowe Horwath LLP, specializing in technology risk
Though banks understand the risk of cyberattacks, many are unprepared to act quickly and effectively to mitigate damage when faced with a serious cyber breach. To improve crisis planning, banks should consider conducting simulated cybersecurity exercises involving key personnel. Moving quickly following a cyber breach is critical to limiting unauthorized access to sensitive data and the resulting harm. Such exercises demonstrate why an effective cybersecurity program is more than an “tech issue,” and requires coordinated institutional mobilization across business segments, with oversight from senior management. Most banks will eventually find themselves in a hacker’s crosshairs no matter how advanced their defenses, and a coordinated, rapid response will not only limit short-term data loss and legal exposure, but will also help preserve a bank’s reputation and customer relationships.
—Neil MacBride is a partner at Davis Polk & Wardwell
Planning activities generate lots of documents, which are fascinating to auditors but useless in an emergency. You don’t have to give planning reports to your response team. Your phone is a perfect emergency communications console. Social media, including Twitter, YouTube and even Facebook, are indispensable as communications tools. You can monitor events as they unfold or push messages out to staff and public. Cyber is the new disaster. Compare today’s threat assessment with one from 2010. Notice that blizzards and hurricanes have dropped out of the top ten, replaced by data breaches and identity theft.
—Steve Carroll is a director with Cornerstone Advisors, a consulting firm specializing in bank management, strategy and technology advisory services
The unthinkable has happened: Data security measures have failed and sensitive customer information was taken. The next steps your company takes to respond are crucial. A poorly executed response to a data breach event can further anger customers, increase regulatory scrutiny, generate a media storm and have a lasting impact on customer loyalty.
AllClear ID has been working with companies to effectively prepare for and respond to data breaches for over a decade. During that time, there has been a noticeable shift in consumer expectations after a breach. Today, consumers expect—if not demand—a well orchestrated response. And they expect it to begin soon after the breach is made public. Data breaches are constantly evolving: Already in 2015, financial institutions account for about 9 percent of all data breaches, according to the Identity Theft Resource Center. That compares to about 3.7 percent in 2013. Whether that figure will hold up throughout the year remains to be seen.
The demands placed on businesses to get a breach response right are more intense than ever, as is the scrutiny when a response is perceived as mismanaged.
Because of the high pressure to get it right, a customer-centric approach to preparation is paramount. If you fail your customers, one in four may leave, according to a study from Javelin Research & Strategy. So financial institutions cannot rest upon past great customer service and relationships with clients in the event of a data breach.
When a breach is discovered, what to do? Companies that keep the focus on customers before, during and after a data breach fare far better than those that do not.
Minimize Brand Damage: With customers at the forefront of any response, it is likely that both the institution and your brand will survive long-term. Granted, that doesn’t mean an institution won’t encounter a few negative headlines from the outset. But if the response is bungled, the damage will be far greater. Unhappy customers may speak out on social media. Some may leave. And the breach could tarnish your image for years to come and ultimately can affect your bottom line.
Plan in Advance: To successfully manage a breach with a customer focus, companies must first have a plan in place. The plan should incorporate elements of crisis and or incident management such as likely breach scenarios, key decision makers, and key partners who will assist in the response. This will help diminish delays and costly mistakes during the response, and facilitate a return to normal business operations more quickly. Now that we have witnessed multiple destructive cyberattacks against U.S. companies, it’s clear that having an incident response plan in place is no longer optional. A recent blog post discussed the need for preparation in advance of a breach.
Questions to consider when preparing for a breach response operation:
When and how will customers be notified?
How will we answer customer questions?
Do we have the customer service capacity to manage the calls we receive from angered or fearful customers? Will we be able to train them to address customers’ concerns and alleviate their fear?
What identity protection will we offer?
How will we make things right if a customer is negatively harmed?
Quality Customer Support During a Breach: As breaches increase in scale and complexity—and 2014 was a watershed year for that as well—consumers have seen a lot of breaches, but still may react in anger or fear. Their first stop for information is the hotline and webpage you publish. Clear, consistent communication and messaging is key in restoring customer confidence. Scripts and Q&As must be available to trained, expert call center partners immediately. Responsible and knowledgeable front-line employees can do much to diffuse the situation and lessen customer anxiety.
And make it easy for your customers to have access to the most important protection – identity repair. The 2015 Javelin Strategy & Research Identity Fraud Study found the link between data breaches and identity fraud has increased. In 2014, 12.7 million consumers lost $16 billion to fraud—and two-thirds of them had received a data breach notification within the same year.
As McKinsey & Company says, “Much of the damage results from an inadequate response to a breach rather than the breach itself.”
Put yourself in the customers’ shoes: They have trusted you with their most valuable information – their identity. Whether you keep their trust depends, in part, on how they rate your performance in the face of a crisis.
Every week there is a new headline regarding the latest data breach or newly discovered vulnerability in widely deployed software. Below, we’ve compiled a list of five threats we think will see increased importance in the upcoming year.
Zero Day Attacks The past year has brought unprecedented levels of mainstream media attention to a number of zero day vulnerabilities including Heartbleed, Shellshock, and Poodle. A zero day vulnerability is a flaw in software, hardware or firmware that is exploited as soon as or before it becomes generally known to the public. These vulnerabilities have taken advantage of long standing but previously undiscovered programming bugs in widely deployed software platforms. Due to the discovery and subsequent exploitation of these vulnerabilities, cyber criminals and nefarious nation state actors have begun to take a much closer look at these previously ignored code bases. The common theme with many of these newly discovered and highly popularized vulnerabilities is that they don’t necessarily target Windows-based systems as many other successful attacks in the past have. Instead, they were discovered on software libraries that are present on a large number of networked devices, which are often overlooked when developing a security model.
Social Engineering We will continue to see more sophisticated attacks on the most vulnerable part of a financial institution’s network, their employees and customers. With multiple layers of protection from IPS devices and firewalls on the perimeter of most networks, attackers rarely attempt to directly attack properly secured networks directly (with the exception of the previously mentioned zero day vulnerabilities). Instead, they focus their efforts on compromising one or more workstations on the bank’s internal network or the customer’s workstations. From here the path to compromising confidential information is simpler and obtaining even standard user credentials can allow an attacker to run further attacks and escalate their privileges to that of an administrator on the network.
Continued proliferation of social media in the banking environment has greatly increased the amount of information an attacker can gather remotely on individuals within the bank. This information can then be used in creating spear phishing attacks targeted at individual employees who appear to be coming from a co-worker within the bank, but in reality, contains a link to a malicious website or include a malicious attachment disguised as something as innocuous as a spreadsheet. These same spear phishing attacks can be directed towards the bank’s customers, often appearing to come from the bank itself. With the increase in advanced phishing techniques, solid employee and customer training in how to spot a potentially fraudulent message as well as steps that can be taken to verify the authenticity of a message will be important tools this year.
Credit/Debit Card Theft Banks and their customers were affected by a multitude of breaches at retailers this past year. Retailers seemed to be compromised on a nearly weekly basis, including Home Depot, Jimmy John’s Gourmet Sandwiches, P.F. Chang’s, Michaels, and many more. In October 2014, Special Agent Jason Truppi of the FBI told USA Today that in the previous 12 months, over 500 million financial records had been stolen, thanks in large part to the breaches listed above.
Cyber Extortion Cryptolocker was a fairly widespread piece of ransomware that made headlines in 2014 and impacted financial institutions and their customers. Instead of covertly infecting a system and attempting to steal confidential information as most malware does, ransomware instead takes the opposite approach, encrypting files and displaying a very visible message on a system demanding payment for decryption. This type of attack has proven to be successful for criminals, with the creator of Cryptolocker receiving over $3 million in ransom payments for encrypted data.
Attacks on Mobile Devices With mobile platforms continuing to become more popular for activities such as mobile banking, it’s no surprise that attackers have started focusing more efforts on developing malware that targets mobile platforms. Mobile users often don’t use the same level of caution when downloading applications and accepting windows that pop up that they would when on a personal computer, leading to an environment that is easy for an attacker to take advantage of. This coupled with the relative lack of antivirus solutions available for mobile devices has led to a 112 percent increase in mobile malware samples detected in the past year by McAfee.