Banks and other financial institutions are prime targets for attackers because a compromised account exposes financial and personal information that leads to additional sources of funds. For the same amount of effort, a corporate account gives an attacker access to far more data than a personal one. Criminals work hard to stay a step ahead of the security teams trying to protect those accounts.
Attackers study the interconnection of mobile devices and other systems for ways to plant malware and capture information. IT teams are studying the same interconnectivity to see how security tools can be integrated across banks and other industries.
No system is as secure as banks would like it to be, which makes it difficult for a bank considering cyber insurance to know how much coverage would be sufficient in the event of a breach.
Any way you approach it, protecting against cyberattacks is an expensive proposition.
Banks and other financial institutions stand to lose more than funds and data. Other potential costs include damage to brand reputation and penalties for failing to comply with security regulations.
Several different things make corporate banking accounts difficult to protect. Corporations usually have multiple people listed on their accounts who need to be able to deposit, transfer and withdraw funds. Having different employees accessing the account on a regular basis, either in person or remotely, opens up opportunities for fraud. Transactions also tend to be larger on corporate accounts than on personal accounts, so there is more to lose.
Senior executives and directors don’t always understand the information that their tech departments provide about how they are protecting the bank’s various computer systems, so they have no way of assessing whether the security programs are effective. A 2017 report by MediaPro surveyed 809 employees working in the financial services industry and classified 80 percent of those surveyed as “risks” or “novices” relative to cybersecurity. Lack of awareness among financial services employees increases the risk of work practices that could lead to a security breach.
Cybersecurity expert Ariel Evans cautions managers at financial institutions to be wary of IT departments that take a “bottom-up approach” to cybersecurity: reporting only the implementation status of each control, stopping at the system level, and never connecting those controls to the vulnerabilities and business processes they are meant to protect. When a security program fails to tie business processes to the data assets and systems that support them, its effectiveness is never actually measured. A bank may run the most sophisticated, mature security tooling available and still be unable to show that it is working.
Evans recommends a top-down approach that ties the business impact of the assets and processes to cyber risk. This approach measures the risk posed to the assets and prioritizes remediation efforts. This information is also helpful to insurance providers since it provides them with more accurate information to offer cyber-risk insurance policies that cover adequate amounts in the event of a breach. (To learn more about why cybersecurity should be a concern for your organization, read this white paper written in conjunction with the NYSE to improve your cybersecurity practices.)
Cyber risk insurance is one way financial institutions can protect their customers. Many experts question whether banks are considering the full cost of what they would risk in a cyberattack. Directors need to assess carefully whether they carry enough cyber risk insurance; that discussion will inevitably weigh the premium against the amount of protection it provides, given how much could be lost in a breach.
Data about the effectiveness of the bank’s cybersecurity controls is instrumental in obtaining large liability limits at a premium the bank can afford.
Directors have a huge task in front of them as they make decisions about cybersecurity. They need to have assurance from the IT department that the security tools they use are mature and effective. They also need to understand all the layers of security, including making sure that they’ve taken steps to make employees aware of their responsibilities in keeping accounts secure. Finally, directors need to understand what their cyber risk insurance policies cover, as well as any limits, conditions and exclusions that apply.
For many bank chief executive officers and their boards, it could be one of their worst nightmares: Hackers have penetrated their bank’s computer systems and possibly made off with highly sensitive customer information, and a series of decisions will have to be made very quickly under a great deal of pressure. What remedial action should be taken, and by whom? Who else should be involved as the bank responds to the situation? And what should the bank tell its customers and its regulators?
The author J.R.R. Tolkien once mused in his popular novel “The Hobbit” that “It does not do to leave a live dragon out of your calculations if you live near him.” The metaphorical dragon that bankers need to include in their calculations is a global army of hackers—some representing nation states, some just crooks and some a combination of the two—that has emerged as one of the greatest threats facing the banking industry today. As even the smallest, most conservative banks in the country continue to adopt an increasing array of digital strategies, the industry’s cyber risk exposure has increased accordingly. And that’s why when the cyber dragon attacks, bankers need a remediation plan that they can activate quickly.
It doesn’t have to be an enormously complex plan—and in fact, the simpler the better. Jena Valdetero, a partner at the law firm Bryan Cave who has extensive experience working with companies, including banks, that have been the target of cyber attacks, says she has seen 35-page incident response plans that became an encumbrance when responders had to move quickly. “We always say that it’s better to have a three- to five-page incident response plan that hits the highlights and that your team can easily learn, remember, absorb and train on than to have a much larger plan,” she says.
Dave McKnight, a senior manager who leads consulting firm Crowe Horwath’s incident management services, says that he follows the National Institute of Standards and Technology’s Computer Security Incident Handling Guide (SP 800-61 Rev. 2), issued in 2012. “Basically, what this says is, the lifecycle of an incident response program should be preparation, detection and analysis, containment, recovery and then a post-incident review,” McKnight says.
How a bank responds to an incident often depends on its size. Large banks will probably rely on an in-house cybersecurity team, possibly augmented by resources from an outside consulting team that it has on retainer. Most smaller banks that lack the necessary funding to support an in-house response team will rely more on outside firms to handle any incidents that occur. Typically, the response team would operate from what McKnight calls a “playbook,” which is essentially a set of reference materials that would lay out the steps that the response team should take depending on what kind of incident has occurred—ransomware versus denial of service, for example—guiding the team through the various stages including containment, removal and recovery.
“Then there should be some type of look-back activity on how that was handled,” says McKnight. “Was there an opportunity for improvement in either our documentation or our skill set? How do we enrich the rest of our process so that next time around, we do it better, faster and more inclusively?”
If the bank does expect to rely on outside consultants to assist in the remediation effort, McKnight says it’s important to have those arrangements made well in advance, in part because the bank can’t necessarily count on having immediate access to those firms when an incident occurs. “Without a retainer, you don’t have a guarantee that someone is going to be available because these aren’t scheduled events,” he says of an attempted or successful hack. But merely having an outside firm on retainer isn’t enough, adds McKnight. The outside firm also needs to be thoroughly familiar with the bank’s operations, networks and cybersecurity defenses before an incident occurs. “I want [them] to understand what our plan and program and capabilities are,” he says. “That way [they’re] addressing my problems… [they’re] doing so swiftly and accurately and you’re not asking for stuff that you should know I don’t have. You’re asking for things I do have as soon as you need them.”
For banks that have a chief information security officer (CISO), this individual would typically quarterback the remediation effort, or, in the absence of a CISO, that role might be assigned to the chief information officer. But in a situation where a hacker has gained access to a bank’s computer systems, the remediation effort entails more than simply kicking them out, assessing the damage (including any loss of data) and putting a recovery plan in place. There often are stakeholders and customers to inform, as well, and possible impacts on the bank’s business. This means that the incident response team should include a wide range of executives throughout the organization.
In addition to the data personnel, members of the remediation team would typically include the bank’s chief executive officer and possibly the chief operating and chief financial officers, as well as members of the public relations team since it will most likely be necessary to communicate with the media in the event of a serious incident. “It really depends on how your organization is set up, but you want key stakeholders in the room—people with senior-level decision-making ability,” Valdetero says.
The board of directors typically does not have a hands-on role in the remediation effort, although the non-executive chairman (or lead director if the CEO also serves as board chairman) should be kept apprised of the remediation efforts as they unfold. Serious data breaches that involve the loss of funds or significant amounts of customer data can pose both a financial and reputational risk to the bank, which is of primary concern to the board of directors.
“I think the role [of the board] is typically overseeing from a high level the management team and making sure they are responding adequately,” Valdetero says. This would include making sure the investigation is being conducted in a thorough manner, that the team has adequate resources and the bank is complying with all applicable laws.
Another important member of the team is the bank’s general counsel if it has one, or outside counsel if it doesn’t. This is critically important if the incident involves the loss of customer information. Valdetero says it’s desirable that banks conduct their investigation under the protection of attorney-client privilege, and a lawyer will provide that protection. “I approach these types of breaches… from my background as a litigator, and as a litigator you’re always thinking worst case scenario,” she explains. “If we are sued down the road as a result of this breach… what do you want to be able to protect from disclosure, if at all possible?” Valdetero adds that while underlying factual information cannot be protected from disclosure, “you can protect legal advice and specific communications that took place for the purpose of getting legal advice, and you need legal advice in these situations because there is a myriad of laws that might be implicated by a breach.”
The bank’s remediation team may also want to reach out to law enforcement agencies such as the Federal Bureau of Investigation or Secret Service in the event of a serious data breach. Phyllis Schneck, managing director and global leader of cyber solutions at Promontory Financial Group, advises banks to establish a relationship with these agencies in advance so a communication link already exists when an incident occurs. “Typically, you want your law enforcement relationships [established] ahead of time,” Schneck says. “You want to know who to call by first name, and they’ll do that for you. You do not want to be calling 1-800-law enforcement when your hair is on fire.”
Banks are required to inform their primary federal regulator when “the institution becomes aware of an incident involving unauthorized access or use of sensitive customer information…,” according to interagency guidance on data security issues. The guidance defines sensitive customer information as a customer’s name, address or telephone number, account number, credit or debit card number, or a personal identification number or password that would permit access to a customer’s account.
Banks also have a legal obligation under the guidance to inform their customers when a serious data breach has occurred. “Financial institutions have an affirmative duty to protect their customer’s data against unauthorized access or use,” the guidance states. “Notifying customers of a security incident involving the unauthorized access or use of the customer’s information… is a key part of that duty.”
What should customers be told and when should they be told it? “In my opinion, you should tell them exactly what’s going on and if you’ve run a good cybersecurity program that will be a good message,” Schneck says. “Everybody understands that these events will happen and that we can’t prevent them 100 percent. If you have a good program, you’ll be able to bounce back.” However, in the event of a serious data breach, the bank may find itself trying to balance the need to communicate to customers quickly that an incident has occurred that could negatively impact them, with the need to communicate the correct information.
When Target Corp. was hit with a massive data breach in December 2013, it originally estimated that approximately 40 million customers had been affected. But as Target dug deeper into the breach, it was forced to announce later that approximately 70 million customers had been impacted, which suggested that the company was not in full control of the situation. Says Valdetero, “We usually advise clients, if they’re going to make public-facing statements, that generally you should not commit to a specific number of affected individuals.”
Booz Allen Hamilton, a consulting firm serving federal, nonprofit and commercial clients, recently had this report on the top ten financial services cybersecurity trends for 2012:
The exponential growth of mobile devices drives an exponential growth in security risks. Every new smart phone, tablet or other mobile device opens another window for a cyber attack, as each creates another vulnerable access point to networks.
Increased C-suite targeting. Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and the junior staff members who have access to them.
Growing use of social media will contribute to personal cyber threats. A profile or comment on a social media platform—even by the CEO’s son or sister—can help hackers build an information portfolio that could be used for a future attack.
Your company is already infected, and you’ll have to learn to live with it—under control. Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection—the focus of cybersecurity tactics increasingly must be to analyze, detect and expunge threats inside your system.
Everything physical can be digital. The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital form and mined for the information that enables a hacktivist-style intrusion, and this will increasingly be a problem.
More firms will use cloud computing. The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing.
Global systemic risk will include cyber risk. As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets.
Zero-day malware (malicious software) and organized attacks will continue to increase. Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt quickly as well to zero-day malware and the tactics of organized crime and foreign adversaries that are increasingly used today.
Insider threats are real. The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat (APT) and other attacks. Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access.
Increased regulatory scrutiny. Recently, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result in, cyber theft or a risk of compromised data considered material.