How Banks Can Increase Cybersecurity Risk Management


In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information that can subsequently be used to gain access to systems and data. Alternatively, employees open emails that unwittingly release customized and often quite sophisticated malware (the software hackers use to infiltrate IT systems).

Financial institutions are clearly not immune to such attacks, and the opportunities and attempts for unauthorized access have increased. Yet some security mechanisms, such as firewalls, are no longer enough on their own to protect an institution from modern threats. Although firewalls still thwart some cyberattacks, outdated banking processes and systems are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a thorough risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT, so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats across the bank’s entire environment, not just a few systems.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in their systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement preventive controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Therefore, detective controls are needed to monitor for and alert the organization to any malicious or unauthorized activity, including harmful activity by employees, whether intentional or not. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity.
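The "Identify weaknesses" and "Add controls" points above describe a detective control that fires when the preventive one (the per-card withdrawal limit) has failed: withdrawals whose daily total exceeds the cap, too many withdrawals in a short window, or withdrawals spread across several other banks’ ATM networks should raise an alert within minutes rather than hours. The Python below is an added example, not code from the article or from any bank; the thresholds (`DAILY_LIMIT`, `WINDOW`, `MAX_PER_WINDOW`, `MAX_NETWORKS`), the `Withdrawal` record and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    """One ATM cash withdrawal as seen by the card-issuing bank (assumed schema)."""
    ts: datetime
    card: str
    amount: float
    atm_bank: str  # bank that owns the ATM; "HOME" means the issuing bank's own ATM


# Constructed sample stream (not real data). Card C1 behaves normally;
# card C2 behaves as if its withdrawal limit had been removed.
SAMPLE = [
    Withdrawal(datetime(2015, 6, 1, 1, 0), "C1", 100.0, "HOME"),
    Withdrawal(datetime(2015, 6, 1, 9, 30), "C1", 200.0, "BANK-A"),
    Withdrawal(datetime(2015, 6, 1, 2, 0), "C2", 500.0, "BANK-A"),
    Withdrawal(datetime(2015, 6, 1, 2, 4), "C2", 500.0, "BANK-B"),
    Withdrawal(datetime(2015, 6, 1, 2, 9), "C2", 500.0, "BANK-B"),
    Withdrawal(datetime(2015, 6, 1, 2, 15), "C2", 500.0, "BANK-C"),
    Withdrawal(datetime(2015, 6, 1, 2, 20), "C2", 500.0, "BANK-A"),
]

# Assumed policy thresholds; a real bank would tune these per card product.
DAILY_LIMIT = 1000.0            # preventive cap that authorization should enforce
WINDOW = timedelta(minutes=30)  # sliding window for velocity checks
MAX_PER_WINDOW = 3              # more withdrawals than this in WINDOW is suspicious
MAX_NETWORKS = 2                # more distinct ATM owners than this in WINDOW is suspicious


def detect(events, daily_limit=DAILY_LIMIT, window=WINDOW,
           max_per_window=MAX_PER_WINDOW, max_networks=MAX_NETWORKS):
    """Run the three detective rules over a withdrawal stream.

    Returns alerts in the order they would fire. Each (card, rule) pair is
    reported once so a single runaway card does not flood the queue.
    """
    recent = defaultdict(deque)   # card -> withdrawals inside the sliding window
    daily = defaultdict(float)    # (card, date) -> running total for that day
    fired = set()                 # (card, rule) pairs already alerted
    alerts = []

    for e in sorted(events, key=lambda w: w.ts):
        q = recent[e.card]
        q.append(e)
        while q and e.ts - q[0].ts > window:   # expire old entries
            q.popleft()

        day_key = (e.card, e.ts.date())
        daily[day_key] += e.amount

        reasons = []
        if daily[day_key] > daily_limit:        # the preventive control failed
            reasons.append("daily_limit_exceeded")
        if len(q) > max_per_window:             # burst of withdrawals
            reasons.append("velocity")
        if len({w.atm_bank for w in q}) > max_networks:   # hopping between banks' ATMs
            reasons.append("multi_network")

        for rule in reasons:
            if (e.card, rule) not in fired:
                fired.add((e.card, rule))
                alerts.append({"card": e.card, "rule": rule, "ts": e.ts,
                               "atm_bank": e.atm_bank, "amount": e.amount})
    return alerts


def detection_lag(events, alerts):
    """Minutes from a card's first withdrawal to its first alert: the 'lead time'
    an attacker would have before anyone is notified."""
    first_seen = {}
    for e in sorted(events, key=lambda w: w.ts):
        first_seen.setdefault(e.card, e.ts)
    lag = {}
    for a in alerts:  # alerts are already in time order
        lag.setdefault(a["card"], (a["ts"] - first_seen[a["card"]]).total_seconds() / 60)
    return lag


if __name__ == "__main__":
    found = detect(SAMPLE)
    for a in found:
        print(f"{a['ts']:%H:%M} card={a['card']} rule={a['rule']} atm={a['atm_bank']}")
    print("minutes to first alert:", detection_lag(SAMPLE, found))
```

On the constructed stream the daily-limit rule fires on card C2 nine minutes after its first withdrawal, and the velocity and multi-network rules fire six minutes later; card C1 never trips a rule. The point is the shape of the control, not the particular thresholds: each rule is independent of the authorization system that enforces the cap, so it still works when that system has been tampered with, and the deduplication keeps a single compromised card from drowning out alerts for others.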

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.

Are You at Risk for a Trading Fraud?


You’ve probably read recently about trading-related frauds where individuals manipulated markets for their own gain. Several of these frauds were highly organized affairs, with traders using alternate channels to communicate with one another in order to manipulate individual trades and market conditions. The most recently settled foreign exchange action came to light once a reporter from a national business publication published the details of the collusion.

Most of the entities involved are relatively large organizations, with sophisticated governance and internal control programs. One has to ask, how could this occur, especially in this world where virtually anything done on a system can be tracked, stored, and retrieved? With hindsight, we can look at these frauds and glean some lessons by walking through the internal audit process at a high level. What can directors do to help make sure something like this does not happen at their organizations?

Risk Assessment
Are trading operations and similar functions scored high enough in the periodic risk assessment? By similar functions we mean any job function such as procurement or sales that has the following characteristics:

  • has a high level of discretion and is regularly in the market
  • has the de facto checkbook of the company
  • is under significant pressure to make revenue or save expenses
  • requires a specialized skill set to execute the role.

The lesson here is that these market roles, in many cases, have a risk profile higher than anticipated.

Audit Planning and Execution
Do you expect internal audit to master every function within your organization? Obviously, internal audit functions best when the auditors have knowledge of the business and the controls around that business. However, is it realistic to expect that internal audit can cover every risk with internal resources? Some prudent borrowing or “renting” of resources with specialized skill sets might be needed to adequately cover some types of risk.

Ongoing Monitoring
Virtually every organization in the U.S. with its own systems has some sort of user computing policy that describes the acceptable use of technology. Also prevalent is the use of monitoring tools to continuously track how employees are using systems. For some time now, organizations have been keenly aware of the damage that can be caused by employees going to inappropriate websites. Yet traders executed one of the well-publicized trading frauds during normal business hours, using “back channel” means such as chat rooms provided through third parties. Certainly, the technology to monitor usage has existed for some time; however, the connection between the usage and the risk was just not recognized.

Conclusion
Certainly, collusion is inherently difficult to detect or prevent. However, recent frauds highlight the fact that those with an organization’s checkbook can present a risk much greater than previously thought, and detecting or preventing similar frauds will require diligence throughout the risk management cycle.

Are Your Board Communications Secure in a Changing Regulatory Landscape?


As recently as March 2015, Hillary Clinton’s use of private email on multiple devices while serving as secretary of state hit the media. Clinton commented, “. . . I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.”

Every board member can fall prey to the Clinton communication example—take the necessary steps to educate your board.

We continue to live in a changing business environment with a backdrop of increasing regulatory pressures and a heightened focus on improving board oversight and communication. Current guidance and regulatory policies and practices are designed to force improvement in risk management and compliance. Along with that comes the responsibility of how we securely communicate and exchange confidential information at the board and committee level.

Technology and security are playing an important role in this change as leadership demands more mobility, flexibility and speed. Armed with multiple mobile devices and an “on-the-go” attitude, some stakeholders, who may not have grown up in the world of IT, are constantly exposing company information to risk.

Practices for managing board communication suggest we may not be keeping up with the requirements for security and compliance.

Take into account the following:

The Organization

  • Think about how many board members are still receiving board and committee information in their personal email accounts. Then layer in the number of changes and document versions that need to be communicated before the actual meeting. This information often is not encrypted.
  • Interactions between management and the board are continuous. Monthly, quarterly and annual meetings give the board and committee members an opportunity to review company performance, and provide a forum for governance. Information is still being printed, exposing huge amounts of confidential information as directors travel between meetings and between locations.
  • Confidential documents from regulators, investors and management are still disseminated insecurely as they flow from administrators to the board.

The Individual

  • Critical documents are still being stored and shared on a variety of personal devices – computers, tablets and phones.
  • Directors and committee members are still sending their packets to their personal emails so they can print the materials, thereby breaching security.

What do you do?
Security issues continue to be on the front page of the news. How do you prevent a perfect storm from happening where directors with personal communication devices are not handling confidential information in a proper format? Below are four practical steps to address this.

Education: Board members should be educated on a periodic basis as to what their roles and requirements are, from both a board and a bank perspective. If the company is publicly traded, Securities and Exchange Commission regulations should also be reviewed often.

Process: To help prevent damage from occurring, it is also important to set up a process whereby the directors receive the necessary information in a secure fashion. There should be sufficient documentation of the process for onboarding and monitoring board members. Appropriate personnel, including risk-management and IT personnel, should have input.

Review: The risk department should conduct a review and test the entire process to ensure the loop is secure. This should include management, committee members and the entire board.

Evaluate: Evaluate the risk factors affecting the current process. How does it impact the organization overall?

As technology continues to evolve at breakneck speed, the race is on for leaders to move fast enough to deliver a secure environment. It is clear that not enough attention is being focused on the process that is necessary to foster this environment. Board members will need to think ahead before they communicate, and leaders will need to make sure director communications are secure. And there is no magic formula for creating this—it is an ongoing, “live” process that you will need to keep reviewing. While the process needs to constantly be monitored and refreshed, it also must reflect new behaviors and new preferences: look to the success of the Apple Watch. 

This real-time process will aim to keep you secure at all times. And that may end up in your favor as regulators may soon turn their focus to communication within the board room.