Getting past the sound and fury of cybersecurity
FINANCIAL INSTITUTIONS INSIGHTS
This article is based on a panel discussion that included representatives from RSM US LLP as well as the Federal Bureau of Investigation, the Federal Reserve Bank of Chicago and the Office of the Comptroller of the Currency.
No organization is immune to cyberattacks, especially in the United States. According to Statista.com, in the second quarter of 2017 more than two million web application attacks were directed at websites in the United States, a figure well ahead of that of any other country. In the NetDiligence® 2016 Cyber Claims Study, the median loss incurred from data breaches and other kinds of cyber events was $60,000; the financial services sector experienced the highest average breach costs, at $1.8 million.
With banking and financial institutions serving as prime targets for hackers, it is important to look beyond the statistics and learn who these hackers are, what institutions can do to prevent an attack and how to proceed if there is an unauthorized data breach.
Who is behind the cyberattacks?
The bad actors in data breaches fall into a few distinct groups, none of which can be easily dismissed:
- Hacktivists: Whether they are driven by a cause or the need to impress their peers, they attempt—and often succeed—to breach systems because they have the time and access to resources to test an institution’s system vulnerabilities.
- Criminal enterprises: Like any legitimate business venture, organized crime wants to make money and will use an institution’s data to do so. Whether through social engineering, spoofed email or other means, these groups will go after personally identifiable information, bank account numbers and other sensitive data in order to sell it.
- Industrial spies: Corporations looking to improve their own processes without dedicating the time and expense to do so on their own may try to obtain pricing information, intellectual property, management efficiencies, best practices and other resources in order to gain a competitive edge.
- Nation states: Although computer network intrusions often cannot be directly attributed to foreign entities, many threats originate from overseas as under-resourced governments may look to obtain information or technology or to be economically or politically disruptive.
- Internal threats: Up to 70 percent of identity thefts begin with an internal employee. The number of company personnel who have access to this information can determine the level of risk.
Some of these groups—such as nation states—may be less of a threat to community banks, but they are a risk nevertheless. The attackers are looking for targets of opportunity and will exploit vulnerabilities where they find them. That is why financial institutions need to have a comprehensive strategy to protect their systems, detect when a breach takes place and then make corrections in order to limit the scope of unauthorized activity.
Develop a security strategy
Financial institutions must manage new expectations for protecting critical data amid a quickly evolving threat environment. There is no one-size-fits-all approach to applying security controls. Implementing the right strategy, however, can make a financial institution more difficult for hackers to exploit and limit potential damage.
To be effective, incident response planning needs to be mature and fully defined, not developed ad hoc and on the fly. Elements of effective cybersecurity and data breach preparedness include:
- Governance: Formal policies and controls are critical for a successful security program. Institutions should have effective change management procedures in place, as well as user access reviews, patching programs, and thorough, consistent and documented security policies.
- Management: Implementing a full-time information security officer is essential to developing and monitoring policies.
- Education: The most common and effective form of cyberattack is through social engineering—that is, through contacting personnel and duping them into disclosing confidential information. An ongoing training program is necessary to help employees, senior management and boards understand these sorts of threats and to communicate proper procedures.
- Testing: Vulnerability testing can show where your systems are most at risk and where patching may be necessary, while penetration testing can demonstrate how far an external party can get into your network before being stopped.
Work with regulators and law enforcement
It is not uncommon to read stories about corporations notifying law enforcement and regulatory officials of system breaches months after the incident has taken place. While the reason for the delay is not always clear—on average, it takes eight months to realize a breach has taken place—officials recommend that institutions develop relationships with regulators and law enforcement before an incident occurs. Knowing the specific person to contact when an unauthorized breach is discovered is part of a robust security strategy and will go a long way toward getting the support needed. If notified within 72 hours of an unauthorized wire transfer, for example, the FBI can terminate transactions above $75,000. Management should be prepared to provide forensic information that can quantify the institution’s exposure. Law enforcement can tell you whether your issue is common or unique, and that knowledge can drive your remediation strategy.
Banks may be able to outsource some areas of cybersecurity, but management will still need to play a role. Managing the security of information systems can seem daunting, particularly for smaller institutions with limited resources. While banks can take advantage of scalable, cloud-based solutions, understanding the institution’s specific business needs and the appropriate level of security is required—and this demands a certain level of internal management. To determine a financial institution’s risk and readiness, a cybersecurity assessment tool provided by the Federal Financial Institutions Examination Council (FFIEC) can help.
Outsourcing is particularly attractive to many financial institutions because it is a flexible solution. However, due diligence is important when selecting an outsourcing solution and provider. The FFIEC guidelines note that the use of third parties does not diminish the responsibility of bank boards and management to ensure that these key functions are conducted in a safe and compliant manner. Banks should be cautious when choosing vendors and understand what the vendor is protecting—and how effective that protection can be.
Cyberattacks have become an everyday part of life. But cybersecurity is risk management, and implementing an effective control environment can reduce the likelihood of a breach, enhance incident detection and response, and accelerate recovery efforts to limit damage. Implementing preventative measures can help secure data and processes, and ultimately support sustained success and profitability.