ViewPoint: Spotlight: Banking and Emerging Cybersecurity Risks


Cybersecurity risks have been elevated for financial institutions since the September 2012 denial of service attacks. Those attacks were an unprecedented, coordinated, large-scale assault on the financial services industry: an extremely high volume of web traffic was directed at the largest U.S. banks in an attempt to bring down bank websites. Although the disruption to operations was minimal, the size and scale of the attacks served as a reminder that banks must be diligent in building a cybersecurity framework that enhances the firm's ability to manage risks and adapt quickly to emerging security threats. The following cybersecurity threats should be monitored closely, especially over the next year, as risks in these areas continue to emerge: vendor risks, malware, data leakage, and further distributed denial of service, or DDoS, attacks.

Vendor risks
Financial institutions have continued to enhance their risk-management practices over the last 10 years. Regulatory standards such as the Basel Accords and the Dodd-Frank Act have increased the maturity of risk-management practices at financial institutions, enabling firms to proactively identify, monitor, and manage emerging threats. Unfortunately, many vendors and service providers have not faced the same pressures to enhance their risk-management practices, and their programs are often at a lower level of maturity. This poses an increased risk as financial institutions continue to rely on these vendors to provide critical services. Financial institutions must understand the risks associated with outsourcing an activity. If firms do not manage these risks effectively, their service providers can expose them to risk that can result in regulatory action, financial loss, litigation, and loss of reputation.

Financial institutions also need to be aware of vendor risks beyond technology service providers. Firms must manage cybersecurity risks across all vendor relationships, including those that provide other operational services. As the data breach at the retail chain Target demonstrated, it is not only the high-risk or technology service providers that pose a risk to the institution. Firms must ensure that any vendor that has connectivity to their network is monitored and controlled. Financial institutions must also stay aware of changes to the risk environment. Prior to the mortgage crisis, most financial institutions considered mortgage-servicing vendors low risk. As the crisis grew, these vendors posed significant operational, legal, and reputational risks to the banks they serviced. Financial institutions need to be able to react quickly to a changing risk landscape, as low-risk banking services can become unexpectedly high risk overnight.

Malware
Malware is any malicious software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. Fraudsters have used malware to directly control clients' computers as well as to manipulate browser interactions through online channels. The Zeus Trojan, although a few years old, is a good example of this software, and derivatives of this type of Trojan horse continue to emerge. Most financial institutions have mature practices in place to manage and mitigate malware risks within their own networks. The challenge lies in managing these risks at the firms' commercial and retail customers, which are outside the scope of their control environment. More products and services continue to be offered through online channels such as internet and mobile banking, remote deposit capture, and treasury management applications. Moving more operations and services outside of the controlled environment and onto the customer's systems elevates the risk of malware, as customers are often a weak link in security. Firms should ensure that they have controls in place to combat this threat and should be able to identify suspicious activity.

Data leakage
Internal threats continue to be one of the greatest weaknesses in managing cybersecurity threats. Whether malicious or unintentional, trusted employees can be a weak link in any security program. What makes data leakage so difficult to manage is that employees must be given access in order to perform their duties. There are very few automated controls to prevent an employee from leaving a confidential printout on a bus or to stop a malicious call-center employee from sneaking in a pen and paper pad to write down customer account information. Social engineering of employees is also a challenge when those employees are encouraged to be helpful and provide a high level of customer service. Instances like these are where firms must create an effective security awareness training program that reminds employees to be diligent in protecting sensitive data. There have been advancements in data loss prevention tools that prevent employees from emailing sensitive account data or transferring data to storage devices. Firms are encouraged to explore these controls to determine whether they would be effective in their environment.

Distributed denial of service attacks
During the DDoS attacks of 2012 and 2013, firms reacted quickly to identify mitigation strategies for these types of attacks. Most financial institutions engaged third-party vendors to scrub and filter their internet traffic, which allowed firms to continue their operations and serve customers with legitimate traffic while blocking the hostile activity. Although firms have emerged from these events with minimal disruption, the risk remains that such attacks can be used as a diversion so that other vulnerabilities can be exploited. Financial institutions must not let down their guard during these events and must continue to maintain their security safeguards. Financial institutions must also ensure that their critical vendors have processes in place to mitigate these events, since a DDoS event at a critical vendor could be equally disruptive to operations.

Managing emerging cybersecurity threats
So what can firms do to help manage cybersecurity threats? This question is an especially challenging one, as new threat vectors emerge every day, often in unexpected areas. Financial institutions should work to develop a prudent cybersecurity risk management framework that can adapt to any threat that emerges. A good start in developing such a framework comes from the National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity. This framework provides a guide for firms to create a flexible and cost-effective process for managing cybersecurity risks that can be tailored to the business needs of the organization. This framework was developed through collaboration between government and the private sector and is based on industry best practices.

The cybersecurity framework is a risk-based approach made up of three parts: the framework core, the framework implementation tiers, and the framework profile. The framework core organizes the cybersecurity activities at their highest level.

The framework core consists of five functions: identify, protect, detect, respond, and recover. These functions are then divided into categories and subcategories tied to particular activities such as asset management, governance, access control, and information protection processes.

The second section of the framework is the implementation tiers. The implementation tiers are a self-assessment of how the organization views cybersecurity risk and of the processes currently in place to manage those risks. This self-assessment measures the maturity of the firm's cybersecurity risk management program and rates its implementation of the framework core on four tiers: partial, risk informed, repeatable, and adaptable.

The third section of the framework is the framework profile. The profile is the alignment of the functions and categories identified in the framework core with the business requirements, risk tolerances, and resources of the organization.

Firms looking to create a cybersecurity risk management program or enhance their current framework should consider the elements of the NIST framework and adopt any of these elements that make sense for their organization.

Regulatory guidance
The Federal Financial Institutions Examination Council (FFIEC) is also taking steps to combat cybersecurity threats. In 2013, the FFIEC formed the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and to build on the existing efforts of other interagency and private sector groups. Further regulatory guidance is expected to emerge from this FFIEC working group.