The proposed Federal Cybersecurity framework broadly addresses five cybersecurity categories:
- Cyber Risk Governance – A cyber strategy must identify cyber risk, address mitigation strategies, establish reporting structures for cyber incidents, and provide a means of testing the effectiveness of the cyber strategy.
- Cyber Risk Management – requires institutions to adopt “three lines of defense”:
  - business units that assess risk and report incidents;
  - an independent risk management function that would identify, measure and monitor the effectiveness of cyber risk controls and report exceptions to senior management; and
  - an independent audit function to assess whether the cyber risk management framework complies with applicable laws and regulations and is appropriate for the financial institution.
- Internal Dependency Management – maintain a current and complete list of all internal assets and business functions, including a mapping of the connections and information flows between those assets and functions.
- External Dependency Management – maintain complete lists of all external dependencies, analyze the risks associated with external relationships, and identify and test alternative solutions in the event an external partner is compromised or otherwise fails to perform as expected.
- Incident Response, Cyber Resilience, and Situational Awareness – an effective plan for responding to, and quickly recovering from, disruptions caused by cyber incidents, including incidents targeting external service providers. The rules would require the institution to provide backup storage for critical records; establish contingency plans for when it is unable to perform a service due to a cyber incident; test for cyber events; and identify and gather intelligence on potential threats (Global, USA, 2017).
For now, guidance for financial institutions at the federal level on what is expected of a cybersecurity framework remains scattered. The National Institute of Standards and Technology (NIST) is also in the process of developing a “Framework for Improving Critical Infrastructure Cybersecurity.” The Cybersecurity Enhancement Act of 2014 (CEA) updated the role of NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. The Framework was initially established under Executive Order 13636 in February 2013 and continues to evolve under the CEA. The Framework Core Functions are currently outlined as: Identify the risks, Protect with appropriate safeguards, Detect the occurrence of a cybersecurity event, Respond to a detected cybersecurity event, and Recover with a plan for resilience. The last revision to the Framework plan was on December 5, 2017 (National Institute of Standard & Technology, 2017).
The United States is trailing behind its European counterpart in the arena of cybersecurity. On April 27, 2016, the European Union adopted the General Data Protection Regulation (GDPR), which will be effective May 25, 2018. The regulation is intended to strengthen and unify data protection for all individuals within the EU and will affect all enterprises doing business in the European Union, even if they aren’t headquartered in the EU. Cybersecurity is an issue that transcends borders and politics. Data protection is a time-sensitive matter that should be at the forefront of every nation’s list of growing concerns.
Social engineering is still the biggest threat to data security. The best way a financial institution can protect itself is to stay educated and current on all the scams and hacking techniques that are out there. Social engineering is the act of tricking people into divulging confidential information (such as passwords or ID numbers) or taking actions (such as clicking on an attachment to an email that contains malicious code) that gives the attacker access to computer systems that include valuable personal data. There are dozens of known social engineering tactics both in-person and online. Criminals work on the premise that all employees have some access or corporate knowledge, and they seek to exploit an employee’s trusting nature.
In person, a social engineer tries to “blend in,” “lurk,” or simply “impersonate.” With the proper fake credentials, people are easily duped. Impersonators usually play one of the following roles: a fellow employee (especially a new employee seeking help), someone from another office in the company, a vendor, or someone in authority (e.g., building “management” or “security”). Online and telephone social engineering tactics include fake phone calls and messages, phishing emails and fake texts (SMiShing) that seek to deceive or scare users into divulging personal data or credentials, or into clicking on links that deliver malware that will compromise the security of the computer or electronic device. Common scams include a forgery of the standard notification received when a Google Doc or Dropbox document is shared, and a message appearing to come from a bank or favorite payment app telling you that your account has been frozen and to “click here.” People are still being duped by these schemes, and evidence suggests that more and more are falling for the scams every year. According to Verizon’s 2016 Data Breach Investigations Report, 30% of phishing messages were opened, and 12% of recipients went on to click the malicious attachment or link; both figures were worse than the previous year. There are always the passive or low-tech scams to worry about as well, including dumpster diving and shoulder surfing (USA, 2017). Ultimately, ignorance is not bliss, and education is the key to cutting down on the data breaches that stem from social engineering tactics.
The best way financial institutions can mitigate their risks is to listen and learn from the past missteps of their peers. Banks should consider the Equifax breach a loud wake-up call. The Equifax hack took place between mid-May and July of 2017, and the breach was discovered on July 29, 2017. Where Equifax failed, and managed to make matters even worse, was in the manner in which the company responded to the discovery. Company executives waited six weeks before letting the public know about the breach, and in that time three Equifax executives sold off a combined $1.8 million in company stock days after learning of the breach. Equifax is offering free credit monitoring for a year, but given the magnitude of the breach and its long-term impact, a year isn’t enough. Disturbingly, this was the third time Equifax had been hacked in 2017. This breach was massive, but the two previous breaches within a year should have told Equifax executives they had vulnerabilities they needed to patch (Editorial, 2017). The 2013 Target breach settled at a cost of $140 million to financial institutions, consumers, and government bodies. Target reports it has incurred costs of over $292 million from the data breach, partially offset by insurance recoveries of $90 million (Cybersecurity Bits and Bytes, 2017).
These are hardly unique events. As depicted here, there have been numerous major and recent data breaches. In case you forgot, here are some others, just to name a few breaches that have occurred since 2013:
- 2014: Neiman Marcus: 1.1 million credit cards exposed
- 2014: J.P. Morgan Chase: 76 million household accounts exposed
- 2015: SWIFT international bank network heist resulted in millions of dollars being stolen
- 2015: US Office of Personnel Management: 22.1 million individuals’ Social Security numbers and other sensitive information exposed (~7 percent of the U.S. population)
- 2016: Yahoo!: 1 billion accounts compromised since 2013
- 2016: Uber: 50+ million users’ and drivers’ account information exposed. Uber attempted to cover this up until it confirmed the hacks in 2017.
Long story short, the costs of data breaches can be immense, the hits are both financial and reputational, and they are not restricted to specific industries.
Not only should we take breaches seriously and react swiftly and efficiently, but we should also stay “in the know” regarding the evolving industry-specific cybersecurity guidelines, frameworks and specifications. We should closely follow regulatory activity related to cybersecurity and privacy topics specific to our industry. Obviously there is a lot of noise and chatter in the mainstream news, and tracking relevant agency activity can be cumbersome. No organization can yet say with certainty that it has completely safeguarded itself from cyber threats. We are all learning from one another and implementing defensive safeguards as we go. As with most things, staying informed is critical. Keeping track of cybersecurity- and privacy-related updates from regulatory agencies and standardization bodies, and keeping an eye on industry activities and trends at a global level, is an important first step.
Compliance.ai allows financial services organizations to focus on consequential regulatory content relevant to their business. Try a free 30-day trial to see how Compliance.ai can help you monitor regulatory activity related to cybersecurity and privacy topics. Sign-up only takes a few seconds and you’ll get immediate access to the full product.
Sign up now or check out a product demo video.