By Mark Scholl
Financial institutions can expect even more regulatory guidance this year in response to the growing cybercrime threat. Thieves have gotten smarter, and technology has gotten more complex. We have evolved from worms, viruses, spyware, and botnets to more targeted cyber espionage involving advanced persistent threats, dynamic trojans, and stealth botnets. Attacks have become blended, combining physical, technical, and social engineering techniques. Many industry experts believe that even more sophisticated scams are still to come.
Cyber Risk Management and Oversight
The tone should be set from the top: building a security culture is a top-down effort. Your financial institution should develop a strategy at the board and executive levels for ongoing awareness and understanding of cybersecurity threats. The Federal Financial Institutions Examination Council (FFIEC) has sent a clear message that it expects senior management and the board of directors to treat cybersecurity as part of everyday business. Banking executives should be getting more directly involved with security and risk assessments. Consider making cybersecurity a standing topic for every IT committee and board meeting.
There should be timely reports to senior management that include meaningful information addressing your institution’s vulnerability to cyber risks and ability to mitigate those risks. The information should allow senior management to prioritize resource allocations and inform the board of directors.
Threat Intelligence and Collaboration
To understand and stay current on cybersecurity issues for your financial institution and industry sector, you should take advantage of resources for threat intelligence and collaboration. This may include subscribing to bulletins, alerts, and guidance from the FFIEC, the Department of Homeland Security, CERT, industry data breach reports, and other relevant sources.
A resource that many regulatory examiners expect financial institutions to use is the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is an industry forum for collaborating on critical security threats facing the financial services industry. It can be found at www.fsisac.com.
For combating cyber threats and developing effective risk mitigation tactics, financial institutions are recognizing the need for cooperation among their peers. Information sharing should not be seen as a competitive issue but as an essential strategy. Peer groups and relevant banking association conferences are a great way to network.
Your business strategy should be aligned with your cybersecurity strategy. Operational risk issues must be viewed in terms of their impact on the entire enterprise, not just IT. You should account for how risk will be managed now and in the future.
Your financial institution should continue to identify, measure, mitigate, and monitor risks. The risk assessment should adequately address all reasonable internal and external threats, and the controls in your policies and procedures should be driven by that assessment. Put stronger emphasis on monitoring so that attacks are detected early, while their impact can still be contained. Independent testing of these key controls can determine whether they actually mitigate the cybersecurity threats identified in the assessment.
External Dependency Management
Even if you outsource your IT operations, your financial institution is still responsible for protecting customer information. With increasing reliance on third parties, you need to perform proper due diligence when selecting service providers and ongoing monitoring of the providers you already use. Both the Federal Reserve Board of Governors and the Office of the Comptroller of the Currency released guidance in late 2013 on the risks of outsourcing and managing third-party relationships.
Incident Management and Resilience
Prepare your incident response program for potential cyber attacks. Then test it against a common scenario, such as a malware infection or a spear-phishing campaign, so that gaps surface in an exercise rather than in a real event.
Very few financial institutions have staff qualified to respond to sophisticated cybercrime. Acting in haste, you may inadvertently destroy evidence that could reveal the attacker's methodology or help identify the criminals. Make sure you have contact information and arrangements in place with certified, experienced professionals for fraud and forensics services before an incident occurs. Companies offering these services often guarantee response times to help investigate the attack or compromise, mitigate exposure, and limit reputational damage. Their job is to help you recover to normal operations.
In conclusion, cyber threats are not a fad but the new normal. Financial institutions will have to decide where to spend their dollars for stronger detection and monitoring of sophisticated malware. We must recognize that this is not an IT problem but an enterprise problem involving senior management and the board of directors.
Mark Scholl, CISA, CISSP, MCSE, CEH, is a partner at Wipfli LLP.