At a recent banking conference, it became clear that the topic keeping CEOs and CFOs up at night is cybersecurity. Boards and their audit committees are also troubled about cybersecurity, with good reason. With all the breaches, from Target to Home Depot, banks have been significantly affected. Banks are taking a financial beating because the cards compromised in these breaches are bank-issued credit and debit cards, and some examiners believe hackers will increasingly target community banks because their controls are seemingly weaker than those of large banks.
According to a recent Wall Street Journal (WSJ) Risk and Compliance blog, a LexisNexis study noted that consumers are more willing to share personal information with banks. This consumer confidence puts banks at higher risk when retaining this data, especially if they don’t need it for business purposes — all the more reason banks must educate customers and ask them to play a role in protecting their own data.[1]
The WSJ blog also noted that a survey of financial industry executives performed by the Depository Trust & Clearing Corporation found a record 84 percent of respondents identified cyber risks as one of their top five concerns, with 33 percent ranking a cyber attack as the top systemic risk to the broader economy.
A bank’s most important “asset” is its reputation. But banks are also in the risk-taking business. Therefore, the bank’s board and senior management must determine their risk tolerance — the level of risk the bank is willing to accept. Once risk tolerance is decided, there are several ways to mitigate risk. Three key ways are to transfer risk outside the organization, limit risk within the organization, and avoid risk as an integral part of decision making.[2]
FFIEC Cybersecurity Pilot Program Intelligence
At the 2014 TBA Strategic Technology Conference in April, examiners advised banks to expect a cybersecurity risk assessment package from the FFIEC. These packages contain information and suggestions for preparing a cyber risk assessment. This risk assessment is the initial “gap analysis” for your bank to start developing a cybersecurity program.
In addition, on November 3, 2014, the Federal Financial Institutions Examination Council (FFIEC) released the “FFIEC Cybersecurity Assessment General Observations” and the “Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement.” These documents address findings from the 2014 cybersecurity assessment pilot examinations performed at approximately 500 community banks throughout the country in the spring of 2014. Through these documents, the FFIEC is providing more detail on its expectations and recommendations, as well as more resources to help banks implement a sound cybersecurity program. In addition, it is updating current guidance to align with changing cybersecurity risk. See the November 3, 2014, press release and documents at http://www.ffiec.gov/press/pr110314.htm.
Initial reports, based on an August 4, 2014, BankInfoSecurity News interview, indicated that examiners want a “show and tell.”[3] Therefore, banks need to demonstrate the specific details and procedures related to their plans, not just tell the examiner what they have in place.
Early feedback indicates a primary gap: banks do not fully understand the specific threats that face them. Key program indicators the examiners appear to be looking for include, but certainly are not limited to:
- The program is well documented.
- You can demonstrate that you have identified and put the right people in place.
- You can demonstrate that the program is specific and relevant to your organization.
- You can show why this is the right approach for your bank.
- You have identified and outlined third parties’ responsibilities during a cyber attack.
- You share information — i.e., internally and with other banks through various means, but specifically through the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC. By sharing information and threats with FS-ISAC, better threat intelligence can be maintained for all banks to use in their risk management programs.
In the future, banks can expect examiners to incorporate a new work program and assessment tool for cybersecurity to coincide with your regular IT exam. This new program and assessment tool also will be used at a number of the most critical third-party technology service providers.
In a recent FFIEC webinar, Doug Johnson, vice president of risk management policy for the American Bankers Association, said, “The overall message from bank examiners is that C-level executives and boards of directors must ensure that cybersecurity is part of everyday business processes.” And, Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, said C-level banking executives should be more directly involved with security and risk assessments.[4]
So, how do we do that? One suggested approach is outlined below.
Cybersecurity Risk Assessment — Where to Start
Risk assessment is the first phase in the risk management process. The basic tenets of risk assessment can be applied to the process of performing a cybersecurity risk assessment. Risk is generally assessed by identifying threats and vulnerabilities and then determining the likelihood of occurrence as well as the potential impact of an occurrence. In order for this process to be successful, it will require leadership and organization along with input and commitment throughout the organization to ensure all business components and information assets can be identified.
In order to assess risk, determine its impact, and determine the potential cost to manage the risk, the suggested initial steps of the process include:
1. Identify and Classify Information Assets
It is important to identify and classify sensitive, critical information assets that need to be managed. Information assets include various categories of data — both automated and nonautomated, including, but not limited to, data contained in records, files, and databases. The bank is responsible for protecting the confidentiality, integrity, and availability of information assets.
Generally speaking, information assets are critical systems, customer interfaces, automated tools and source code, proprietary systems, and confidential records. Classification is a designation given to the information asset based on sensitivity and criticality to the bank. This value is normally determined by the information owner.
2. Identify Threats
A threat can be a person, organization, or even an act of nature that could compromise information security. Threats can be malicious or accidental, and they range from intentional attacks and unintentional errors to natural disasters, hardware failures, and viruses, among other things. We must look at the nature of threats, their capabilities, and their resources to determine the likelihood of their occurrence. For this purpose, we assess risk and threats in terms of the probability of an attack or breach. Threat intelligence plays a key role in developing and maintaining your cybersecurity risk management program.
3. Identify Vulnerabilities
Vulnerabilities could be weaknesses in a network, a particular system (e.g., lack of segregation of duties within an application), inadequate physical security, etc. Weaknesses can potentially be exploited to gain access and affect system and/or data integrity. Vulnerabilities should be assessed based on the type of weakness and the information asset(s) that would be affected. Auditors often look for vulnerabilities associated with the confidentiality, integrity, and availability (CIA) of information.
4. Analyze Risk – Likelihood and Impact
There are inherent risks for any process. Information security has more inherent risks and, therefore, requires more controls. Information that banks manage is highly sought after by threat actors, hackers, and even unethical employees. There is also the potential for unintentional and accidental breaches of information. So, analyzing the risk to information assets based on the impact or criticality to the bank is key. Risk for a given asset generally can be determined using the following equation:

Risk = Likelihood of a threat occurring against the asset x Value of the asset
Based on this equation, the higher the likelihood of occurrence and the higher the value of the asset to the bank, the higher the risk level — and the cost of a successful breach.
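The four steps above, worked through as a small risk register in Python. This is an added example, not code from the article or the FFIEC; the assets, threats, 1-to-5 ratings and the tolerance threshold are constructed assumptions, and the register simply scores each finding as likelihood x asset value and splits the result at the board's risk tolerance into "accept" and "treat".

```python
# Added example (not from the article): a small risk register that walks steps 1-4
# and scores Risk = Likelihood x Value. Assets, threats, 1-5 ratings and the
# tolerance threshold below are constructed assumptions for illustration.
from dataclasses import dataclass
def rating(score: int) -> int:  # reject ratings outside the assumed 1-5 scale
    if score not in range(1, 6):
        raise ValueError(f"rating {score} is outside the 1-5 scale")
    return score

@dataclass(frozen=True)
class Asset:  # step 1: classified by the information owner on C, I and A
    name: str
    confidentiality: int
    integrity: int
    availability: int
    @property
    def value(self) -> int:  # classification follows the most critical dimension
        return max(rating(s) for s in (self.confidentiality, self.integrity, self.availability))

@dataclass(frozen=True)
class Threat:  # step 2: likelihood reflects the actor's capability and resources
    name: str
    likelihood: int

@dataclass(frozen=True)
class Finding:  # step 3: a vulnerability exposing one asset to one threat
    asset: Asset
    threat: Threat
    vulnerability: str
    @property
    def risk(self) -> int:  # step 4: Risk = Likelihood x Value
        return rating(self.threat.likelihood) * self.asset.value

def rank_register(findings, tolerance):  # highest risk first
    ordered = sorted(findings, key=lambda f: f.risk, reverse=True)
    return [(f.asset.name, f.threat.name, f.vulnerability, f.risk,
             "accept" if f.risk <= tolerance else "treat") for f in ordered]

CORE_DB = Asset("core banking database", 5, 5, 4)  # constructed sample register
WEB_BANK = Asset("internet banking portal", 4, 4, 5)
MARKETING = Asset("marketing web site", 1, 2, 2)
HACKER, INSIDER = Threat("external attacker", 4), Threat("unethical employee", 2)
HW_FAIL = Threat("hardware failure", 3)
REGISTER = [
    Finding(CORE_DB, HACKER, "unpatched database server"),
    Finding(CORE_DB, INSIDER, "no segregation of duties in application"),
    Finding(WEB_BANK, HACKER, "weak customer credentials"),
    Finding(MARKETING, HW_FAIL, "single server, untested backup"),
]
TOLERANCE = 8  # assumed board-approved risk tolerance; above it the finding must be treated
```

Calling `rank_register(REGISTER, TOLERANCE)` puts the two score-20 findings first and accepts only the marketing site (score 6), which is the ordering management would use to decide which risks to limit, transfer or avoid.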
Limiting Risk: Integrating a Cybersecurity Program
Cybersecurity touches almost all aspects of the bank. Once the bank has prepared the cybersecurity risk assessment, it must implement a cybersecurity program. To implement a cybersecurity program, banks will have to address the threats identified in the risk assessment by defining the mitigating factors affecting the processes and programs within the bank. Other critical areas a cybersecurity program ties to include the bank’s:
- Gramm-Leach-Bliley Act (GLBA) Information Security Program,
- Business Continuity and Disaster Recovery Plans,
- Incident Response and Crisis Management Plans, and
- Third-party Vendor Management Program.
Integrating a cybersecurity program means weaving it throughout these and other key areas of the bank. Specifically, it will be important to identify and document how the following will be addressed:
- Protecting data — Document your data protection program such as logging and monitoring probable attacks, quarantining systems, encrypting data in-transit and at rest, as well as managing third parties who affect the bank’s systems and data (noted as External Dependency Management in the November 3, 2014, FFIEC documentation).
- Backups and recovery — Minimize loss and downtime by incorporating recovery time objectives (RTOs) for backups and testing backups for fast and efficient recovery. In addition, incorporate tests for cybersecurity incident scenarios into your regular business continuity and disaster recovery testing.
- Upgrades and patches — Have a process to maintain systems with the most current upgrades and patches in a timely and consistent manner.
- Anti-virus and malware detection — Have a process to ensure the most current anti-virus and malware detection software are on both servers and employee workstations.
- Threat intelligence — Document how you will gather and deal with threat intelligence. Identify specific threats your bank is facing.
- Detection and incident response — Determine how your bank will identify and respond to breach attempts, threats, etc. (i.e., document the various threats and potential responses, who will be involved, what steps will be taken, and in what order).
- Continuous monitoring — Institute procedures to identify and alert key personnel when a possible attack or breach is indicated and provide a means for monitoring logs and reports in a timely, consistent manner.
- Periodic network assessments and social engineering — To ensure cybersecurity procedures are working, incorporate an independent third-party network vulnerability assessment, social engineering, and internal and external network penetration tests. Scanning is helpful, but a full penetration test should be performed at least every 6 to 12 months.
- Training and education — Annual employee security training is a requirement of GLBA, but customize training to address specific threats to your bank. Customer education is crucial, especially for commercial customers. Continue to develop training and provide information to customers often. Incorporate customer responsibilities for security and communicating possible breaches into internet banking, mobile banking, remote deposit capture, and other programs.
By no means is this an exhaustive list, but it is a set of crucial items to be considered and documented. In addition, identifying and communicating with all the players and documenting their responsibilities is key.
Transfer Risk — Cyber Liability and Insurance
Traditionally, we think of insurance as a means to transfer risk to a third party. Cybersecurity risk is somewhat different. We must partition the risk into pieces and treat each piece separately. Cyber insurance is one element of transferring risk. Other elements may include utilizing third-party vendors — as long as the bank performs adequate due diligence in selecting vendors, clearly outlines expectations and responsibilities of the vendor, and has a consistent and thorough vendor management program — and obtaining other insurance policies related to physical structures, equipment, and so on.
As for cyber liability insurance coverage, there are approximately 50 major insurance providers that provide some level of liability policy. But these policies vary widely from provider to provider, due, in part, to the lack of experienced underwriters.[5] Therefore, policies tend to be custom designed, and companies are not sure what their policy should cover. Often, there will still be coverage gaps, so coordination of coverage is important. In some cases where the cyber liability policy does not cover an area, professional liability insurance, which should include directors and officers (D&O) and errors and omissions (E&O), may address the risk. Finally, a fidelity bond, which protects the company against acts of individual employees, whether intentional or negligent, may cover certain aspects of a cyber incident.[6]
Currently, there are four main types of cyber liability coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability.[7] Regardless of type, the better your organization has implemented risk management processes and procedures, the lower the premiums should be. Insurance companies will need to see these processes and procedures in action, including the identified mitigation plans and third-party vendor management documentation.
Policies will include clauses that limit or waive coverage if certain controls and procedures are not in place and limit liability for breaches or losses caused by third parties. There will also be a large deductible. Consider the Target breach. Although Target had approximately $100 million in cyber liability coverage with a $10 million deductible, the estimated cost of the breach is $1 billion.
Risk Avoidance in a Cyber World
Some of us are natural risk takers; others avoid risk at all cost. Avoiding risk in business is important, but there must be balance. The discernment required for risk management is developed over time, which is why most organizations limit critical decision making to experienced management personnel. Even then, the most critical and potentially costly decisions are made by multiple parties. Regardless of how decision making is handled at your bank, risk management should become an integral part of making business decisions.
In the cyber world we live in, continuous vigilance, monitoring, and training are critical. Leading by example at the executive level and sharing how employees can help the bank avoid and limit risk will ingrain these concepts — for instance, maybe that means a reward system or adding to bonus criteria.
Finally, customer education and knowledge sharing, especially with high-risk commercial customers, is a must. Getting customer buy-in and encouraging them to use alerts and other banking tools will help to make them an extension of your risk avoidance model.
In the end, we cannot completely manage risk out of the business, or the business will be stifled. But, developing a cybersecurity risk assessment, implementing a cybersecurity program, and designing a risk avoidance model will help significantly to manage and mitigate the risk of cyber related incidents.
For more information on the cybersecurity assessment and other cyber-related issues, visit the FFIEC cybersecurity awareness page at www.ffiec.gov/cybersecurity.htm.