Banks Told To Beef Up Cyber Security via FDIC
Due to the increase in the number and sophistication of cyber threats, cyber security has become a critical issue facing the financial services sector. This article discusses the cyber threat landscape and how financial institutions’ information security programs can be enhanced to address evolving cyber security risks. The article concludes with a discussion of actions taken by the federal banking agencies in response to the increase in cyber threats.
A Framework for Cyber Security
During the past decade, cyber security has become one of the most critical challenges facing the financial services sector due to the frequency and increasing sophistication of cyber attacks. In response, financial institutions and their service providers are continually challenged to assess and strengthen information security programs and refocus efforts and resources to address cyber security risks.
This article describes the evolving cyber threat landscape and the U.S. government’s response to enhance the security and resilience of the nation’s critical infrastructure sectors. The article discusses how components of financial institutions’ information security programs, including corporate governance, security awareness training, and patch-management programs, should be enhanced to address cybersecurity risks, and concludes with an overview of actions taken by the federal banking agencies to respond to cyber threats.
The Evolving Threat Landscape
Historically, a bank’s primary security concern centered on protecting physical data assets such as posted ledger cards, promissory notes, and critical documents in the vault as well as securing the perimeter of the bank premises. In today’s banking environment, business functions and technologies are increasingly interconnected, requiring financial institutions to secure a greater number of access points. Innovation has resulted in greater use of automated core processing, document imaging, distributed computing, automated teller machines, networking technologies, electronic payments, online banking, mobile banking, and other emerging technologies. At the same time, physical data assets have been automated and a bank’s sensitive customer information stored on computers has become as valuable as currency: a different kind of asset that needs safeguarding.
Cyber criminals use a variety of tactics. Some more common attack strategies in recent years include malicious software deployment, distributed denial-of-service (DDoS) attacks, and compound attacks.
Malicious software, commonly referred to as “malware,” is a broad class of software generally used to gain access to or to damage a computer or system. Malware may infect a computer from a variety of access points. Perpetrators often include malware as an attachment to an email, or it is delivered from websites referenced in emails. The perpetrator tricks the email recipient into reading the email and opening the attachment or clicking on the link by crafting the email to look as though it came from a trusted source.
These emails that deliver the malware are often referred to as “phishing” emails as they are fishing for victims. A “spear phishing” email campaign is a subset of phishing in which the email content is tailored to the interests of a smaller group or a single recipient. Phishing and spear phishing campaigns mislead targets into providing sensitive information such as user names, passwords, credit card details, or personal sensitive information, such as date of birth and Social Security number, that can be used to commit identity theft against the individual or gain access to bank systems for theft, disruption, or destruction.
Examples of malware include ransomware and wiper programs. “Ransomware” generally restricts all access to a computer and demands a ransom be paid for access to be restored. “Wiper” programs destroy data from the infected computer’s hard drive and, in some cases, may be used to cover the attacker’s tracks.
A DDoS attack attempts to make a machine or network connected to the Internet unavailable to its intended users by overloading it with excessive Internet traffic. Given the nature of these attacks, DDoS attacks cannot be prevented, but they can be successfully mitigated. The ability to effectively manage a DDoS attack comes from the target’s ability to control and recover from the attack, possibly by redirecting Internet traffic to a different server or engaging a DDoS mitigation service.
Another attack strategy is the use of “compound attacks,” in which more than one method of attack is deployed simultaneously. For example, criminals have used DDoS attacks to distract a target organization while perpetrating another form of attack. Or a phishing email may contain an attachment or link that, if clicked by the target, downloads a seemingly harmless file that contains hidden malicious software with delayed execution commands.
As the banking industry necessarily innovates to take advantage of new technologies and delivery channels, it needs to be alert to any related new avenues of cyber attacks. Banks can help mitigate these attacks by developing an effective cyber security awareness campaign for employees and customers, a comprehensive patching program, and a strong detection program. A sound risk-management program and corresponding controls will help mitigate the threat of cyber attacks.
A Critical Infrastructure Perspective
On February 12, 2013, the President issued Executive Order 13636, “Improving Critical Infrastructure Cyber Security,” which established that “[i]t is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” The Executive Order directed the National Institute of Standards and Technology (NIST) to develop a risk-based cyber security framework to serve as a set of voluntary consensus standards and industry best practices to help organizations manage cyber security risks. NIST [1] defines cyber security as “the process of protecting information by preventing, detecting, and responding to attacks.”
The NIST Framework for Improving Critical Infrastructure Cybersecurity [2] was created through collaboration between industry and government and consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The first version of the cyber security framework was released on February 12, 2014, and consisted of five core areas: Identify, Protect, Detect, Respond, and Recover.
The cyber security definition and the components in the framework are similar to the concepts found in Appendix B to Part 364 of the FDIC’s Rules and Regulations. Appendix B was established as a result of the enactment of the Gramm-Leach-Bliley Act in 1999 and required each financial institution to develop an information security program. Use of the cyber security framework is not intended to replace a bank’s traditional information security program, but rather modify the program to address emerging cyber risks. A bank’s information security program should evolve as the operating environment and the threat landscape change. An effective information security program is not static and should be regularly evaluated and updated.
Bank management must incorporate cyber security into the bank’s overall risk-management framework; design and implement appropriate mitigating controls; update respective policies and procedures and, ultimately, validate the intended control structure through an audit program. When designing a cyber risk control structure, four components of traditional information security programs are critical: Corporate Governance, Threat Intelligence, Security Awareness Training, and Patch-Management Programs.
Corporate Governance of Cyber Security
An institution’s executive management and Board of Directors (board) play a key role in overseeing programs to protect data and technology assets and establishing a corporate culture consistent with the bank’s risk tolerance. A bank should evaluate and manage cyber risk as it does any other business risk. It is not simply