March 2015 - Cybersecurity has moved to the top of the agenda for financial institutions around the world, and chief among their concerns is guarding their systems against a data security breach. According to Verizon's 2014 Data Breach Investigations Report, web application attacks and unauthorized data transfer are the most widespread types of data loss. The report lists phishing through malicious email, the installation of crimeware, and the exploitation of stolen credentials as the most common attack methods leading to data loss.
The targets of these cybercrimes are often small- to medium-sized businesses because they have fewer resources to invest in protection and, as a result, typically have more vulnerabilities in their systems than larger institutions. Even so, a financial organization's size does not protect it from the exposure that comes with day-to-day business. System interconnectedness with vendors and service providers can create access points for hackers to breach an institution's IT infrastructure.
Robert Bennett, FHLBank Atlanta Chief Information Officer, says companies can be divided into two general categories: companies that are aware that their computer systems have been hacked, and companies that are unaware that their systems have been hacked. A frightening statistic in 2013: a computer breach took an average of 229 days to be discovered, according to Mandiant's annual "M-Trends" report. "The damage to a bank's IT infrastructure is not the biggest expense," Bennett explains. "It's the recovery afterward."
Accordingly, best practices for safeguarding an institution's IT systems focus on detection and not solely on prevention. "In today's environment, it may be unrealistic to expect that security tools can prevent all cyber incidents," says Joe Watkins, FHLBank Atlanta's Director of Technology Risk Management. "Maintaining strong proactive controls and detective controls are equally important." Industry guidance and frameworks such as the SANS Top 20 and the Federal Financial Institutions Examination Council (FFIEC) examination handbook provide a reference point for building key cybersecurity controls. Those controls include proactive, reactive, and governance frameworks.
The FFIEC recommends that a strong cybersecurity framework include processes to identify, prevent, detect, respond to, and recover from technology-based attacks. "Our security areas of focus include governance, operations, and evaluation," Watkins says. "Those include establishing good governance policies and risk management strategies, monitoring threat information, implementing preventative controls, identifying external dependencies, and establishing incident management procedures."
Cybersecurity: Security Areas of Focus
Governance (Program foundation, oversight, and reporting - ISO)
• Executive reporting
• Risk assessments, strategy, tactical plan
• Reporting/check processes (e.g., access controls)
• Metrics reports
Operations (Detect and respond to attacks)
• Monitoring/response to security alerts
• Vulnerability management
• System design/architecture reviews
• Incident response
Evaluation
• Third-party evaluations of security controls (penetration tests, vulnerability assessments, maturity assessments)
• SOX, PCI, Federal Exams, Internal Audit
• Numerous frameworks or approaches
As cyber threats continue to evolve and increase, financial institutions will have to invest more time and resources into anticipating, identifying, and responding to them. A comprehensive approach will help protect your organization from the operational, reputational, and financial risks that cyber threats can cause.
Tips for Shareholders
• Use industry guidance and frameworks as you think through the three security areas of focus.
• Build a cyber risk-aware culture within your organization so that employees understand that cybersecurity is an enterprise-wide business problem.
• Study breaches that have occurred inside and outside of the financial services industry for lessons about attackers' patterns, tactics, and how other companies and industries are handling attacks.
FFIEC Cybersecurity Assessment Questions to Consider
• What types of connections does my financial institution have?
• How are we managing these connections in light of the rapidly evolving threat and vulnerability landscape?
• Do we need all of our connections? Would reducing the types and frequency of connections improve our risk management?
• How do we evaluate evolving cyber threats and vulnerabilities in our risk assessment process for the technologies we use and the products and services we offer?
• How do our connections, products and services offered, and technologies used collectively affect our financial institution's overall inherent cybersecurity risk?
Join us at the Annual Member Conference to Learn More about Cybersecurity
FHLBank Atlanta's 2015 Annual Member Conference will feature an informative session on cybersecurity and crisis management best practices. Join us June 4-7 at Lake Oconee in Greensboro, GA.
Deloitte Center for Financial Services. "Transforming cyber security: New approaches for an evolving threat landscape." 2014.
Verizon. 2014 Data Breach Investigations Report.
"Three Top Cyber Security Risks for Banks." American Banker, September 23, 2013.
FFIEC. Cybersecurity Assessment General Observations. 2014.
Mandiant. M-Trends 2013: Attack the Security Gap.