It is no secret that cyberattacks are increasing dramatically. Morphisec Technologies, a global cybersecurity firm, released its 2019 Consumer Financial Cybersecurity Threat Index in June 2019. The report states that financial institutions worldwide are targeted 300 times more often than other business sectors, which works out to about 2,000 attacks a day.
Verizon's 2019 Data Breach Investigations Report indicates that in the U.S. alone, financial institutions are a top target; only public sector agencies and the entertainment industry now experience more attacks. LexisNexis' 2018 Cybercrime Report confirms that the financial services industry is bearing the brunt of cybercrime. In North America, attacks on the sector increased by 48% from 2017 to 2018, and by 116% when mobile transactions are taken into account. This trend is growing as more customers adopt mobile banking.
Government response to the growing threat
The U.S. government is taking action, albeit belatedly, to combat this growing threat. On May 22, 2019, the Federal Reserve Board announced that it will proceed in the fall of 2019 with previously proposed upgrades to cyber risk management standards. The upgrades were originally outlined in 2016 in a joint Advance Notice of Proposed Rulemaking (ANPR) by the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the FDIC: "As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences."
The OCC and FDIC declined to proceed with the proposed regulations in 2017 and left the Fed to act alone.
The final shape of these regulations is unclear, but the ANPR indicates that financial institutions with $50 billion or more in total assets will be affected. These firms will likely be required to have protocols in place that allow them to resume operations within two hours of a cyberattack, and to develop strategies to stop an intrusion from spreading to interconnected institutions. Finally, boards of directors and senior management will likely be required to take a direct role in cybersecurity oversight and incident response.
The Fed is considering a two-tiered approach with more stringent “sector-critical standards” for firms that are vital to the financial sector, or firms that consistently handle at least five percent of the value of transactions in critical markets. Critical markets are defined as those handling federal funds, foreign exchange, commercial paper, U.S. government and agency securities or corporate debt and equity securities.
Five-point plan for enhanced standards
The 2016 joint ANPR addresses five categories of cyber standards:
- cyber risk governance,
- cyber risk management,
- internal dependency management,
- external dependency management, and
- incident response, cyber resilience, and situational awareness.
Category 1: Cyber risk governance
The boards of directors of affected financial institutions will be required to take an active hand in developing a cybersecurity strategy for the institution, in responding promptly to security breaches, and in continuously monitoring cybersecurity threat levels. The boards will be expected to require senior management to create and enforce appropriate policies to prevent and manage breaches. This may be a response to the 2017 Equifax breach, which, according to Fortune, lasted 76 days and spiraled out of control largely because of the negligence of senior officials.
Category 2: Cyber risk management
Institutions will be required to adopt a "three lines of defense" cybersecurity risk management model, a system of checks and balances with three distinct roles. First, each of a financial firm's business units is responsible for continually assessing the risk in its own operations. Second, an independent officer or team reporting to the board of directors and senior management, the "independent risk manager," assesses and monitors risk across the whole institution. Third, internal audit regularly reviews the effectiveness of the first two lines.
Category 3: Internal dependency management
Under the proposal, covered financial institutions must conduct an internal infrastructure assessment to ensure that all business assets are prepared to deal with cyber risks. Everything from workforce training to computer hardware must be periodically reviewed and updated to match the current threat level. Legacy technology and improperly trained employees are typical entry points for attackers. This category will perhaps require the most work and vigilance from financial institutions, because an institution cannot protect assets it does not know it has. A key aspect, says the ANPR, "is having current and complete awareness of all internal assets and business functions that support a firm's cyber risk management strategy. The agencies are considering a requirement that covered entities keep an inventory of all enterprise-wide business assets prioritized according to the criticality of the assets to the functions they support, the institution's mission and the financial sector in which it is located. Thus, covered entities would be required to maintain a current, complete listing of all internal assets and business functions, including mappings to other assets and other business functions, information flows, and interconnections."
Category 4: External dependency management
This category makes financial institutions responsible for the security of their relationships with third-party vendors, customers, and suppliers. Attackers often target small vendors that work with larger institutions, taking advantage of their smaller budgets and weaker security. Once a vendor is compromised, its trusted network connections, credentials, and software become a path into the larger partner institution. Even customers can become a weak point if they neglect to properly secure their accounts. Institutions must therefore develop strategies that require external partners to meet a defined set of security standards for the entire life of the relationship, not only at onboarding.
Category 5: Incident response, cyber resilience, and situational awareness
This category ties together the other four and primarily requires institutions to acknowledge the potential domino effect of their interconnectedness: "The agencies are considering a requirement that covered entities establish and implement plans to identify and mitigate the cyber risks they pose through interconnectedness to sector partners and external stakeholders to prevent cyber contagion." Affected institutions must be able to contain damage quickly and recover from breaches and attacks. They must be able to keep critical business functions running, and to anticipate ongoing risks and vulnerabilities before, during, and after an attack.
While the Fed is moving without the FDIC and OCC, it is not the only government agency upgrading cybersecurity standards. At the state level, New York's Department of Financial Services (NYDFS) began enforcing new regulations in March 2017. The regulation, 23 NYCRR 500, strongly resembles the standards proposed by the Fed. Covered institutions are required to:
- upgrade equipment,
- train personnel on best practices,
- perform regular audits,
- designate a chief information security officer (CISO),
- encrypt non-public information, and
- require multi-factor authentication, in particular for external access to internal networks, to manage the risk of accounts being exploited.
In addition to the Federal Reserve and NYDFS, the Federal Trade Commission is proposing upgrades to its 2003 Standards for Safeguarding Customer Information (Safeguards Rule) and is still seeking public comment on the amendments; comments are due by August 2, 2019. The proposed upgrades would "require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data."
The FTC has also proposed improving compliance by requiring companies to submit periodic reports to their boards of directors, and by broadening the coverage of the rule to include vendors and affiliates.
While much remains to be done to shore up the cybersecurity of United States financial institutions, it is clear that a growing number of government agencies are committed to creating solutions. In a February 2018 address, the Federal Reserve Board's Vice Chairman for Supervision, Randal K. Quarles, spoke of the commitment to firm up the financial sector's cyber resiliency: "The Federal Reserve is committed to strategies that will result in measurable enhancements to the cyber resiliency of the financial sector. Given the dynamic and highly sophisticated nature of cyber risks, a collaboration between the public sector and the private sector toward identifying and managing these risks is imperative. While we know that successful cyberattacks are often connected to poor basic information technology hygiene, and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber events."