Chief Investment Officer
Cyber-security - what can you do?
Cyber security is a hot topic these days. Recent breaches such as Target, Jimmy John's, and Home Depot jarred consumers and the banking world alike. The cost of these breaches, borne almost exclusively by the banks, involves not only the hard cost of massive card reissues, but also the intangible of customers losing faith in the bank card and not using the reissued card (about 3-5% of card customers based upon SCB Forums' member information).
Some bleeding-edge pundits may dismiss the issue as temporary given the upcoming NFC technology, tokenization, and ApplePay. But those will not eliminate the use of cards, which is incredibly widespread and embedded in our economy. Further, they'll eventually simply move hacking to the card-not-present category. Either way, this is a serious problem for banks, who continue to work hard to migrate customer transactions to plastic and its derivatives, both credit and debit.
CIOs at our forums have discussed the situation at length, but there is no easy way to get around the cost of recovery and cost of compliance when it comes to cyber-security. At a recent OCC forum I was inspired by one of my readers to offer some thoughts on the subject. The topic is complex and detailed, but some general observations are offered below. First, consider the following questions paraphrased from the FFIEC Cyber-security Assessment document:
1. What types of connections does my bank have? The most common connection types are:
- Virtual private networks
- Wireless networks
- Telnet, File Transfer Protocol
- Bring Your Own Device
- Local area networks that are connected to other networks or to internet service providers
Each connection represents a potential entry point for attack, so you should consider whether you need all the current connection types you have.
2. Products and services also create additional vulnerabilities, through your own customers and the way they use those products.
3. Technologies used by the bank, such as your core systems, ATMs, internet and mobile applications etc., all offer hackers an opportunity to penetrate your defenses.
Management's job is to assess the cyber-security risks to which the organization is susceptible, and how prepared the bank is to handle those risks. The cornerstone of the process is risk management and oversight.
- Start with the basics. IT risk management is founded on a set of basic principles which should be the foundation of any cyber-security program (these are available from regulatory sources and communications).
- Establish strong governance. Clearly identify roles and responsibilities that assign accountability to identify, assess, and manage cyber-security risks across the enterprise.
- Be proactive. We know with certainty that data breaches will continue. Avoiding the position of being easy prey is the first step to an effective cyber-security program. Continue updating your systems as well as fraud and hacking prevention software as new applications come to market, and don't forget those patches. Currency of software and technology are the first line of defense.
- Be proactive with information sharing and threat intelligence. Install a process to gather and analyze threat and vulnerability information from multiple sources, and develop a process to analyze the information to improve your risk management practices. This sharing occurs intensely at our CIO, ERM and Compliance Forums, and should take place even beyond these platforms. Include law enforcement in your circle of data providers for early warnings.
- Be proactive by instituting preventive controls. These can include excluding unpatched devices from the network, encrypting customer information in transit, etc. Early detection using tools available in the marketplace is another vehicle for prevention and early detection of anomalies in customer behavior and data flows.
- Plan swift and inexpensive recovery processes. Preparing for recovery is key, since we know breaches will happen. The current recovery processes are very expensive and clunky. The typical customer experience is negative, as reflected by the card abandonment rate, and the cost to the bank is overwhelming. Automated fraud prevention systems are emerging which significantly improve the customer experience and obviate the need to reissue the card. Such creativity can improve recovery from breaches for all participants.
The board should discuss how the bank plans to respond to a breach and other cyber threats and in general be apprised of cyber-security risks and developments.
- Manage third-party vendor cyber-security risk. Banks need to periodically assess the information security exposure and controls of their third-party vendors. Pay special attention to how you connect with external vendors and clarify in advance what their responsibilities are in the event of a cyber-attack.
- Identify the bank's risk profile and assess whether cyber-security related resources are appropriate to handle the bank's IT risks. Such resources include the people, systems and policies that reflect the board's risk appetite; then match that risk tolerance to the bank's current data management practices.
- Cyber incident resilience. Ultimately, cyber-attacks are inevitable. The real question is how the bank will respond to all constituencies, and how well those responses are incorporated into the bank's disaster recovery and business continuity plans. Expand your DR activities to incorporate cyber-attack scenarios and ensure you have resources on hand to deal with the ramifications of such situations (e.g. the capability to mass-reissue cards).
- Credential management/multifactor authentication. Raising the bar on authentication has many negative implications for both internal and external customers, but it is unavoidable. Help your customers improve authentication resiliency by offering simple tools for password protection, such as the move to passphrases from complex passwords that find their way onto yellow stickies hanging on the desktop screen...
Cyber-risk is a fact of life. Younger people almost shrug it off, and yet our banks are the ones held accountable when others suffer from the breaches. Further, the data that resides on our systems is (almost) priceless to the hackers, and they continue to look for ways to get it. Our challenge and opportunity is to stay ahead of them and look for ways to become less vulnerable to attacks. At the same time, we must remain prepared for attacks as they occur and plan for a swift and less expensive recovery process that will minimize customer and shareholder impact. For better or for worse, this is the new reality of banking information security.