Strategy

Cyberthreats Are Changing Banking


by FEI Daily Staff

Banks and their corporate customers will need to adapt to not only new online threats, but also new regulations being put in place to protect the U.S. financial system.


In its Spring 2013 Semiannual Risk Perspective Report, released in the summer, the Office of the Comptroller of the Currency (OCC) highlights the increasing sophistication of cyberthreats and the increased reliance on technology as a key operational risk for banks under its supervision.

The OCC report specifically notes that “increasingly sophisticated cyberthreats, expanding reliance on technology and changing regulatory requirements are heightening operational risk,” and posing a threat to “confidentiality, integrity and availability of [bank] systems.”

Cyberthreats, the report notes, require “heightened awareness and appropriate resources to identify and mitigate the associated risks,” and the costs and resources required to mitigate the risks are growing with the scale of such risks.

The costs of failing to address cyberattack risks, however, are greater, including compromised availability or diminished response times for online banking services, as well as data security issues, fraud, identity theft and criminals seeking to disrupt, degrade or deny access to bank information systems. All of this can “strain bank resources and can cause financial, operational and reputational harm,” the report adds.

Raising the stakes even higher, a recent Pew Research survey indicates that more than half of all U.S. adults (representing 61 percent of Internet users) bank online. The survey also notes that more than a third of cellphone users engage in mobile banking. And the numbers for both categories are expected to continue to climb.

As the industry strains to keep up with the demand for online and mobile banking services — and newer and more sophisticated cyberthreats continue to emerge — banks, in an effort to reduce operating costs, are adopting newer and “less market-tested applications” and increasing outsourcing.

This raises another hot button issue for federal bank regulators — the ability of banks to understand the risks associated with third-party vendor strategies and to provide effective oversight of cybersecurity outsourcing solutions.

According to the OCC, regulators are reviewing “programs for assessing the evolving cyberthreat environment and continuously adjusting controls, as well as for robust vulnerability assessments and timely correction, access management and incident response.”

Rather than issue new regulations, for now it appears that the regulators are focusing on corporate governance tools to monitor and address cyberthreats and related bank operational risks. It is clear, however, that the banking agencies stand ready to take policy and supervisory actions in response to increasing cyberthreats.

Cybersecurity Efforts at the Federal Level Increase

Congress is also focusing on cybersecurity issues, with the House passing the Cyber Intelligence Sharing and Protection Act (CISPA) in April. The legislation would facilitate the exchange of information among corporations and between the private sector and government intelligence agencies regarding cybersecurity risks.

Critics argue CISPA should require personal data to be stripped from information that companies share with the government. While the Senate has yet to hold a vote on CISPA, another bill, the Cybersecurity and American Cyber Competitiveness Act of 2013, was introduced in January by Sen. John D. Rockefeller (D-W.Va.) and seven other members of the Senate Democratic Caucus.

The bill includes a “Sense of Congress” that says “Congress should enact, and the president should sign, bipartisan legislation to improve communication and collaboration between the private sector and the federal government to secure the U.S. against cyberattacks, to enhance U.S. competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of U.S. citizens and businesses by,” among other things, “establishing mechanisms for sharing cyberthreat and vulnerability information between the federal government and private sector.”

The executive branch is engaged on cybersecurity issues, too, with President Barack Obama, in February of this year, issuing an Executive Order in which he asserts that “repeated cyberintrusions into critical infrastructure demonstrate the need for improved cybersecurity,” and noting that “cyberthreat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

The Executive Order calls for cybersecurity information-sharing consistent with privacy and civil liberties protections, and instructs the Secretary of Homeland Security, the U.S. Attorney General, the Secretary of Defense and the Director of National Intelligence, among others, to implement the President’s cybersecurity plan, including the identification of critical infrastructure at the greatest risk of cyberattack.

Efforts to implement the Executive Order have been spearheaded by the National Institute of Standards and Technology (NIST). However, there has been some resistance, particularly from the financial sector, to NIST’s initiatives. Of note has been concern regarding duplicative and overlapping standards that could potentially conflict or create additional burdens to financial institutions already subject to comprehensive laws, regulations and supervision directed at managing and minimizing cybersecurity threats and risks.

Nonetheless, in July, NIST issued a draft outline of a voluntary framework to improve cybersecurity and assist institutions in preparing for cyberthreats and their impacts, with the outline continuing to be developed and refined with input from critical infrastructure industries, including the financial sector.

The increase in attention to cybersecurity among various branches of government is a response, in part, to the string of distributed denial of service (DDoS) attacks against major U.S. banks over the last year. In a DDoS attack, a large number of computers, typically compromised machines under an attacker's control, send requests to the target website simultaneously; the flood exhausts the site's bandwidth or server capacity and leaves it inaccessible to legitimate customers.

Such attacks have affected most of the major U.S. banks, including several significant recent attacks, as well as various other financial firms and major industry participants. In many instances, cyberattacks have resulted in significant disruptions, including shutting down online and mobile banking systems for hours.
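The distributed nature of these attacks is what makes them hard to handle with the per-address rate limiting that stops a single abusive client: when each of thousands of sources sends only a handful of requests, no individual address looks abnormal even as the aggregate overwhelms the site. The following added example, which is not code from the article, the OCC or the FFIEC, illustrates that difference by running a simple window-based check over constructed web-server access-log lines in Common Log Format. The thresholds, the 10-second window and the log content are assumptions chosen for illustration; in practice they would be tuned against a site's own traffic baseline.

```python
"""Distinguish a single noisy client from a distributed flood in access logs.

Added example; not code from the FEI Daily article or any regulator's guidance.
Assumptions: Common Log Format lines, a fixed window, and illustrative thresholds.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def window_start(ts, window):
    """Align a timestamp to the start of its fixed-size window (epoch seconds)."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % window)


def detect_floods(lines, window=10, aggregate_threshold=50, per_source_threshold=20):
    """Return {window_start: (verdict, total_requests, distinct_sources, top_ip)}.

    'single-source': one address alone exceeds per_source_threshold; blocking or
                     rate-limiting that address is enough.
    'distributed'  : the aggregate exceeds aggregate_threshold while no single
                     address stands out, which is the DDoS pattern; per-address
                     limits will not help and upstream mitigation is needed.
    'normal'       : neither condition holds.
    """
    per_window = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        per_window[window_start(rec["ts"], window)][rec["ip"]] += 1

    verdicts = {}
    for start, counts in sorted(per_window.items()):
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > per_source_threshold:
            verdict = "single-source"
        elif total > aggregate_threshold:
            verdict = "distributed"
        else:
            verdict = "normal"
        verdicts[start] = (verdict, total, len(counts), top_ip)
    return verdicts


def make_line(ip, second, path="/login"):
    """Build a constructed CLF line; addresses come from the documentation ranges."""
    return f'{ip} - - [16/Jul/2013:00:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log covering three consecutive 10-second windows.
SAMPLE_LOG = []
# Window A (seconds 0-9): light legitimate traffic from five customers.
SAMPLE_LOG += [make_line(f"192.0.2.{i % 5 + 1}", i) for i in range(10)]
# Window B (seconds 10-19): one client hammering the login page.
SAMPLE_LOG += [make_line("198.51.100.7", 10 + i % 10) for i in range(30)]
# Window C (seconds 20-29): 120 distinct sources, one request each (distributed).
SAMPLE_LOG += [make_line(f"203.0.113.{i + 1}", 20 + i % 10) for i in range(120)]


if __name__ == "__main__":
    for start, (verdict, total, sources, top_ip) in detect_floods(SAMPLE_LOG).items():
        print(f"{start}: {verdict:14s} total={total:3d} sources={sources:3d} top={top_ip}")
```

Window B is caught by the per-source check and window C only by the aggregate check; a detector that looks at individual addresses alone would report window C as normal. Real deployments would also take request mix and response codes into account and compare against a learned baseline rather than fixed numbers.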

Prevalence of Banks As Cybertargets

In a rare revelation to the consumer public of the federal banking agencies’ heightened sensitivity and concern with cybersecurity issues, the FDIC discussed recent cybersecurity [DDoS] attacks on banks in the agency’s Spring 2013 edition of the FDIC’s Consumer News publication. In addressing potential fallout to banks from such cyberattacks, the FDIC notes that the motive of the attacks was to damage the targeted institutions’ reputation by making it appear as if something was “seriously wrong with the bank.”

Highlighting that federal bank regulators require institutions to notify customers when sensitive data has been accessed without authorization, the FDIC went on to commend the industry’s handling of the recent cyberattacks thus far, noting that federal banking regulators are continuing to monitor how financial institutions handle these attacks and associated prolonged service interruptions to bank customers. According to several industry observers, this was the first time a federal bank regulator directly addressed DDoS attacks with the public.

The federal banking agencies’ supervision and oversight of cybersecurity issues was also bolstered recently by the formation, in June, by the agencies’ supervisory coordinating council, the Federal Financial Institutions Examination Council (FFIEC), of the FFIEC Cybersecurity and Critical Infrastructure Working Group. The FFIEC Working Group is intended to “enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups.”

To increase awareness of cyberthreat issues for the industry, earlier last summer the OCC held a Web conference for community banks on cyberthreats and vulnerabilities. The webinar stressed that the risk of cyberattack is not just a technology issue, emphasizing that bank “senior management needs to get involved to ‘set the tone from the top’ and ensure they approach preparedness as a bank-wide endeavor and consider the risks from cyberthreats when contemplating strategic business decisions.”

Though the largest U.S. banks present the largest targets for cybercriminals, smaller community-based banks may be more vulnerable to cyberattacks because of the limited resources many of these institutions can dedicate to cybersecurity and the many other regulatory and compliance burdens that compete for those resources.

Notably, cybersecurity issues and resource concerns are not only front and center for domestic institutions, but also institutions internationally. According to a recent global risk management survey issued by Deloitte & Touche LLP, while approximately two-thirds of banks have increased spending on risk management and compliance, “there is a divergence when it comes to the spending patterns of different-sized firms.” (See the feature article by these authors, “A Strategic Approach to Cybersecurity,” which appeared in the March 2013 issue of Financial Executive magazine.)

Interestingly, notwithstanding the greater resources and experience of larger banks in dealing with technology and cybersecurity issues, technology used to monitor and manage risk is a concern across the board. According to the Deloitte survey, there need to be significant improvements in risk technology.

Of the 86 institutions surveyed, fewer than 25 percent of institutions rated their technology systems as extremely or very effective, while 40 percent of institutions are concerned about their capabilities in the management of risk data.

Threats Continually Evolving

Complicating the picture for the industry is that cybersecurity issues and threats are continuing to evolve, with at least one group, the self-described Cyber Fighters of Izz ad-din Al Qassam, specifically and methodically targeting U.S. financial institutions. The group has claimed credit for the wave of recent DDoS attacks, which are collectively known as Operation Ababil. A so-called “Phase Four” of the group’s operations was initiated against several U.S. banks in July. Underscoring the seriousness with which the U.S. government is focusing on cybersecurity threats, earlier this year, the U.S. Federal Bureau of Investigation (FBI) granted temporary clearances to security officers and executives at banks in order to brief such individuals on developments regarding the recent attacks.

The federal banking agencies will continue to use and refine their supervisory and policymaking authority and approach to ensure that banks are cognizant of and taking appropriate precautions to minimize the risks posed by cyberattacks. Banks should expect regulators to continue their scrutiny of cybersecurity risks, including increased supervision activity in areas related to data security, privacy and Internet-facing access.

To address cybersecurity risks and the regulators’ response to such risks, institutions should consider implementing an information security plan that includes the following elements (based on criteria from the Information Security booklet of the FFIEC IT Examination Handbook):

• Implement a Security Process. Include appropriate governance for the security function and assign clear and appropriate roles and responsibilities to the board, management and employees.

• Maintain an Information Security Risk Assessment Program. Gather and analyze data relevant to risks and threats to the organization and prioritize those risks and threats.

• Develop an Information Security Strategy. Define control objectives and establish a plan for implementation.

• Effectively Administer Access Rights. Ensure that users are appropriately restricted in access, that access rights are regularly reviewed and updated, and that acceptable-use policies are agreed to in writing.

• Use Effective Authentication Methods. Authentication mechanisms should be risk-based, and multi-factor systems should be considered.

• Restrict Network Access. Multiple layers of access controls should be implemented to protect against unauthorized access, and servers, applications, data and users should be segregated into appropriately restricted and monitored security domains.

• Secure Operating System Access. This includes securing system utilities, restricting access, applying security patches and securing devices with access to the operating system.

• Control Access to Applications. Use authentication controls appropriate to application risk, monitor access rights, implement time-of-day limitations, log access and security events, and implement software-based monitoring and analysis of user activities.

• Secure Remote Access. Evaluate the business need for remote communications, control and audit access, implement controls at both ends of the remote connection, monitor remote access, secure remote access devices and use effective authentication and encryption.

• Protect the Physical Devices. Define physical security zones and implement controls to protect against physical penetration by unauthorized people, damage from environmental contaminants and unauthorized electronic penetration.

• Employ Encryption. Encryption should be appropriate to mitigate risks to sensitive information in storage and in transit, and should be reliable and gauged to match the risk involved.

• Develop, Acquire and Maintain Systems with Appropriate Controls. Enable security features, review software for trustworthiness and establish patch processes.

The FFIEC booklet includes additional recommendations regarding personnel security, data security, service provider oversight, business continuity considerations, insurance and security monitoring.

Given the increasing prevalence of cyberattacks, the increasing proliferation of online and mobile banking, the increasing regulatory focus on cybersecurity issues and the increasing reliance on third-party vendors and outsourcing to provide solutions to cybersecurity risks, a well-developed and well-executed cybersecurity risk management program is critical for institutions of all sizes.

Certainly, a critical aspect in successfully addressing cyberrisks is the involvement of senior management in understanding, monitoring and responding proactively to minimize potential vulnerabilities and in taking the appropriate steps to mitigate damage when a vulnerability has been exploited, including engaging with law enforcement and regulators expeditiously to address and contain potential fallout and prevent contagion.

Ultimately, management and the board of directors of an institution are accountable and, thus, must take an aggressive role both to be informed of cyberrisks and vulnerabilities at an institution and to actively oversee and manage issues when a cybersecurity breach occurs.

Kevin L. Petrasic ([email protected]) is a partner in the global banking and payments systems practice of law firm Paul Hastings in Washington D.C. and Ryan Chiachiere ([email protected]) is an associate in the practice.