2015-04-24

By Daniela Guzman
dguzman@acfcs.org
Apr. 23, 2015

Cybersecurity is a term that has developed in response to “cyber-warfare.” The internet has created a new domain for attacks on nation-states, private corporations, financial institutions and other entities that operate in this global network.

Governments around the world are urging companies, including banks, to reinforce their protective barriers against hackers who infiltrate systems to steal information or siphon funds directly. Breaches have become a daily occurrence, and one that often goes undetected.

Breaches have occurred all over the world, through the exploitation of vulnerabilities in security networks or even social engineering. The new globalized threat also presents a tool for terrorists to achieve their nefarious purposes at a distance and virtually anonymously. State-sponsored attacks have also created a cyber-battleground by using dexterous hacker groups as proxies to steal important government intelligence or trade secrets.

However, as speakers at the ACFCS conference in New York City this week emphasized, cybersecurity is a global problem, but it is also an individual responsibility. While there is a universal network that stores information vital to national security and the financial system, there is no universal watchdog keeping that data safe.

The duty falls on the shoulders of the private companies and financial institutions that are restructuring their organizations to fall in line with the new expectations of regulators.

The focus on cybersecurity is not a passing trend, nor does it apply only to financial institutions. Every business is a technology business now, so every business needs an effective cybersecurity strategy that focuses on preventing breaches just as much as on a cogent response to an attack, a response that involves both the government and the company's clients.

Regulators, too, are adding expectations to the cybersecurity protocols of the financial institutions under their supervision, including a focus on the data security of third-party vendors.

Due diligence on third parties will be a key point for financial institutions as they strive to align with regulator examinations.

The New York Department of Financial Services announced in 2015 that its examinations would include tests to prove these new protocols. The Federal Financial Institutions Examination Council, the interagency body that also puts together the anti-money laundering exam manual, updated its priorities for the rest of 2015 with a focus on banks identifying and responding to cyber-attacks.

The Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology in February 2014 with the aid of government, the military, the intelligence community, academia and industry professionals, is being used as a guide for institutions in the event of an attack. The framework is composed of five steps:

Identify critical data

Protect

Detect

Respond

Recover

Experts from the legal field, the military and the financial services industry talked about the explosive nature of data breaches at the annual ACFCS Financial Crime Conference in New York City this week.

One of those speakers, John Walsh, CEO of SightSpan Inc. in Charlotte, North Carolina, is a highly regarded industry leader on the subjects of risk management, financial crime management and other relevant security topics.

He highlighted the importance of the NIST framework in showing institutions how to protect themselves from cyber threats.

“This cybersecurity framework is very important. If you learn this framework, you will learn the future,” Walsh said at the ACFCS conference. “There is no one protecting us and we have a false sense of security in our homes and businesses.”

Walsh said that although cybercrime has become a global problem, it is up to each individual firm to protect itself against intrusions.

“This is a new problem and we need a new solution. We don’t have a decade to solve this problem. No firm in the US is safe right now in my opinion,” Walsh said.

“The problem extends much further than the financial services industry or corporations. It also affects governments of the world. The threats to the medical community are beyond imaginable,” Walsh said.

Joseph DeMarco, partner at DeVore & DeMarco LLP in New York, specializes in counseling clients on complex issues involving information privacy and security, theft of intellectual property, computer intrusions, online fraud, and the lawful use of new technology.

He founded and headed the Computer Hacking and Intellectual Property Program as the Assistant United States Attorney for the Southern District of New York, where he handled cybercrime investigations.

DeMarco, with his experience in both the private sector and government, has a unique perspective on how to handle cyber-attacks. He said it is important for institutions to remember that they are a target not only for hackers, but also for regulators.

“Breaches are going to have a significant legal component to them,” DeMarco said at the ACFCS Conference.

“In the interests of government regulators, they won’t tell you what you need to do. They will point you to prior enforcement actions, but most of those companies have settled because they don’t want the negative publicity. The minute they tell you what standard to apply, they have set the bar, and they don’t want to set it low,” DeMarco explained.

As companies and banks struggle to prepare themselves for attacks, they also have to design an efficient post-breach strategy to avoid trouble with regulators.

A number of states have passed laws requiring companies to disclose data breaches. The Sarbanes-Oxley Act of 2002 and post-financial crisis Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 have also imposed significant disclosure requirements on data breaches.

“The first question you need to be prepared to answer isn’t what happened, but why did you take so long to tell us? What did you know and when did you know? If you have good answers to those questions, regulators can be pretty reasonable,” DeMarco explained.

In 2014, cyber breaches dominated headlines.

Major banks, corporations and even national governments were victims of attacks, some of which have ongoing repercussions. In October 2014, JPMorgan Chase revealed that names, addresses, phone numbers and email addresses of the holders of 83 million accounts were exposed when the bank’s computer systems were compromised.

The bank apparently had a weak authentication scheme, which allowed the infiltration, according to reports by The New York Times. In response, the bank increased its security staff to more than 1,000 individuals, mostly former military and government security experts.

While the hackers did not empty out accounts by directly stealing money, the information purloined in this attack could be used to propagate thousands of financial crimes, including identity theft, tax fraud, and more.

Apart from fixing the weak authentication system and boosting its cybersecurity team, JPMorgan had to launch a damage control campaign to assure its clients that their money was still safe, despite the massive breach.

This example is, unfortunately, one of many recent breaches.

Target and Home Depot also suffered attacks that exposed tens of millions of credit cards and accounts, and health insurance company Anthem had 80 million Social Security numbers stolen.

Experts say there are more attacks to come as hackers become better at finding the Achilles' heels in the security systems of companies, hospitals, schools, military weapons control systems, and other crucial entities.

The US government has responded to the threat with several initiatives, including the nation’s first cybersecurity summit. President Barack Obama urged the private sector to share information on hacks with investigators, keeping lines of communication open both ways.

Banks are also being urged to implement training that educates employees on the red flags of a breach so they can alert IT personnel. Part of this endeavor to protect critical infrastructure includes two executive orders issued in 2013 designed to work with owners and operators to prepare for, prevent, mitigate and respond to threats.

Perhaps the most groundbreaking effort to protect the US from hackers has been the new sanctions program created by the Obama administration.

Through an executive order, the government has implemented a sanctions regime, a tool usually reserved for terrorists, traffickers or organized crime groups, against foreign cyber hacking groups that threaten the US economy, national security or foreign policy objectives.

The order covers any individual or group that:

Harms or compromises any services or computer networks supporting what the government considers critical pieces of infrastructure, such as banks, power grids and military installations.

Causes a significant compromise of such infrastructures themselves in providing power or services.

Causes a significant disruption in the general availability of a computer or network of computers.

The order also covers any entities directly or indirectly responsible or complicit, not just the attackers themselves, and extends to any entities that gain or steal trade secrets and use those pilfered technologies to make money. Those funds would thus be forfeit.

There are also punitive provisions against any individuals or entities that try to evade these orders or help a designated entity engage in any transactions.

As the US government uses this tool to combat cybercrime, the financial services industry is making strides in securing its systems to protect clients’ information and funds.

Even as the private and public sectors strategize to block intruders from cyberspace, hackers remain one step ahead, with new malware being developed every day. The challenge now is to educate and train professionals, in every industry, to know what cyber risks they face.
