Regulatory Compliance Does Not Equal Cybersecurity

Financial services institutions need a bold new approach to cybersecurity.

By Rocco Grillo

In our digitally connected world, businesses across industries are exposed to new and evolving risks and liabilities. Cyberrisk is understandably a top concern for organizations, with Aon’s 2017 Global Risk Management Survey reporting that companies in North America view cybercrime and hacking as their No. 1 risk. Banks globally are no exception, rating the biggest risks to their business as damage to reputation and brand; regulatory and legislative changes; and cybercrime and hacking. Financial institutions are not only prime targets for cyberattacks but also bear tremendous fiduciary, legal, regulatory, and compliance responsibility to protect customer data and privacy.

Operating in a highly regulated industry, banks are required to have mature security programs, but staying ahead of compliance requirements alone does not equal security or immunity. Just look at the high-profile data breaches that have affected the major industry players, or the notorious SWIFT financial messaging service hack that resulted in a loss of $81 million for the Bangladesh Central Bank. Security isn’t one and done; cyberrisk is dynamic, the risk is enterprisewide, and security is an ongoing process that financial institutions must maintain by conducting effective cyber due diligence.

The numbers tell a disturbing story. On top of daily phishing, malware, and penetration attacks, banks faced an average of 85 serious attempts to breach their cyberdefenses over the course of the past year, and 36% of these attacks succeeded in stealing some data. The average dollar cost of a breach is reported to be $4 million, yet regulated industries, such as health care and financial services, pay a higher price because of fines and the higher-than-average rate of lost business and customers. Crucially, the real damage often isn’t inflicted when the compromise itself occurs – it is the "dwell time," the time it takes for companies to detect breaches and effectively respond, that is one of the biggest contributors to breach costs. The Advanced Threats in Financial Services and Retail study by Ponemon Institute found that financial firms take an average of 98 days to detect a breach, leaving attackers unimpeded inside the network, able to inflict significant damage.

Cyberrisk is a broad-reaching, enterprise-level risk, and financial institutions are in a uniquely challenging position. In banking, the push for digital innovation, disruptive technologies, and delivery of more personalized customer experiences continuously introduces new threats. Forrester Research calls this dynamic an "epic" battle between privacy and digital innovation, predicting that by 2020 financial services and insurance companies expect to generate the biggest portion of their total sales from digital products, services, or products sold online. Alongside this drive toward digital business, many banks rely on legacy IT systems that are expensive to maintain and susceptible to more vulnerabilities, greatly compounding the cybersecurity challenge. The recent uptick of mergers and acquisitions (M&A) activity within the banking industry intensifies the trials with these legacy systems. The global number of banking M&A deals in 2016, while not notable in transaction value, surged to 1,259 total transactions. While far from the peak of 1,810 deals in 2009, the sheer number of institutions currently joining forces is cause for cybersecurity alarm bells to ring, because institutions must now integrate and secure disparate IT systems and cyberrisk management programs.

Beyond the risks emanating from their own networks and vulnerabilities, banks take on additional exposure via their increasing reliance on third-party vendors – in particular, technology service providers that provide or enable key banking functions and support customer accounts and transaction processing. Although it is possible to outsource the function, it isn’t possible to outsource the risk: Vendors such as core providers, card solutions processors, wire transfer providers, and mortgage subservicers open banks up to myriad threats. A bank can have fortress-grade security within its four walls, but when it outsources to third-party service providers and provides a connection to its network, the bank is no longer in control of the entire perimeter. As many chief information security officers (CISOs) and risk managers in financial institutions know, risks include the potential for disruption of service, stolen intellectual property or commercially sensitive information, risks associated with human errors such as lost devices, and data leakage through insecure email practices or other systems.

To address these issues, security and risk mitigation must be entrenched in the bank’s contractual agreement with the technology service provider, granting the bank the opportunity to audit the third party’s security practices and business continuity plans, establish performance standards, define default and termination terms, provide for data concerns for foreign-based service providers, outline data governance and vendor subcontracting rules, receive technology service provider updates detailing response to relevant issues and regulations, and, importantly, permit sharing of knowledge.

Achieving this level of trust, transparency, and accountability won’t come easily. According to a 2017 report issued by the FDIC’s independent inspector general, few banks’ contracts with technology service providers provide sufficient detail about the providers’ business continuity and incident response capabilities and duties. The report also found shortfalls in banks’ assessments of how providers could affect the banks’ own ability to plan for business continuity and incident response. Because financial institutions have an obligation to defend the privacy of their customers and protect the security and confidentiality of customer information, greater examination and oversight of third-party cyberrisk management programs is fundamental, especially in the context of new regulations like the European Union General Data Protection Regulation (GDPR). Securities and Exchange Commission roundtable discussions and Federal Trade Commission and Department of Justice policy statements have all focused on cyberthreat assessments internally, as well as those in vendor relationships. Security assessment and benchmarking scorecards need to take account of third parties, and presentations from CISOs and executive management teams to boards should evaluate third-party risk management programs and reveal any exposures introduced by the relationship.

A bank’s carefully constructed cybersecurity fortress, designed to keep criminals out, must also take into account the internal employee or other "insider" with access to an organization’s networks and systems. Maliciously or accidentally, insiders can cause devastating leaks of information and data, make payment transfers, issue illegal trades, grant criminals access to security codes, and cause other damage. As organizations continue to increase security around new technologies, and in parallel shore up perimeter defenses to raise the bar on network security, criminals are increasing their focus on the human element as an entry point to pivot into broader network systems. Phishing tactics continue to become more authentic in appearance, with embedded malware that, once clicked, will infect or spread through an organization’s systems. Scams that target mobile devices, and the social media sites employees access on company mobile devices, are also growing. Insider risk is a real and growing threat that is made worse when organizations grant employees excessive access to systems and networks where they do not need it. If an employee is successfully duped by a phishing attempt or wants to steal information from the company, he or she can inflict far greater damage if the organization has not properly configured access levels to align with the employee’s level of authority and job responsibilities. There is no good reason to give employees free rein within a company’s network. Stringent measures, as well as training and awareness programs, must be implemented to ensure employees comply with the bank’s rules, along with safeguards to identify those who do not comply and documented policies to remove those individuals from the organization.

Ultimately, regulations are ideally designed to protect companies, clients, and consumers against the potentially devastating consequences of these types of cyberrisks. Regulatory requirements for financial institutions have undeniably become tougher, and companies are burdened by the need to interpret what a fragmented global regulatory landscape means for their operations. Large global banks tend to have mature security programs and big budgets, but they can still find themselves in reactive mode, chasing regulatory compliance, rather than leading independent security planning. When new requirements or frameworks come out, banks and financial institutions must determine their current security state and identify deficiencies. If they are conducting routine testing and remediation to be secure, being compliant or meeting regulations should be easier to achieve. Of course, some companies will want or need to go above and beyond regulations. Too often, however, companies don’t have a mature position or haven’t done due diligence, so they find themselves in reactive mode. By conducting proactive due diligence with the aim of being secure, banks are more able to extend and tweak their existing programs to meet the next regulation, national cybersecurity regulatory ruling, or law that might come out.

Regulatory and compliance matters that are currently in the spotlight include the EU’s GDPR, the Bank of England’s CBEST vulnerability testing framework, and the proposed New York State Department of Financial Services’ (NYSDFS) Cybersecurity Requirements for Financial Services Companies, the first of its type in the United States.

The NYSDFS cybersecurity requirements, which took effect on March 1, 2017, are designed to ensure that financial services firms meet minimum cybersecurity requirements, such as mandating the creation of a new job function – that is, designating a CISO who will have principal reporting and oversight responsibilities for a company’s cybersecurity program. The regulation also imposes additional requirements related to annual certification, risk assessments, reporting, record keeping, and periodic reviews of access privileges, among other things. In general, larger banks will have some work to do, although they tend to be in good shape to meet the NYSDFS rules – they are no strangers to these types of requirements, and many are even ahead of the curve. However, smaller midmarket institutions, many organizations in the insurance subsector, and many third parties or affiliates of regulated entities have significant work to do. Many of them are facing this type of regulation for the first time and will need help.

Organizations across the financial services sector should take advantage of the opportunity presented by the NYSDFS cybersecurity requirements to evaluate their cybersecurity and compliance programs holistically. Rather than taking a "check the box" approach, companies should implement an integrated and cross-discipline effort in order to adopt an organizational program of cyberrisk management that is tailored to business objectives, while also maintaining a tolerable level of cyberrisk. By taking an integrated approach to the broad objectives contained in the NYSDFS requirements, organizations can achieve these business- and security-focused goals while also achieving compliance in an effective and efficient manner.

Across the Atlantic, the clock is ticking on the EU’s GDPR, set to take effect in May 2018. Unlike smaller regulations that necessitate minor enhancements or modifications to comply, the GDPR ushers in a host of challenges that companies need to address, especially if they don’t already have a comprehensive and effective data security program. Although this is an EU regulation, it applies to any company doing business in the EU, regardless of the location of its headquarters. Its impact, therefore, ripples across the globe. The regulation imposes stricter requirements on firms that handle customer data, including new rules for profiling customers and sharing data with third parties. This requirement is compounded by the EU Payment Services Directive, which asks financial services companies to open their data and payment capabilities to third-party providers within the ecosystem. In many cases, financial institutions themselves are also third-party service providers. As indicated earlier, these third-party relationships greatly magnify the cyberrisk and responsibility that banks and other financial institutions must take on.

In terms of banks’ readiness to meet this global initiative, larger banks with mature data protection programs will need to conduct a thorough, global gap analysis of how they handle consumer data and the technical controls they have in place compared with the GDPR requirements. In my experience, mature banks will need to enhance existing programs rather than create a specific, separate compliance program for this regulation. For example, they may have plans in place to disclose and notify consumers and other stakeholders of a breach, but the 72-hour deadline required by the GDPR may present a new challenge in terms of how efficiently they can work out what happened and then communicate that information externally. Banks need to view GDPR compliance not only as a legal and business issue but as an IT and security issue – it is important for the board and executive management to understand where data is held, who has access, and what security controls are in place to protect that data. The CISO and IT teams will therefore play a crucial role in a baseline assessment of these issues, alongside the data protection and privacy professionals and legal teams.

Launched in the U.K. in 2015, the CBEST vulnerability testing program is designed to identify areas where financial services organizations could be vulnerable to sophisticated cyberattacks and to understand their susceptibility to advanced persistent threat actors. The approach, called red teaming, involves looking at a company through the eyes of an attacker. The CBEST model provides testing scenarios that are based on realistic situations, derived from current threat intelligence. Increased pressure from regulators worldwide is accelerating the development of in-house red teaming capabilities, a push likely to occur first in financial hubs such as Hong Kong, Singapore, the EU, and even the United States. Many of the top banks, from Citi to Bank of America to JPMorgan, are implementing CBEST not because they must, but from a best practices standpoint and to be ahead of the curve. Financial companies will face a significant challenge, however, in conducting the vulnerability testing necessary to adhere to CBEST: recruiting, motivating, and retaining highly technical cybersecurity talent to keep their red teams at the forefront of their field.

Additionally, a prerequisite to implementing a red teaming program is implementation of security controls. If a company doesn’t have security controls in place, it’s hard to map its current standards to regulatory requirements around red teaming. You must have the foundations of cybersecurity controls and vulnerability management in place before implementing the more sophisticated elements of red teaming and other CBEST elements.

Developing, implementing, and maintaining a mature and effective vulnerability testing program is a multifaceted challenge for any organization that has not yet embraced or adopted CBEST guidance. Across the industry, each organization’s journey to establish a vulnerability testing program that meets the rigor of CBEST is unique; however, the common thread is that organizations will have to take a phased and prioritized approach. A good start would be to engage external assistance from a cybersecurity professional services provider that already has been through the CBEST journey and that has also helped others do the same.

Operating and succeeding in this digitally connected online world requires much due diligence, and the tone needs to be set from the top of the organization. This requires the leaders of financial services companies to appraise enterprise cyberrisk collectively, not in silos. It’s easy to lose perspective on how to best reduce exposure and what to focus on when managing cyberrisk – especially because it affects multiple stakeholders, from the CISO to the risk manager, the board, IT, the C-suite, and even HR and communications. The enterprisewide nature of the risk means that the organization collectively – and, most importantly, the CISO and the risk manager – must make decisions jointly to optimize their strategies.

Achieving cyberresilience is far from a one-time exercise: financial institutions must identify and shore up vulnerabilities across a diverse operating ecosystem, and develop strategic and practiced response plans in case an attacker succeeds. Recovering from a breach is just as critical as being prepared to respond to one. It is imperative that financial companies conduct thorough assessments now, to quantify the intangible damages that will occur in the context of a breach and enhance board-level understanding. There’s a serious disconnect today in risk management: organizations are not adequately budgeting for cybercrime losses or quantifying the financial value of these risks in order to deploy capital to strengthen resilience and purchase insurance. This is easier said than done. In fact, almost four times more budget is spent on property-related risks than on cyberrisk, even though 46% of respondents in a recent Ponemon study reported a data breach in the last two years, with the average financial impact costing $3.6 million.

Ultimately, cyberresilience – the ability to defend against, respond to, and recover from a breach – is the end goal for financial institutions, which tend to be facing thousands of attacks every day. Although compliance is rightly prioritized in the highly regulated banking industry, being compliant should be viewed as a result of having good security practices rather than as a check-the-box exercise that is expected to guarantee security. In my experience, boards and CISOs in financial institutions are always keen to know how they measure up in compliance terms against their peers and industry benchmarks. This is understandable, but the focus should be shifted toward conducting good cyber due diligence and assessments, implementing proper detection controls, having effectively enforced third-party risk and insider risk programs, and conducting testing such as red teaming in order to simulate the organization’s response in the event of a serious attack. If such practices are implemented, these organizations can stay ahead of industry regulations, because their response to any new cybersecurity requirement is less likely to demand a dramatic overhaul of their current program.

About the Author:
Rocco Grillo is Cyber Resilience Leader and a member of the executive management team at Stroz Friedberg, an AON Company. His cyber-resilience team, which includes the company’s incident responders and security scientists who deliver the firm’s proactive and reactive cybersecurity capabilities, has successfully triaged some of the largest data breaches recorded in the last decade. Previously, Grillo led Protiviti’s Global Incident Response and Forensics Investigations, helped develop RedSiren Technologies (a leading managed security service provider and full services security firm that evolved out of Carnegie Mellon), and held management positions with Lucent Technologies and Bell Atlantic. He is a CISSP, CRMA, PCI-QSA, and a Certified Third Party Risk Assessor. He is an affiliate board adviser for FS-ISAC and NH-ISAC, a member of the Shared Assessments Program Steering Committee board and the CLM Cyber Liability Council, and has also served on the board of directors of the New York Metro ISSA Chapter, the IT Policy Compliance Group, and the (i-4) International Information Integrity Institute Research Steering Committee.