With JPMorgan Chase’s early-October announcement of a data breach affecting more than 80 million customers being just the latest example, cybersecurity has jumped well up the list of issues most likely to keep bank executives awake at night.
For banks, it’s yet another risk that must be addressed on an enterprise basis as the threat of cybercrime raises not only operational and regulatory risks but significant reputational risk exposure, as well.
Successfully addressing cyberrisk is not simply a matter of finding a technological fix but also involves people and processes.
Attacks on banks come from a variety of sources, including organized crime, unfriendly nation states and so-called hacktivists out to make political statements by disrupting business. And, as the costs of technology continue to decrease, the barriers to entry into the world of cybercrime get ever lower while the Internet creates a target-rich environment for cybercriminals.
Indeed, as banks’ technology strategies have shifted in recent years to focus increasingly on customer service and convenience, the institutions have also increased their cybersecurity exposure. At the same time, as banks have become more and more technologically interconnected with vendors and other third parties, these extended data supply chains have widened their exposure to cybercrime: an attacker who compromises a connected third party may not need to breach the bank’s own perimeter at all.
A 2014 report, prepared by the New York Department of Financial Services, examined the state of cybersecurity in the banking sector. The report, based on the department’s 2013 survey of 154 New York depository institutions, found that most institutions, regardless of size, reported breaches or attempted breaches of their IT systems over the past three years.
While the methods used in the intrusions or attempts varied, including such techniques as malicious software, phishing, pharming and botnets or zombies, the New York survey found that the larger the institution, the more likely it was to be the target of malware and phishing attacks. The report acknowledged, however, that it’s unclear whether the discrepancies between the figures reported by institutions of various sizes reflected a true difference in experience or simply that larger financial institutions are better able to identify intrusions into their IT systems.
In remarks in April, U.S. Comptroller of the Currency Thomas J. Curry addressed differences in cybersecurity preparations between large banks and their smaller counterparts, noting that as large banks improve their cyberdefenses, hackers may increasingly turn their attentions to community banks as a point of entry into the larger banking network.
In addition to the intrusion methods widely reported by depository institutions in the New York survey, large financial institutions also reported cases of mobile banking exploitation, ATM skimming and point-of-sale schemes, and insider access breaches.
According to the New York report, the majority of financial institutions surveyed have a documented information security strategy in place for the next one to three years, though such a strategy was more commonplace at larger institutions. The survey found that while more than 90% of large institutions and 82% of midsize institutions had a documented information security strategy, such a strategy was in place at only 62% of small financial institutions.
Banks must constantly prepare for potential attacks and regularly test those preparations. Further, in findings from its 2014 Cybersecurity Assessment pilot examination work program, the Federal Financial Institutions Examination Council (FFIEC) noted that financial institutions’ dependence on information technology, the industry’s interconnectedness, and the rapid growth and evolution of cyberthreats demand the attention of institutions’ boards and senior management.
Exposures stemming from third-party and vendor relationships must be addressed. The extended “data supply chain” created by such relationships is a common path for hackers to gain access to banks’ information technology systems. In addition to establishing risk management practices related to those third-party arrangements, banks also need to consider the vendors’ risk management practices and controls.
Banks must look for warning signals and identify potential vulnerabilities across the entire business “ecosystem” as they assess cyberrisks arising from third-party and vendor relationships.
There are various resources available to banks looking to assess and manage cyberrisk exposures, including the FBI’s InfraGard, the U.S. Computer Emergency Readiness Team, the U.S. Secret Service Electronic Crimes Task Force, and the National Institute of Standards and Technology.
Banks’ boards and senior management’s attention to cyberrisk should include an understanding of the institution’s inherent cybersecurity risks, according to the FFIEC, as well as routine discussions of cybersecurity issues, regular monitoring and awareness of threats and vulnerabilities, the creation and maintenance of a dynamic control environment, the management of third-party connections, and the development and testing of business continuity and disaster recovery plans incorporating cyberincident scenarios.
For banks, the cybersecurity task is an ongoing one, as cybersecurity arrangements must constantly evolve with the changing nature of the threat. Here there’s work to be done, the New York report suggests: Only 49% of institutions surveyed reported their information security strategies adequately address new and emerging cyberrisk exposures, while 31% said their strategies needed to be modified to address emerging risks and 22% said further investigation was needed to understand those new exposures.