An Overview of Cybersecurity for Financial Institutions: Looking Back and Planning Ahead

Cyber risk, the probability of loss and/or harm to an entity based on technological and data exposures, is much higher in the financial industry as compared to others, to the extent?that even bank ratings can be greatly impacted . This certainly isn’t surprising given the nature of the data this sector manages every day.

While we always hear about the big cyberattacks, such as?Accenture ,?CNA Financial ,?CapitalOne ,?Colonial Pipeline ,?SolarWinds , and?Equifax , we don’t hear about the smaller financial organizations that are impacted daily by ransomware, business email compromises, unauthorized access, etc. Some of these attacks, which place control of systems and sensitive data into the hands of criminal enterprises, leave these small businesses in shambles due to the loss of productivity, brand damage, and soaring costs related to a cyber incident. Keep in mind that data obtained during a cyber incident can also be reused in later attacks, perpetuating a vicious lifecycle of damage to the digital assets of organizations and consumers alike.??

This is why financial organizations of all sizes must adequately address their information technology and cybersecurity policies and controls to mitigate these risks in an effort to maintain consumer and investor trust. Once you know your risks, you can pinpoint specific actions to take to decrease the likelihood of an unwanted event or outcome.

Cyber Liability Insurance Market Updates and Considerations for Financial Institutions

As ransomware demands and associated insurance claims rise, the cyber insurance industry is combining their expertise by joining an alliance known as?CyberAcuView ,?which brings together some of the biggest cyber insurance underwriters to help risk mitigation efforts by compiling and analyzing data related to cyber claims. This is a much-needed initiative to better understand how to protect against losses and manage cyber-related claims. Many cyber insurance carriers now require policyholders to enable multi-factor authentication, implement endpoint detection and response solutions, and block all external access via remote desktop protocol (RDP). Failure to comply with these requirements can result in the inability to acquire insurance or renew coverage. Providing inaccurate information can also lead to issues when a claim arises given policies are issued based on the information supplied in the application. Financial institutions should review their cyber insurance policy to understand their policy limits, retention, co-insurance and responsibilities to ensure they are adequately covered in the event of a cyber incident.

Not all cyber incidents end in ransomware, but they can still be costly for a number of reasons, which is why understanding your coverage is key. An?analysis ?conducted by NetDiligence, an organization specializing in cyber risk readiness and responsive services, identified that ransomware was the number one cause of loss for SMEs ($90M average revenue). The study suggests that the average ransom demand jumped from $36K to $175K, while the average cost of a ransomware incident as a whole went from $150K to $275K. Additionally, the average incident cost for large companies ($8B average revenue) was $9.1M across all types of incidents. (These findings are based on?3,547 claims arising from events that occurred during 2015–2019.) These numbers continue to rise, forcing insurers to reassess their approach to measuring risks, issuing pricing, and enforcing controls upon their clients to help mitigate the potential of a cyber incident.

Data Breach Laws & Regulations

While many states currently have their own privacy and data breach notification laws in place, lawmakers are advancing the ball to bring federal requirements to the table due to the increasing number of cyber-related attacks across all sectors. Case law related to data breaches is constantly emerging and teaches us about the minefield of legal exposure in this area, which is why specialized counsel is crucial in the event of a cyber incident (often referred to as a?data breach coach ). The?CapitalOne issue ?is a great example of how attorney-client privilege can be easily lost due to how incident responders are contractually engaged, as well as the oversharing of the forensic findings report.

The?New York Department of Financial Services (NYDFS) ?is actively enforcing their cybersecurity regulations by issuing steep fines to financial institutions that fail to comply with their prescribed requirements. While business email compromises are sadly an everyday occurrence, they can be mitigated with proper implementation and management of security controls. Yet somehow, these types of cyber incidents continue to happen, which is why state and federal agencies are becoming more stringent in their response to cyber incidents.

An example of this is a mortgage company that failed to disclose a business email compromise, which resulted in a?$1.5 million penalty . Another case identified a life insurance company’s failure to implement multi-factor authentication, which ultimately led to successful malicious email phishing attacks compromising several email mailboxes containing sensitive information;?the insurance company was fined $1.8 million ?for their non-compliance and the consequential outcome.

More recently, the Securities and Exchange Commission?fined multiple firms ?due to lax cybersecurity policies and controls, which resulted in numerous email account takeovers exposing thousands of consumers personally identifiable information (PII) records. And then, there’s the?first ever sanction of its kind by the U.S. Department of the Treasury ?where a cryptocurrency exchange (Suex) was fined for facilitating illicit payments in conjunction with at least eight ransomware variants.

These actions by the federal government are indicative of the continued fight against ransomware and other cyber-related attacks. It’s easy to see that these fines will continue to mount until organizations of all sizes take security seriously. Some states have introduced safe harbor legislation to promote the adoption of industry-recognized cybersecurity frameworks to help protect a compliant business from certain legal claims within said state in the event of a cyberattack. If followed (as outlined by the specific state law), these?breach litigation safe harbors ?can create an affirmative defense when dealing with the legal aftermath of an attack. 2022 will be an interesting year as we continue to watch things unfold as it relates to cyber and privacy law.

Advancements in Proactive Research and Knowledge Sharing

The financial industry is strategically fighting back by investing in open-source intelligence which provides insight into an organization’s footprint on the web. Georgia State University’s?Evidence Based Cybersecurity Research (EBCS) Group ?goes a step further to truly understand how online criminals operate and how organizations can get ahead of future threats based on identified trends.?The Federal Reserve Bank of Atlanta? recently?partnered? with EBCS to monitor online criminal markets for payments-related activity to document trends, identify new types of fraud, and support a better understanding of crimes surrounding new payment types. Through this partnership, the FRB of Atlanta is taking proactive measures in the prevention of cyber threats and online payment fraud.

Professionals in the financial sector have most likely heard of or are a member of?The Financial Services Information Sharing and Analysis Center (FS-ISAC) , which is the only global cyber intelligence sharing community solely focused on financial services. Members receive a myriad of benefits surrounding sector-specific cybersecurity insights, guidance, alerts, tools, and access to a network of experts to prepare for and mitigate threats.

Planning Ahead to Aid in the Prevention of Cyberattacks

Most (not all) cyber-related incidents can be avoided through proper planning and by having the right resources and controls in place. Preparation is what makes all the difference, which entails outlining your risks, performing a cost-benefit analysis, implementing safeguards to aid in prevention, and knowing who to bring in AND when in the event of a cyber incident. After a cyber incident has occurred, time is of the essence to lessen the overall damage.

While?defense-in-depth ?is key to any well-rounded cybersecurity program, it all starts with having the right approach in place focused on people, process, and technology – in that order. Some companies get ahead of themselves and throw money at technology without having the right people and processes in place to properly implement and manage these tools. This method never works, as technology alone cannot get the job done.

People?– There are multiple ways to touch on the “people” aspect of this approach, many of which vary on the industry and size of the organization. Organizations at the very least should have the right people in place (and enough of them) to perform the work necessary, whether internally or outsourced.

• Executives and board members are expected to make cybersecurity a priority and discuss it on a regular basis to ensure the business has the information and resources it needs to address cyber threats.
• The business should have cyber liability coverage in place with oversight by an executive or manager who understands the policy requirements and limits, and how/when to invoke the policy.
• Risk management personnel should know how to measure risk appropriately to ensure that business operations and financial success align with the Organization’s risk appetite.
• IT teams should be knowledgeable about how to implement and maintain proper IT and security controls.
• Cybersecurity professionals should help build out security programs and applications, assess the controls in place through security audits, and investigate threats.
• Employees should receive regular and meaningful security awareness training, so they are prepared for the threats they may encounter and how to report and respond to them.
• Outside counsel specialized in privacy and cybersecurity (a.k.a. data breach coaches) and digital forensics and incident response firms should be vetted and ready to respond, when needed. Some cyber insurance carriers utilize a panel of approved legal and incident response providers they bring in at the onset of a claim, whereas others allow insureds to form relationships and select the vendors of their choosing. Another reason why you should understand how your policy works.

Process?– Once you know who the people are and the parts they play, you need to define the why, how, and when they do it.

• Some industries are required to follow certain types of regulatory compliance frameworks (i.e., HIPAA, FISMA, CMMC in the near future, etc.), while others may undergo an elective security audit and certification process (i.e., SOC2, ISO27001, etc.) due to client requirements. Whatever the case may be, the organization should know the compliance framework(s) they are subject to or intend to follow and implement policies and procedures to ensure strict adherence by all involved.
• Organizations need metrics to measure success. Define expectations and processes and audit them regularly to identify strengths and weaknesses. This includes testing your incident response plan at least annually.
• The IT team should define a cadence for identifying vulnerabilities and applying security patches based on the criticality and risk of exploitation. This ensures the riskiest vulnerabilities are addressed first during patching.
• Define how often assessments are done, such as risk assessments, penetration testing, firewall configuration reviews, cloud control reviews, and so on. Having scheduled assessments in place aids in repetition to ensure continuous evaluation and remediation of risks. Scoping of these assessments should be thoroughly considered to make the most impact.
• Cybercriminals can strike anytime, but we are now beginning to see a trend that attacks occur during the holidays and weekend, as outlined by CISA in a recent?statement . Having the right processes (and people) in place can help mitigate the risks during these times.

Technology?– People define processes and use technology to meet their needs. People should vet and compare technological solutions to align with expectations.

Identify and implement (in no particular order):

• Antivirus and endpoint detection and response solutions
• Vulnerability scanners (network + agent-based) and patching deployment software
• Asset management tools
• Multi-factor authentication wherever possible
• external network monitoring
• Disable legacy authentication
• SIEM solutions
• Network segmentation
• Ransomware resilient backups controls
• Remote access software/VPN with MFA
• Device controls
• Password vaulting solutions
• IAM, PIM, PAM solutions
• Encryption (at rest and in transit)
• Sensitive data scanning solutions and DLP
• Geographical controls
• DMARC, SPF, and DKIM
• Honeypots/canary tokens

The above is a non-exhaustive Iist but should give readers an idea of things to consider when layering in the components of a good cybersecurity program.

There’s no doubt that the financial sector is a high-value target, which is why organizations in this industry must be diligent in their efforts to protect their data and systems. Security is no longer a choice; it is a business expense and a necessity to operate in this digital age where everything and everyone is connected online.