Member Article

Cyber-risk is a witch’s brew of reputational, operational, legal and financial dangers. This toxic combination exposes a financial institution to a potentially existential hazard when an intrusion occurs. The only way to mitigate (because an intrusion cannot be prevented) is proper planning. To quote Benjamin Franklin, “If you fail to plan, then you are planning to fail.” Cyberattacks are not only increasing in sophistication, but are increasingly focusing on smaller financial institutions. It is a statistical certainty that one’s financial institution will face a cyberintrusion, but it is likewise a certainty that its effect will correspond directly to the amount of planning and preparation by the board and management. It is incumbent on the board to address cybersecurity proactively and to plan for the eventual cyberattack, in whatever form it may come.A board cannot merely rely on management or those employed by the institution to manage informational technology; it must be involved. As SEC Commissioner Luis A. Aguilar said last year, “Put simply, boards that lack an adequate understanding of cyber-risks are unlikely to be able to effectively oversee cyber-risk management.” To take it to the logical next step, if a board fails to properly oversee cyber-risk, then it not only puts the organization at risk, but also potentially makes itself liable.It is through education that a board can begin the process of mitigating cyber-risks. I liken it to when I go to the mechanic, because I know little about cars. My mechanic can tell me something needs to be done to my car and (unfortunately) I just have to accept it (and just pull out my wallet). I must rely on his reputation and honesty (and mercy). Likewise, if a board member or other executive management member does not understand or appreciate cyberthreats, then that person cannot adequately assess any plans, the institution’s capabilities, the sufficiency of the resources being expended to protect the institution, or the capabilities of the people protecting the institution. The uneducated board members must resort to blind faith, which is never the best plan. As President Reagan said, “Trust but verify.”Like the flu, cyberthreats evolve or mutate from year to year (albeit somehow the Nigerian Royalty scam continues to take millions each year from unwitting victims). When financial institutions strengthen one set of vulnerabilities, hackers find or develop another. It is essentially a game of “whack a mole” played for the highest of stakes. Regardless of the seemingly hopeless character of the cyber struggle, it can still be “won” provided one appreciates what a “win” is. One should not reasonably expect to never have an intrusion. There is no way to be 100 percent cyber-secure unless an institution is willing to disconnect itself completely from the internet.

Therefore, a “win” cannot be thought of as successfully preventing all cyberintrusions, but instead as proactively minimizing risks to the institution, its customers and its employees when the intrusion occurs. Cyber-risks (and the eventual intrusions) are an inherent part of doing business for today’s financial institutions.Contrary to popular misconception, the typical hacker is no longer the lone teenager spending all his time in his bedroom hyped up on Red Bull and working magic on his computer. Hacking has moved mainstream. In fact, in many parts of the world, hacking has become a reputable business, with hackers being respected and influential members of the community. The one clear thing is that hackers are a diverse group with different motivations, capabilities and means. Like all solid educations, it is essential to begin with the basics of who, why and how. So, let’s take a look.Who are the hackers?

• Organized crime
• Hacktivists
• Insiders
• Nation States

What motivates the hackers of 2015?

• Espionage
• Fraud
• Disruption
• Destruction
• Social or political message (Hacktivists)
• Undermining reputation or overall confidence (Hacktivists and Insiders)
• Building reputation/recruiting (Hacktivists)
• War

What are their strengths?

• Technical expertise
• International reach
• Anonymity
• Financial sponsors
• Weak legal reach

What are the threats?

• Malicious software, or malware, which includes viruses, ransomware (which is becoming more prevalent), worms, trojans, spyware, botnets, logic bombs, phishing and spear phishing.
• Distributed Denial of Service (“DDoS”) – A DDoS attack is when a hacker utilizes hijacked computers (usually via malware) from many disparate locations to send simultaneous requests to a target. The purpose is to cause a shutdown of the site.
• Automated Clearinghouse (“ACH”)/payment account takeover – A type of identity theft in which hackers gain control of a business account by stealing its online business credentials. [If you want to learn more about this, please read my partner, Scott Adams’s article in last quarter’s CBE and join him for a webinar on this topic on October 22.]
• Data leakage – Unauthorized transmission of information to someone outside the company.
• Third party/cloud or vendor risks – The risks inherent in having vendor relationships. Albeit the institution may not have direct control over the risks, those risks may be mitigated by proper due diligence and monitoring of the vendors.
• Mobile/web application vulnerabilities – Weaknesses in mobile applications or internet-facing web server. Hackers use tools to gain control of the consumer’s mobile platform to gather information or control the payment web server.
• Weakness in project management or change management – These weaknesses undermine the institution’s procedures and policies, delay vulnerability discovery and mitigation, and expose systems and sensitive data to intruders. In other words, an institution can have the best plan in the world, and it will not matter, if it does not have the right people and talent in charge of the plan’s implementation.

What is the impact to an institution?

• Lost financial assets
• Reputational damage, loss of trust or brand confidence by customers and shareholders
• Business disruption
• Stolen intellectual property
• Stolen customer information
• Legal and regulatory attention

Fortunately, no one is alone in the struggle against hackers and cyberintrusions. The FFIEC has taken steps to help educate boards and management. For example, in June 2015, the FFIEC released its Cybersecurity Assessment Tool (the “Assessment”). It is meant to assist boards and executive management in identifying the institution’s inherent risks and determining its cybersecurity preparedness. After using it, it will be easier to gage the institution’s level of preparedness. (Importantly, it is expected that the Assessment will be incorporated into future regulatory examinations in 2016.)The Assessment is divided into two principal parts: Inherent Risk Profile and Cybersecurity Maturity. The “Inherent Risk Profile” examines an institution’s inherent cybersecurity risk, such as technologies and connection types, delivery channels, online/mobile products and technology services, organization characteristics, and external threats. It does not include any mitigating controls, but incorporates the type, volume, and complexity of the institution’s operations and threats directed against it. The second part is “Cybersecurity Maturity.” It examines five domains, namely cyber-risks and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyberincident management and resilience. These domains are graded on a five-point scale ranging from Baseline (the lowest level) to Innovative (Steve Jobs reincarnate). Each domain includes assessment factors and contributing components that must be satisfied prior to its being able to move up a maturity grade. Management analyzes the two parts in tandem to discern the optimal level of alignment between the Inherent Risk Profile and its Cybersecurity Maturity for the institution (and where it presently is on the scale). In theory, as inherent risks rise, an institution’s maturity level should increase. As such, the Assessment should be done at least periodically (or earlier if material changes are being considered to services, products or vendor relationships) to ensure there are sufficient risk mitigation and controls in place. Over time, it will allow the executive officers, directors and examiners to measure the institution’s progress or worse, its ongoing failure to prepare. In today’s world, there is little certainty in business, except that financial institutions of all sizes will be a target and a victim of a cyberattack. It is only through diligent education, preparation, and planning (including incorporating controls as described in my colleague, Brienne Marco’s article) that an institution can minimize the intrusion’s impact to its reputation and operations and mitigate the liability from the equally inevitable lawsuit. If you have any questions about this topic, please contact us.