The views and opinions expressed in this article are those of the thought leader and not those of CeFPro.
By Phil Masquelette, Senior Vice President/CRO & CISO, Ulster Savings Bank
What advice would you give when creating an innovation process to defend against cyber-attacks?
A brief description of measures your organization might take to protect against a cyberattack, from both a technical and a non-technical perspective, follows. Given the nature of the cyber threat landscape, a financial institution must be ever-vigilant to protect its systems, networks, and data from cyber assaults by a myriad of threat actors, including hackers, whether state-sponsored, cybercriminals, insiders, or otherwise. Mitigants such as data backups, controls, anti-malware, disaster recovery planning, training to increase awareness, incident response planning, risk assessments, audits, exams, and retention of third-party vendors to provide tabletop exercises and other practice drills are all in play.
Beyond that, on a purely non-technical level, for those not working remotely, employees should wear identification badges in office locations and stop to ask unaccompanied strangers if they need assistance. Vendor representatives, such as auditors, outside counsel, and other consultants, are to be provided visitor badges when they arrive at the reception area, and this approach applies to bank examiners as well; they are to be accompanied to scheduled conferences within the premises. Tailgating into restricted areas should not be allowed. The potential threat is that information may be accessed to cause harm to customers, colleagues, and the community, whether through compromise of data, disruption of business function, and/or monetary or physical damage.
Resources, both internal and external, can be put in place to perform whatever is necessary when (not if) a cyberattack has occurred within the company. There will, of course, be pressure to return to normal operations as quickly and efficiently as possible, yet not before complete forensics and the appropriate patching have been carried out.
Why is it important to review state cyber security regulation?
The question is to determine whether the breached data was non-public, such as social security numbers or account information, and if so, to document the breach and notify the affected customers, as well as the New York State Department of Financial Services (“NYSDFS”), pursuant to 23 NYCRR 500, if it applies to your organization. There is a 72-hour notification requirement specifically to NYSDFS, along with notice to other regulatory and enforcement authorities, the FDIC, the FBI, and local law enforcement agencies.
Regardless of whether an incident has taken place, if NYSDFS is (or is one of) your regulators, seriously consider addressing the following, to the extent applicable, through an annual reporting certification to NYSDFS:
(1) The confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems;
(2) The Covered Entity’s cybersecurity policies and procedures;
(3) Material cybersecurity risks to the Covered Entity;
(4) Overall effectiveness of the Covered Entity’s cybersecurity program; and
(5) Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.
What approaches can be taken to align risk and cyber security teams?
Proactively, testing of the Business Continuity Plan should meet the objectives of the Federal Financial Institutions Examination Council (FFIEC). According to the most recent FFIEC booklet, these objectives begin, first and foremost, with not disrupting the business during the test period. Complexity increases with the number of participants, functions, and bank branches involved.
Management will be called upon to respond to, and to show competence in handling, a number of different scenarios, with the intended outcome of discerning vulnerabilities. Tests can be varied, and different types of transactions can be utilized. Test dates should be documented, results summarized in writing, and material omissions highlighted, with problems emphasized so that process, procedural, and policy improvements can take place. If the test results fail to meet expectations, management will be assigned action plans to close any gaps encountered, with follow-up test work to ensure compliance going forward.
Reactively, the responsibilities of risk and cyber security teams are ever-changing, dependent upon circumstances. Examples of responsibilities are defining what has happened and where data has been breached, in order to ascertain what customer information has been illegally or inadvertently obtained. The next question is to determine whether the data was non-public, such as social security numbers or account information, and if so, to document the breach and notify the affected customers, regulators, and law enforcement as well.
How do you foresee cyber resilience evolving over the coming twelve months?
Risk and regulations within the industry will become stricter over the next 6-12 months, which would transcend the political climate. Culturally, there is more of a demand for information security and physical security. This increased need for safety and security is a major issue.
When an incident occurs the same post-event analysis, which is called for now, will be applicable twelve months from now:
1. What are the lessons learned?
2. What happened, when did it happen, and did it happen once or more than once?
3. Was everything done that needed to be done to cure the incident?
4. Were the policies, procedures, and processes of any use, and if not, what was wrong?
5. Was this done in a timely manner, and if not, what happened?
6. What could have been done differently, or in a more efficient or effective way?
7. Next time, if there is one (and there will be), what is a better approach?
8. What got in the way, and how?
9. What additional or other mitigants would prevent or lessen the impact next time?
10. Are the right people in the right roles?
Program needs include preparation for analysis and identification, collection of audit trails and evidence, communication channels, corrective action and recovery, and proactive procedures to ensure that systems respond appropriately going forward. Readiness is key.