BreachExchange mailing list archives

Cyber-Risks 2015 – A Board Primer


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Oct 2015 13:24:13 -0600

http://www.jdsupra.com/legalnews/cyber-risks-2015-a-board-primer-13169/


Cyber-risk is a witch’s brew of reputational, operational, legal and
financial dangers. This toxic combination exposes a financial institution
to a potentially existential hazard when an intrusion occurs. The only way
to mitigate it (an intrusion cannot be prevented outright) is proper
planning. To quote Benjamin Franklin, “If you fail to plan, then you are
planning to fail.”

Cyberattacks are not only increasing in sophistication, but are
increasingly focusing on smaller financial institutions. It is a
statistical certainty that one’s financial institution will face a
cyberintrusion, but it is likewise a certainty that how severe its effect
is will depend directly on how much planning and preparation the board
and management have done. It is incumbent on the board to address
cybersecurity proactively and to plan for the eventual cyberattack, in
whatever form it may come.

A board cannot merely rely on management or those employed by the
institution to manage information technology; it must be involved. As SEC
Commissioner Luis A. Aguilar said last year, “Put simply, boards that lack
an adequate understanding of cyber-risks are unlikely to be able to
effectively oversee cyber-risk management.” To take it to the logical next
step, if a board fails to properly oversee cyber-risk, then it not only
puts the organization at risk, but also potentially makes itself liable.

It is through education that a board can begin the process of mitigating
cyber-risks. I liken it to when I go to the mechanic, because I know little
about cars. My mechanic can tell me something needs to be done to my car
and (unfortunately) I just have to accept it (and just pull out my wallet).
I must rely on his reputation and honesty (and mercy). Likewise, if a board
member or other executive management member does not understand or
appreciate cyberthreats, then that person cannot adequately assess any
plans, the institution’s capabilities, the sufficiency of the resources
being expended to protect the institution, or the capabilities of the
people protecting the institution. The uneducated board members must resort
to blind faith, which is never the best plan. As President Reagan said,
“Trust but verify.”

Like the flu, cyberthreats evolve or mutate from year to year (albeit
somehow the Nigerian Royalty scam continues to take millions each year from
unwitting victims). When financial institutions close one set of
vulnerabilities, hackers find or develop another. It is essentially a game
of “whack-a-mole” played for the highest of stakes.

Regardless of the seemingly hopeless character of the cyber struggle, it
can still be “won” provided one appreciates what a “win” is. One should not
reasonably expect to never have an intrusion. There is no way to be 100
percent cyber-secure unless an institution is willing to disconnect itself
completely from the internet. Therefore, a “win” cannot be thought of as
successfully preventing all cyberintrusions, but instead as proactively
minimizing risks to the institution, its customers and its employees when
the intrusion occurs. Cyber-risks (and the eventual intrusions) are an
inherent part of doing business for today’s financial institutions.

Contrary to popular misconception, the typical hacker is no longer the lone
teenager spending all his time in his bedroom hyped up on Red Bull and
working magic on his computer. Hacking has moved mainstream. In fact, in
many parts of the world, hacking has become a reputable business, with
hackers being respected and influential members of the community. The one
clear thing is that hackers are a diverse group with different motivations,
capabilities and means.

As with any solid education, it is essential to begin with the basics of
who, why and how. So, let’s take a look.

Who are the hackers?

- Organized crime
- Hacktivists
- Insiders
- Nation States

What motivates the hackers of 2015?

- Espionage
- Fraud
- Disruption
- Destruction
- Social or political message (Hacktivists)
- Undermining reputation or overall confidence (Hacktivists and Insiders)
- Building reputation/recruiting (Hacktivists)
- War

What are their strengths?

- Technical expertise
- International reach
- Anonymity
- Financial sponsors
- Weak legal reach (law enforcement often cannot touch them across
jurisdictions)

What are the threats?

- Malicious software, or malware, which includes viruses, ransomware (which
is becoming more prevalent), worms, trojans, spyware, botnets and logic
bombs, together with the phishing and spear-phishing e-mails that most
often deliver it.
- Distributed Denial of Service (“DDoS”) – A DDoS attack is when a hacker
uses hijacked computers (usually infected with malware) in many disparate
locations to flood a target with simultaneous requests. The purpose is to
exhaust the target’s bandwidth or capacity so that the site is unavailable
to legitimate customers.
- Automated Clearinghouse (“ACH”)/payment account takeover – A type of
identity theft in which hackers gain control of a business account by
stealing its online banking credentials and then originate fraudulent
payments from it. [If you want to learn more about this, please read my
partner, Scott Adams’s article in last quarter’s CBE and join him for a
webinar on this topic on October 22.]
- Data leakage – Unauthorized transmission of information to someone
outside the company.
- Third party/cloud or vendor risks – The risks inherent in having vendor
relationships. Although the institution may not have direct control over
those risks, they may be mitigated by proper due diligence and ongoing
monitoring of the vendors.
- Mobile/web application vulnerabilities – Weaknesses in mobile
applications or internet-facing web servers. Hackers exploit them to
compromise the customer’s mobile device and harvest information, or to
take control of the payment web server itself.
- Weakness in project management or change management – These weaknesses
undermine the institution’s procedures and policies, delay vulnerability
discovery and mitigation, and expose systems and sensitive data to
intruders. In other words, an institution can have the best plan in the
world, and it will not matter if it does not have the right people and
talent in charge of the plan’s implementation.

What is the impact to an institution?

- Lost financial assets
- Reputational damage, loss of trust or brand confidence by customers and
shareholders
- Business disruption
- Stolen intellectual property
- Stolen customer information
- Legal and regulatory attention

Fortunately, no one is alone in the struggle against hackers and
cyberintrusions. The FFIEC has taken steps to help educate boards and
management. For example, in June 2015, the FFIEC released its Cybersecurity
Assessment Tool (the “Assessment”). It is meant to assist boards and
executive management in identifying the institution’s inherent risks and
determining its cybersecurity preparedness. Once it has been completed, it
is easier to gauge the institution’s level of preparedness. (Importantly,
it is expected that the Assessment will be incorporated into regulatory
examinations beginning in 2016.)

The Assessment is divided into two principal parts: Inherent Risk Profile
and Cybersecurity Maturity. The “Inherent Risk Profile” examines an
institution’s inherent cybersecurity risk, such as technologies and
connection types, delivery channels, online/mobile products and technology
services, organizational characteristics, and external threats. It does not
take any mitigating controls into account, but incorporates the type,
volume, and complexity of the institution’s operations and the threats
directed against it. The second part is “Cybersecurity Maturity.” It
examines five domains, namely cyber-risk management and oversight, threat
intelligence and collaboration, cybersecurity controls, external dependency
management, and cyberincident management and resilience. Each domain is
graded on a five-level scale: Baseline (the lowest level), Evolving,
Intermediate, Advanced and Innovative (Steve Jobs reincarnate). Each domain
includes assessment factors and contributing components, and all of the
declarative statements at one maturity level must be satisfied before the
institution can claim the next level up.

Management analyzes the two parts in tandem to discern the optimal level of
alignment between the Inherent Risk Profile and its Cybersecurity Maturity
for the institution (and where it presently is on the scale). In theory, as
inherent risks rise, an institution’s maturity level should increase. As
such, the Assessment should be done at least periodically (or earlier if
material changes are being considered to services, products or vendor
relationships) to ensure there are sufficient risk mitigation and controls
in place. Over time, it will allow the executive officers, directors and
examiners to measure the institution’s progress or worse, its ongoing
failure to prepare.

In today’s world, there is little certainty in business, except that
financial institutions of all sizes will be a target and a victim of a
cyberattack. It is only through diligent education, preparation, and
planning (including incorporating controls as described in my colleague,
Brienne Marco’s article) that an institution can minimize the intrusion’s
impact to its reputation and operations and mitigate the liability from the
equally inevitable lawsuit.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 