Use Cybersecurity Risk Assessments to Protect Your Organization
Imagine a time when your institution or organization is under constant attack—all day, every day—from criminals. They attempt to scramble through doors and windows just like the bank robbers in those old black and white film shorts. They attempt to fool or exploit your employees just like Frank Abagnale, the con man of Catch Me If You Can fame.
But unlike the bank robbers or con men of the past, they do it all without a single gun and typically without ever personally entering your business. Their weapon of choice is malware, and instead of a Richard Nixon mask, they use the cloak of invisibility that cyberspace affords them. Well, that imaginary time is now, and it’s actually very real. Your company may not be as big as JPMorgan Chase, Sony, or Target, but make no mistake, cybercriminals are not discriminatory. They are, however, patient and persistent with a preference for easy targets. So, you must honestly assess whether your organization is an easy target. And you need to do it now.
Cybercrime Comes Out of the Shadows
“Good News! A major hack you don’t have to worry about!” That’s how an article about the February billion-dollar bank hack began, before quickly turning dire. “Unless that is, you happen to be an executive or security employee at one of the hundreds of banks targeted by the group that’s come to be known as Carbanak or Anunak. If you are, then you have a problem, because these hackers, and no doubt others to come, aren’t targeting banking consumers but the very internals of banks, silently monitoring their systems and subtly defrauding them.”[i]
That heist, on the heels of the Sony hack, reveals just how brazen cybercriminals have become. No longer satisfied with just stealing money and identities from consumers, they have upped the ante to skimming corporate coffers and damaging brand reputations. The only good news about this feverish escalation of hacks is that it is pulling cybercrime out of the shadows and into the public consciousness, where the more we know, the more we can defend and protect.
The Government Responds to this Unchecked Audacity
The United States government is becoming as concerned about the proliferation of cybercrime and cyberterrorism as it is about the proliferation of weapons of mass destruction, and rightly so. Hacks into our critical infrastructure, financial system and businesses have the potential to do significant damage. From the executive office on down, the government is pushing back on cybercrime in multiple ways.
The White House Leads the Charge: As one of the first administrations to face cybercrime as such a significant threat, the president continues to promote consumer and corporate awareness of the issue through proposed legislation and public forums. The FACT SHEET from a recent White House-sponsored cybersecurity summit sums up the government’s concern. “Despite improvements in network defense, cyber threats are evolving faster than the defenses that counter them.”[ii]
Federal Regulatory Agencies Step Up Their Efforts: The Federal Financial Institutions Examination Council (FFIEC) is leading the charge among federal financial regulatory agencies. The multi-member agency’s Cybersecurity and Critical Infrastructure Working Group, which is charged with improving industry preparedness, has spearheaded general recommendations and specific guidance related to cybersecurity.
- General Recommendations from the FFIEC Cybersecurity Assessment: After examining 500 community institutions as part of a cybersecurity examination pilot last summer, the FFIEC observed that “the level of cybersecurity inherent risk varies significantly across financial institutions,” and that “it is important for management to understand the financial institution’s inherent risk to cybersecurity threats and vulnerabilities when assessing cybersecurity preparedness.”[iii] The report listed five key areas where institutions must be more proactive:
  - More robust risk management and routine supervision from senior leadership
  - Threat intelligence gathered from and shared with multiple sources in collaboration
  - Implementation of cybersecurity controls that prevent, detect and correct
  - Greater command of external dependency management
  - More resilience in managing cyber incidents
- Specific Guidance in Updated FFIEC Business Continuity Planning (BCP) Booklet: In February, the FFIEC introduced Appendix J to its BCP Booklet, which requires institutions and third-party service providers (TSPs) to “incorporate the potential impact of a cyber event into their BCP process and ensure appropriate resilience capabilities are in place.”[iv] The new Appendix also outlines the cyber risks to be considered under this requirement:
  - Sophisticated malware focused on data corruption and unauthorized financial transactions
  - Insider threats from disgruntled employees or moles planted by cybercriminals
  - Data or systems destruction or corruption due to a cyberattack
  - Disruption of communications capabilities and infrastructure due to a cyberattack
  - Simultaneous cyberattacks on financial institutions and their TSPs
In addition to the FFIEC, the OCC appears poised to take a stronger stance on cybersecurity, a risk it ranked among the top five in its Fall 2014 Semiannual Perspective on Risk. During a recent speech, Deputy Comptroller Beth Dugan warned that “the severity of cyber threats is escalating rapidly, and attackers are exhibiting an increasing ability to exploit vulnerabilities in commonly used infrastructure.”
She went on to say that “while the impacts on financial services firms has been relatively limited so far, as we see from experience in other industry sectors, there is a growing possibility for materially severe attacks on banks or the infrastructure on which they depend.”[v] As a result, Dugan hinted that both the FFIEC and the OCC would be doing more in the coming months to ensure industry preparedness.
State Regulatory Agencies Follow Suit: Federal regulatory agencies are not the only ones issuing recommendations about cybersecurity, and traditional financial institutions are not the only audience for them. For example, the New York Department of Financial Services (NYDFS) recently issued a report about cybersecurity preparedness in the insurance sector. As an industry that collects a significant amount of consumers’ personal information, it is a ripe target for cybercriminals.
In surveying insurance companies, however, the NYDFS found that “95% of insurers already believe that they have adequate staffing levels for information security and only 14% of CEOs receive monthly briefings on information security.”[vi] The recent data breach at one of the country’s largest medical insurers, compromising tens of millions of consumer records, seems to prove their sense of security false and certainly indicates the need for more frequent discussion in the C-suite.
For its part, the NYDFS plans to begin “integrating regular, targeted assessments of cybersecurity at its regulated insurance companies.”[vi] With this in mind, it is relatively safe to assume that other states will, at some point, follow suit.
The Number One Thing Your Business Should Do to Thwart this Threat
Sticking with the status quo is tantamount to inviting cybercriminals in, but that is exactly what far too many organizations are doing, either out of a false sense of security (as found in the NYDFS insurance survey) or due to budget constraints. So what should you do? You must gain an honest understanding of what the FFIEC calls your inherent risk, and a cybersecurity risk assessment is the tool that best facilitates this kind of analysis, no matter your business or industry type.
But Our Organization Conducts an Information Security Risk Assessment. That’s all well and good, but an information security risk assessment is much broader in scope, taking into account all possible threats. As Deputy Comptroller Dugan pointed out, “natural disasters, fires, and utility failures don’t have motivations and aren’t persistent.”[v] Because cyber threats are persistent—and, in fact, constant—and do harbor motivations, they must be viewed under their own microscope.
But We Just Conducted a Cybersecurity Risk Assessment Six Months Ago. That puts you ahead of many organizations, but while the general rule suggests you conduct risk assessments annually, there is a caveat. They should also be conducted any time material changes occur in your infrastructure, systems, or products, as well as when new information becomes available. The recent $1 billion bank hack and the insurance carrier breach qualify as that new information, which calls for revisiting your cybersecurity risk assessment.
So, What Does a Cybersecurity Risk Assessment Entail? For a cybersecurity risk assessment to be effective, it must accomplish five successive tasks:
- Identify and classify all applicable systems, accounting for all current products and services
- Calculate the inherent risks those systems pose
- Evaluate the adequacy of current control mechanisms to mitigate those inherent risks
- Determine the remaining risks so they can be addressed through appropriate controls
- Provide an accurate and timely view of your current cyber resilience to senior leadership
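The five tasks above can be carried through end to end on a small inventory. The script below is an added example, not part of the original article and not an FFIEC-prescribed method: the three-point likelihood and impact scales, the assumption that controls act as independent layers (so the risk that survives all of them is the product of what each lets through), the residual-risk tolerance of 2.0, and the four-system inventory are all constructed for illustration.

```python
"""Worked cybersecurity risk assessment over a constructed system inventory.

Added example, not from the original article. The scoring scales, the
control-effectiveness model, the tolerance and the inventory are assumptions
chosen for illustration, not an FFIEC-prescribed method.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Task 1: identify and classify systems. Each system records the products and
# services it supports, so the inventory stays tied to the current business.
@dataclass
class System:
    name: str
    services: List[str]
    likelihood: str                      # "low" | "medium" | "high" (assumed scale)
    impact: str                          # "low" | "medium" | "high" (assumed scale)
    controls: Dict[str, float] = field(default_factory=dict)  # control -> effectiveness in [0, 1]

SCALE = {"low": 1, "medium": 2, "high": 3}

# Task 2: inherent risk before any controls, scored as likelihood x impact (1..9).
def inherent_risk(system: System) -> int:
    return SCALE[system.likelihood] * SCALE[system.impact]

def risk_tier(score: float) -> str:
    """Classify a score into a tier (thresholds are assumptions)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"

# Task 3: adequacy of current controls. Controls are modelled as independent
# layers: the fraction of risk surviving all of them is the product of what
# each one lets through.
def control_effectiveness(controls: Dict[str, float]) -> float:
    surviving = 1.0
    for name, eff in controls.items():
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"control {name!r} effectiveness must be in [0, 1]")
        surviving *= 1.0 - eff
    return round(1.0 - surviving, 4)

# Task 4: remaining (residual) risk after the controls that are actually in place.
def residual_risk(system: System) -> float:
    return round(inherent_risk(system) * (1.0 - control_effectiveness(system.controls)), 2)

def assess(systems: List[System], tolerance: float) -> List[dict]:
    """Score every system and flag those whose residual risk exceeds tolerance."""
    rows = []
    for s in systems:
        inh = inherent_risk(s)
        res = residual_risk(s)
        rows.append({
            "system": s.name,
            "services": s.services,
            "inherent": inh,
            "tier": risk_tier(inh),
            "control_effectiveness": control_effectiveness(s.controls),
            "residual": res,
            "above_tolerance": res > tolerance,
        })
    # Highest remaining risk first, so the gaps needing new controls lead the report.
    rows.sort(key=lambda r: (-r["residual"], r["system"]))
    return rows

# Task 5: a concise, current view for senior leadership.
def leadership_summary(rows: List[dict], tolerance: float) -> str:
    lines = [f"Residual risk tolerance: {tolerance}"]
    for r in rows:
        flag = "ACTION NEEDED" if r["above_tolerance"] else "within tolerance"
        lines.append(f"{r['system']:<20} inherent={r['inherent']} ({r['tier']}) "
                     f"controls={r['control_effectiveness']:.0%} residual={r['residual']} {flag}")
    gaps = [r["system"] for r in rows if r["above_tolerance"]]
    lines.append(f"Systems needing additional controls: {', '.join(gaps) or 'none'}")
    return "\n".join(lines)

# Constructed inventory for a small institution (illustrative values only).
INVENTORY = [
    System("online banking", ["retail accounts", "bill pay"], "high", "high",
           {"mfa": 0.6, "web application firewall": 0.5}),
    System("wire transfer", ["commercial wires"], "high", "high",
           {"dual approval": 0.7}),
    System("core ledger", ["all deposit products"], "medium", "high",
           {"offline backups": 0.5, "intrusion detection": 0.4}),
    System("marketing website", ["public site"], "medium", "low"),
]

if __name__ == "__main__":
    print(leadership_summary(assess(INVENTORY, tolerance=2.0), tolerance=2.0))
```

Running it puts the wire transfer system at the top of the report: its inherent risk is as high as online banking’s, but a single control leaves a residual of 2.7 against a tolerance of 2.0, which is exactly the kind of gap task 4 exists to surface. Re-running the same script after a material change (a new product, a new control, or new threat information such as the bank and insurer breaches discussed above) is what keeps the leadership view current.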
Compliance is Not Security
It is estimated that millions of cyberattacks occur daily. Such regulatory agencies as the OCC know that “as the cost of technology decreases, the barriers to entry for cyber crime drop, making it easier and cheaper for criminals of all types to seek out new ways to perpetrate cyber fraud.”[v]
Recent regulatory guidance is intended to help shore up cyberdefenses by calling for more active participation from senior leadership and incorporating cyber threats into business continuity planning. Fulfilling those requirements will help your compliance stance, but that alone is not enough to ensure your organization’s security—a major expectation of regulators.
For that, a cybersecurity risk assessment is the pivotal starting point toward protecting your institution and its customers’ confidential data—and forms the basis for identifying risks and ensuring all necessary controls are in place to keep it safe from the criminals lurking in cyberspace.