This is one of five key articles featured in our 2022 Financial Institutions Advisor. Download the entire whitepaper here.
Cyberattacks continue to increase, with hackers seeing potential for profit in essentially any industry. Financial institutions continue to remain a common target, as attackers focus on both an organization and its customer base to potentially wire funds out of the country or hold sensitive data ransom. At the same time, financial institutions continue to expand their technology footprint, requiring increased oversight on security across a wider range of devices, vendors, and cloud platforms.
The state of cybersecurity
Countless companies in various industries have recently received front-page news coverage for cybersecurity concerns, and the attack trends are continuing to grow. As the threat landscape continues to evolve, it’s helpful to look back at how the environment has changed in recent years.
Historically, most organizations had many layers of secure controls in place — such as their trained people, formal processes, and strong technology controls. While some organizations used different tactics than others, the general concept stood that financial institutions had clearly put multiple layers in place to protect the internal environment from external threats.
A few short months into 2020, many companies sent employees to work from home for the first time due to the COVID-19 pandemic. Some organizations had planned ahead (or were fortunate to have recent laptop orders) and could shift quickly to the remote environment. Other organizations had to rush in new VPN setups, roll out new web-accessible applications, or have employees work from home on their personal devices. These projects typically take months of effort in a normal year. Unsurprisingly, security precautions weren’t always taken in these rushed efforts. Similarly, many of these work-from-home options were never anticipated as part of financial institution culture and operations, with gaps in training and procedures now relying on teams making decisions on the fly.
For projects and remote connections implemented over the past year, vulnerabilities still remain. As staff return to offices, personal devices present an emerging risk of transmitting viruses to the secure internal networks. Meanwhile, attackers continue to increase their profits as they send phishing emails tricking employees into clicking links. In addition, the Federal Financial Institutions Examinations Council (FFIEC), Federal Trade Commission (FTC), and third-party vendors continue to raise expectations for security requirements. While these expectations assist with guidance on controls to reduce risk of attacks, the risk of noncompliance with regulatory and vendor contract requirements continues to rise as well.
Current threats facing financial institutions
Based on our experience working with financial institutions, we’ve identified the common trends of critical threats impacting the industry. While there are other additional unique forms of attack, the majority of security incidents we’ve seen can be tied back to at least one of the following areas:
- Remote security vulnerabilities — With employees working remotely, the line between secure office networks and home networks become heavily blurred. This is particularly concerning when spouses and children also have additional work/school devices that need connecting to the same home wireless network. For employees working from personal devices, their employer may have zero visibility into the security of those devices and may be unaware of any existing viruses stealing data from the device. For financial institutions that recently added remote access, those that didn’t add multifactor authentication requirements were exposed to multiple security incidents — with guessed credentials allowing for overseas attackers to easily view emails and other confidential information.
- Ransomware — Not only are ransomware attacks continuing to rise, but the methods are adapting to respond to companies’ efforts to find alternatives to paying out demands. Originally, an attack would focus on encrypting files, requiring companies to pay to unlock unless they had reliable backups to restore from. As more organizations built robust backup controls, attackers have adjusted the threat to focus on publicly releasing data unless ransoms are paid. Attackers will also research organizations to identify appropriate bitcoin ransom amounts to demand and offer a cut of ransom payments to insiders who help provide a foothold into the network.
- Social engineering — Emails sent to employees tricking them into clicking links and providing credentials are still a main channel for attackers to gain initial footholds into networks. The pandemic provided many opportunities for attackers to mimic expected emails with urgent messages. Additionally, employees working from home can’t as easily ask an office neighbor if emails appear suspicious. Our cybersecurity practice has seen a significant rise in click rates during social engineering tests over recent years.
- Lack of security-dedicated resources — Many financial institutions run lean organizations, relying on IT teammates to also wear information security hats or involve outside vendors to support technology operations. Where internal teams are understaffed, risks increase; in many cases, there’s a competition for time and budget to maintain security programs and ongoing technology projects.
Recent financial institution regulatory updates
Even more frequently than previous years, regulators have continued to update cybersecurity guidance in 2021. Key updates include the following:
- January: The Federal Reserve implemented a Security and Resiliency Assurance Program. As part of this new program, institutions and service providers must conduct an assessment of their compliance with the Federal Reserve Banks’ FedLine security requirements and submit an attestation that they have completed.
- June: The FFIEC released the Architecture, Infrastructure and Operations IT Exam Handbook, which included an increased focus on data governance, similar topics as the 2019 BCM guidance such as board involvement and system resilience, and new technologies such as remote access.
- July: The FFIEC issued Guidance on Authentication and Access to Financial Institution Services and Systems, with special emphasis on layered security and focus on multifactor authentication options.
- November: The FTC issued a final rule clarifying its data security requirements for certain covered financial institutions, amending the Safeguards Rule originally issued in 2002 under the Gramm-Leach-Bliley Act.
- November: The Office of the Comptroller of the Currency announced a final rule requiring banks to notify their primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after it’s determined that a cyber incident has occurred.
Additionally, the Federal Reserve Banks released an Operating Circular in late 2020, which included expectations for “Security and Resiliency Assurance Program” attestations. With the increase in banks crossing financial thresholds that require additional information security control implementation and auditing, cybersecurity insurance providers have continued to increase requirements before offering insurance coverage. Whether requirements are directly being issued by your regulating entity or not, these various updates are all increasing expectations for financial institution security levels.
Actions to secure your financial institution
Especially with the volume of changes over recent years, now is the time to reassess your security environment. Ideally, you’ll have dozens of complex layered controls in place to consider, and there are a few key items that we typically see as gaps leading to security incidents.
Focusing on these three actions are key initial steps to confirm you’re comfortable with the existing setup or to develop a plan to address gaps:
- Enforce password requirements — Strong passwords on all accounts with remote access should be required, as well as multifactor authentication considerations. If software updates aren’t under an automated process, a solution may be required. External connections mean the possibility of threat actors attempting to exploit system or application vulnerabilities from afar.
- Utilize virus scanners and content filters — To defend against ransomware, institutions should ensure virus scanners and content filters are effectively configured on mail servers. Additionally, institutions should employ a data backup and recovery plan for all critical information, and perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note: Network-connected backups can also be affected by ransomware, so critical backups should be isolated from the network for optimal protection.
- Implement contact training and testing — In instances of social engineering threats, attackers often use compelling stories or arguments to gain entry, whether electronically or physically. Contact training of staff is key to maintain an environment of mindfulness against this sort of activity. Testing should be designed to analyze the effectiveness of contact training, as well as chart progression over a period of time.
While attackers continue to evolve their approaches and regulators increase expectations, implementing these key controls and proactively planning to strengthen your cybersecurity safeguards can help protect your financial institution. If you have any questions on cybersecurity best practices, please feel free to contact us.
