Proposed federal legislation, as well as a recent presidential executive order, could alter the level of cooperation between government and financial institutions when it comes to fighting cyber-security threats. But no matter what actions the federal government takes, financial institutions of all sizes need to continue to protect themselves now as the threats and attacks are ever increasing.
For most institutions, the recent and very disruptive cyber attack is Distributed Denial of Service (DDoS): bombarding a website with so many requests for service that it is unavailable to legitimate customers. In the last few months alone, SunTrust, PNC, JPMorgan Chase, Bank of America and US Bank have reported one or more major attacks, and customers have reported an inability to access online bank accounts for hours and, in some cases, days.
While DDoS attacks can be anything from a nuisance to a major disruption, they are not the only cyber threat banks face. Sometimes, groups of hackers use DDoS attacks to divert the attention of IT personnel while they launch other, smaller attacks designed to penetrate a bank’s IT operations, steal identities and other sensitive data, or even divert funds.
How serious are the threats? According to the Financial Services – Information Sharing and Analysis Center (FS-ISAC), a financial services industry group, the cyber-security threat level has been either "elevated" or "high" since last fall, the group’s second- and third-highest Cyber Threat Levels. In addition, the top 10 banks in America, which are required to list risks to their organizations in certain public documents, included DDoS attacks in their most recent 10-K reports.
One more key factor: Cyber terrorists, criminals, and traditional hacker groups are becoming more sophisticated, able to launch cyber attacks from multiple places around the globe.
Who’s most at risk? Big banks are subject to the most high-profile attacks, but smaller institutions, often with less sophisticated IT operations and staff, have been victimized as well. There have been multiple instances where cyber criminals gained access to the wire transfer abilities of a smaller institution and transferred money to another account. New platforms and capabilities, such as mobile banking and mobile payment, provide additional opportunities for criminals.
In February 2013, President Obama issued an executive order to improve what he termed "critical infrastructure cybersecurity." The order directed federal agencies to develop voluntary cybersecurity standards for the private sector, and required federal agencies to provide unclassified reports of cybersecurity threats. The order seeks to encourage government agencies to share more information about cyber threats and attacks with private industry, and develop standards and best practices to help critical infrastructure companies, such as banks, combat cyber threats more effectively.
A more comprehensive piece of legislation, the Cyber Intelligence Sharing and Protection Act (CISPA), goes further, encouraging sharing in both directions: government to private industry and private industry to government. The proposed law provides legal immunity to private companies that share cyber threat information. It also exempts such information from the Freedom of Information Act. CISPA has passed the House but is stalled in the Senate, with opponents raising concerns about privacy and other issues.
Regardless of what the federal government does in 2013, banks should adopt the attitude that cyber attacks are not a matter of "if," but "when." Banks should not only cooperate with Homeland Security and other federal agencies, but also focus on their own organizations and risk-management strategy. The three elements of that strategy should be:
Educating employees, being aware and alert to what’s going on, and sharing information with government and regulators.
Continued monitoring of policies and procedures to promote quick action when an incident happens. Response plans need to evolve over time as threats and vulnerabilities are constantly changing.
Continue to harden and patch key systems. Consider outsourcing complex IT functions if they’re not a core competency.
Whatever cybersecurity framework and regulations come from the federal government, chances are that the guidelines will be broad enough to apply to all industries; they will not be specific to banking and other financial services. In the end, it will be up to each financial institution regardless of size to figure out what systems and processes it will employ to protect its information and its customers’ information.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.