Written by: MATTHEW DONAHUE, CISM, CBCP
On January 16, 2020, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued a joint statement warning financial institutions of the potential for increased cyberattacks. The warning cites “increased geopolitical tension and threat of aggression” that the agencies believe could lead to more cyberattacks on U.S. financial institutions and other U.S. interests.
While the warning does not cite a single, specific threat, it does note an increase in disruptive and destructive attacks against financial institutions over recent years. The alert points out that attackers have many ways into an institution’s network and systems, including malware, social engineering, and compromised credentials, and that a successful intrusion can affect the institution’s systems, data vital to critical operations, regulatory compliance, infrastructure, and resiliency.
While these threats and their potential impacts should not surprise most financial institutions, the alert encourages a reevaluation of the specific safeguards and controls against them using risk management principles. Integrating cybersecurity into the institution’s risk management process allows senior management and the board to weigh the threats the institution faces alongside its other risks.
The alert highlights key risk management and control considerations, such as:
- Response, resilience, and recovery capabilities
- Identity and access management
- Network configuration and system hardening
- Employee training
- Security tools and monitoring
- Data protection
We have compiled a high-level breakdown of each consideration, including suggestions on cybersecurity best practices for reassessing controls and ensuring preparedness for a potential surge in cyberattacks.
Response, Resilience, and Recovery Capabilities
Institutions cannot rely on preventive controls alone; they need well-documented business continuity, incident response, and disaster recovery plans, and those plans need to account for cyber-specific scenarios. Considerations include:
- Testing and exercising the plans against cyber-related scenarios (for example, a destructive attack that takes core systems offline), and updating the plans when exercises reveal gaps
- Establishing or maintaining relationships with law enforcement and other cybersecurity resources before an incident occurs
- Reviewing the backup strategy to ensure availability, proper segmentation from the production network (so that a destructive attack cannot reach the backups with the same compromised credentials), and diversity of recovery options based on current threat trends
Identity and Access Management
With the continued success of phishing across almost all industries, and threat actors’ ability to reuse stolen credentials, it is no surprise that strong identity and access management controls should be prioritized. Authentication controls should be in place for every class of user of a system. Customers, employees, and vendors/third parties who have a legitimate reason for access should still be monitored, and the institution should still apply proper procedures to their authentication. These procedures include:
- Segmentation and role-based access controls for systems and data, so that a single compromised account exposes only what that role needs
- Authentication controls and tools aligned with current best practices, such as multi-factor authentication, geoblocking, and tokens (hardware or software)
- Periodic review of assigned roles and account activity for appropriateness, including removal of access that is no longer needed
Network Configuration and System Hardening
Institute and maintain a proper lifecycle to ensure the network and systems are secured during implementation, throughout the lifespan of updates or patches, and then into eventual retirement. Keeping a tight leash on these controls is important in maintaining secure systems. These can be based on a specific framework or amalgam of best practices. Some widely accepted practices include:
- Limiting removable media
- Completing vulnerability scans across all networked assets, including servers, switches, firewalls, workstations, and laptops
- Ensuring systems are updated and patched when applicable
- Keeping anti-virus and anti-malware software updated and continually running
Employee Training
Training employees is vital, as they are on the front lines and become an asset to the information security program when properly educated. Training should cover the institution’s cybersecurity program as a whole but also be specific to each employee’s role and responsibilities. This can include:
- Ongoing training modules on current threats such as phishing, and on password management, incident reporting, and communication during an incident
- Regular testing (for example, simulated phishing campaigns) to measure how well employees are responding to threats
Security Tools and Monitoring
Proper tools and monitoring can be invaluable in securing an institution’s network and systems:
- Ensure there is a process in place to evaluate new (or known) threats to determine the risk to the institution. Threat intelligence sources can provide valuable insight on emerging threats that affect a specific industry. Financial institutions have their own sector body, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which provides alerts and publications. The U.S. Computer Emergency Readiness Team (US-CERT) does similar work across sectors.
- Collect and review logs for suspicious or anomalous activity and for indicators of compromise or unauthorized access. This is typically accomplished with a security information and event management (SIEM) system, which centralizes logs from many sources and applies correlation rules to them.
- Implement monitoring and testing of network security to proactively identify weaknesses in the program. Notably, the alert explicitly calls for regular internal and external penetration testing or red team exercises.
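The log review and credential-compromise points above are easier to reason about with a concrete correlation rule in hand. The following is an added example, not code from the original article or from any SIEM product: a small Python script that parses a constructed set of authentication log lines (the log format, user names, IP addresses, and the allow-list of countries are all assumptions) and applies three rules a SIEM would typically run: a burst of failed logins followed by a success from the same source, a successful login from a country outside the geoblocking allow-list, and two successful logins for one user from different countries within a short window.

```python
"""Correlation rules for compromised-credential patterns in auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only; the line format is an
# assumption, not that of any real product:
#   <ISO-8601 UTC time> user=<name> result=<SUCCESS|FAILURE> src=<ip> geo=<country>
SAMPLE_LOG = """\
2020-01-16T08:00:01Z user=jdoe result=FAILURE src=203.0.113.10 geo=US
2020-01-16T08:00:03Z user=jdoe result=FAILURE src=203.0.113.10 geo=US
2020-01-16T08:00:05Z user=jdoe result=FAILURE src=203.0.113.10 geo=US
2020-01-16T08:00:07Z user=jdoe result=FAILURE src=203.0.113.10 geo=US
2020-01-16T08:00:09Z user=jdoe result=FAILURE src=203.0.113.10 geo=US
2020-01-16T08:00:12Z user=jdoe result=SUCCESS src=203.0.113.10 geo=US
2020-01-16T08:15:00Z user=asmith result=SUCCESS src=198.51.100.7 geo=US
2020-01-16T08:40:00Z user=asmith result=SUCCESS src=192.0.2.44 geo=RU
2020-01-16T09:00:00Z user=vendor01 result=SUCCESS src=198.51.100.9 geo=CA
2020-01-16T09:30:00Z user=bjones result=FAILURE src=198.51.100.20 geo=US
2020-01-16T09:31:00Z user=bjones result=SUCCESS src=198.51.100.20 geo=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)

# Assumed policy values; a real deployment tunes these to its own baseline.
ALLOWED_COUNTRIES = {"US", "CA"}   # geoblocking allow-list
FAIL_THRESHOLD = 5                 # failures within FAIL_WINDOW that make a success suspicious
FAIL_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1) # two countries inside this window is "impossible travel"


def parse(log_text):
    """Parse log lines into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line must not stop the whole review
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (rule, user, detail) tuples for every correlation rule that fires."""
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    last_success = {}                     # user -> (timestamp, country) of last success
    for e in events:
        key = (e["user"], e["src"])
        failures = recent_failures[key]
        # Drop failures that have aged out of the sliding window.
        while failures and e["ts"] - failures[0] > FAIL_WINDOW:
            failures.popleft()
        if e["result"] == "FAILURE":
            failures.append(e["ts"])
            continue
        # From here on the event is a successful login.
        if len(failures) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", e["user"], e["src"]))
        failures.clear()
        if e["geo"] not in ALLOWED_COUNTRIES:
            alerts.append(("login_outside_allowed_geo", e["user"], e["geo"]))
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["geo"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append(("impossible_travel", e["user"], f"{prev[1]}->{e['geo']}"))
        last_success[e["user"]] = (e["ts"], e["geo"])
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"ALERT {rule}: user={user} {detail}")
```

On the constructed sample, the script flags jdoe (five failures then a success from the same address), asmith’s login from RU (outside the allow-list), and asmith’s US-to-RU change within 25 minutes; bjones, with a single failure before success, stays below the threshold. The thresholds are where the tuning work lives: set them from the institution’s own baseline of normal failure rates and travel patterns, or the rules will either drown analysts in noise or miss a slow password spray that stays under the window.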
Data Protection
Some data is worth more than other data, so understanding what you need to protect to avoid losses of any type is critical. Protection of data starts with understanding and auditing the information your institution collects, processes, stores, and transmits. To do this, the institution must:
- Develop and maintain a data classification program that identifies the various types of information the institution handles. Additionally, map the flow of data within the internal network environment and with external entities, since data you cannot locate cannot be protected.
- Ensure designated data is encrypted both at rest and in transit. Additionally, physical protections should be in place for data wherever it resides, whether a server room, a laptop, or hard-copy documentation.
- Give data a defined lifecycle and protect it for the duration of that lifecycle or its retention period. When the data is no longer needed and no regulatory requirement calls for retaining it, dispose of it securely.
The statement from the FDIC and the OCC is not intended as a complete catalog of emerging cyber threats. Rather, it serves as a reminder that key risk management principles, integrated into a cybersecurity program, continue to provide valuable structure and guidance.