The dreaded call

Developing a cybersecurity aware culture

By Russ Horn, President for CoNetrix

It’s Sunday afternoon. Your feet are propped up on the couch, you’re working on your third slice of pizza and the Dallas Cowboys just scored a go-ahead touchdown with two minutes to go. All is perfect in your world … until you receive “the call.” Your penetration testing company found a vulnerability in a web server hosted by one of your vendors. But that’s not the worst of it, they discovered the vulnerability had already been exploited by some bad actors who have been copying customer data from your core server for the past several months. 

Incidents like this occur more frequently than you might believe. Cybersecurity attacks on financial institutions increase each year. According to an Oct. 2021 report by FinCEN, in just the first six months of 2021, more ransomware-related SARs were filed than in all of 2020 (Figure 1). The FDIC’s 2022 Risk Review report concluded that, “malicious cyber threat actors pose serious risk to bank information systems.” And in August, Acting Comptroller of the Currency Michael J. Hsu stated, “we have observed increases in the frequency and severity of cyber attacks against financial institutions and their service providers in recent years.”

Figure 1. Source: FinCEN. Note: Data from January 2011 to June 2021.

While it may be no surprise that cyber threats are increasing, it can be easy to become desensitized to the real threat of cyber attacks because of the saturation of cyber incidents in the news. As part of National Cybersecurity Awareness Month, let’s take a look at a few ways we can work to level up our cybersecurity posture.

Governance

The most secure banks have developed a culture of cybersecurity awareness. To do this, institutions must start at the top, with the board of directors. But this can be challenging. According to a 2021 survey by Tandem, 66% of financial institutions do not have any board members with cybersecurity or IT experience. To compensate for the lack of experience, institutions may choose to move toward more frequent reporting to their boards. The data reveals a trend toward more frequent reporting (Figure 2).

Figure 2. Source: Tandem

The Tandem survey also states, “Institutions who provide monthly updates to the board of directors are more likely to have a higher confidence in the board’s understanding of the institution’s cybersecurity posture.” The bottom line is that having an informed board increases the likelihood of having a board that supports a strong security-focused culture.

Risk Management Tools

Risk management tools can help banks formally evaluate their risks and provide a repeatable and measurable reporting process for upper management and the board. Two of the more popular cybersecurity assessment tools used by Texas banks are the FFIEC Cybersecurity Assessment Tool (CAT) and the CSBS Ransomware Self-Assessment Tool (R-SAT).

The FFIEC CAT was released in 2015 and last updated in 2017. While a little dated, it is still the most popular cyber assessment tool, reportedly used by over 90% of banks in 2022. The FFIEC CAT is designed to help financial institutions identify their cybersecurity risks and determine their cybersecurity maturity.

The CSBS R-SAT, released in 2020, is a more targeted assessment tool specific to ransomware attacks. Reportedly used by more than 50% of banks in 2022, it includes 16 questions designed to help institutions assess their efforts to mitigate the risk of ransomware and identify gaps for increasing security. 

Both assessment tools provide executive management and the board with an overview of their institution’s preparedness for identifying, protecting against, detecting, responding to and recovering from cybersecurity-related incidents. Using formal cybersecurity assessment tools such as these contributes to developing a cybersecurity-conscious culture because they draw attention to gaps in security practices.

Basic Cybersecurity Controls

While there are numerous security controls institutions should consider, the CFPB recently highlighted three specific cybersecurity controls it recommends companies focus on, in Consumer Financial Protection Circular 2022-04. In the Circular, the CFPB states that businesses not implementing these basic security controls may be in violation of GLBA and the Consumer Financial Protection Act (CFPA). The three controls the CFPB focused on are multi-factor authentication (MFA), password management and timely software updates.

It is interesting that the first two controls mentioned by the CFPB relate to managing the credentials used for authentication. According to the 2022 Verizon Data Breach Investigations Report, the data type most frequently stolen in 2021 was credentials. The stolen credentials (usernames and passwords) were then used to compromise systems and applications. It is important to protect our passwords and strengthen our authentication by using MFA for remote or high-risk systems.

Testing and Assurance

After we measure risk and apply controls, we must also periodically evaluate, or test, those controls. Testing controls assures they function as expected, which is to mitigate the risk of the threats identified. A variety of audits, assessments and tests can be used to measure these controls, including IT audits, self-assessments, vulnerability assessments, penetration tests, social engineering tests, BCP tests and incident response tests.

While the frequency of each kind of testing is based on the institution’s risk assessment, we see a trend toward banks conducting social engineering tests and vulnerability assessments more often, likely in part due to ease of access and reduced cost. Discussion of these two types of tests brings this conversation full circle.

One reason these two tests are so effective right now is that they target our most concerning vulnerabilities: our people and unpatched systems. Another reason they are a great idea is that they provide a valuable and frequent reporting tool for senior management and the board. Frequent and informative reporting to the board has a marked positive effect on the cybersecurity posture of your bank.

In summary, there are a few clear ways to level up your cybersecurity: spend time reporting to the board, use risk management tools, focus your controls on the most vulnerable areas and test to confirm your controls are working. Each activity is valuable on its own, but they work even better when you put them all together.

Resources

In 2021, the Texas Bankers Association developed an Information Sharing and Collaboration Center called the Texas Bankers ISAO. The TB-ISAO is a free service for TBA member banks designed to improve Texas community banks’ cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and collaboration related to cybersecurity risks, incidents and best practices.

The TB-ISAO offers a variety of free resources and tools for Texas bankers. For example, one of the free tools offered is a BIN and domain monitoring service. The TB-ISAO currently serves 311 participating members representing 191 banks. To learn more or sign up, visit member.texasbankers.com/TBISAO or email Alvin Mills, Vice President of Information Technology & Security, at [email protected].

CoNetrix is a family of technology companies that provides information technology consulting, IT/GLBA audits and security testing, Aspire IT hosting and a cybersecurity GRC product known as Tandem. www.CoNetrix.com