Recently reported network intrusions and disruptions, thefts of electronic data, and other significant cyber incidents have impacted millions of people and exposed the increased and continuing risks for businesses and government agencies. These incidents have transformed the cyber threat from a theoretical problem into a clear and present danger. In a recent survey of U.S. executives, security experts, and others from the public and private sectors, "76% of respondents said they are more concerned about cybersecurity threats this year than in the previous 12 months."
Cybersecurity has become a priority for lawmakers and law enforcement agencies, regulators and the White House. It has become part of the public consciousness, and across corporate America, the cyber threat has evolved from an information-technology problem that could be delegated to information-technology personnel to a key business and governance risk requiring the careful attention of boards and senior leadership.
In this memo, we: (1) provide an overview of this new reality; (2) address the nature and sources of the cyber threat; (3) discuss the potential financial, legal, and other consequences of cyber incidents; (4) present the legal and regulatory framework applicable to cybersecurity issues; (5) offer best practices and recommendations for boards and senior management; and (6) examine recent resources tailored to the particular cybersecurity risks facing financial institutions.
Cyber-related events during the last several months illustrate the current reality: cybersecurity is a growing business and governance risk that requires immediate and regular attention by business leadership:
- When the operations of the New York Stock Exchange and United Airlines were suddenly halted due to technological glitches, fears of a cyberattack quickly spread. In response, the NYSE issued a statement (on Twitter, no less) assuring the public that the outage resulted from "an internal technical issue and is not the result of a cyber breach." Similar messages were delivered the same day by the White House ("[T]here is no indication that malicious actors are involved in these technology issues."), the Director of the Federal Bureau of Investigation ("FBI") ("We do not see any indication of a cyber breach or a cyber attack."), and the Secretary of Homeland Security ("[T]he malfunctions at United and the stock exchange were not the result of any nefarious actor."), who also reiterated that "cybersecurity is a top priority for me, for the President, and for this Administration."
- The Department of Justice (the "DOJ") announced charges against nine people in connection with an international ring of organized cybercriminals who hacked into the networks of business newswires to steal press releases prior to their public release in order to trade on the stolen inside information.
- Citing the "increasing barrage of cyber attacks on financial firms," the U.S. Securities and Exchange Commission (the "SEC") announced charges last week against a St. Louis-based investment adviser that the SEC alleged had "failed to establish the required cybersecurity policies and procedures in advance of a breach."
- The Director of the U.S. Office of Personnel Management ("OPM") was forced to resign in the wake of a massive data breach that compromised sensitive personal information of millions of federal employees with security clearances.
- Wired magazine documented a group of hackers remotely manipulating a vehicle's air conditioning, stereo controls, brakes, and transmission using a laptop miles away, and as The New York Times has reported, "[t]hough automakers say they know of no malicious hacking incidents so far, the risks are real." Just days later, Fiat Chrysler announced a recall of 1.4 million vehicles due to "a potential cybersecurity flaw," reportedly prompting an investigation by the National Highway Traffic Safety Administration.
- FBI Director James Comey warned that the FBI is "picking up signs of increasing interest" among terrorist groups in a cyberattack against the United States.
- The former Superintendent of the New York Department of Financial Services called cybercrime "a huge threat to our financial system" and predicted that there would be "a lot of action around cybersecurity and the regulation in that area."
- The FBI arrested several people in the United States and Israel this summer who, according to several news reports, are linked to a data breach at one of the country's largest banks.
More thought, attention, and resources are being devoted to cybersecurity than ever before. The government has issued extensive guidance addressing cybersecurity, and lawmakers are working to enhance the ability of the public and private sectors to defend against and respond to the cyber threat. The purpose of this memo is to outline the threat, the applicable legal and regulatory framework, and key steps to mitigate the legal and business risks posed by the brave new cyber world. This memo also examines two recent developments of particular relevance to the financial industry: a July 2015 Government Accountability Office ("GAO") Report on cybersecurity at banks and other depository institutions, and the Cybersecurity Assessment Tool recently developed by the Federal Financial Institutions Examination Council ("FFIEC").
As described below, it is essential that businesses, particularly those that collect and transmit business and customer data online, conduct periodic risk assessments; undertake comprehensive preventative measures to fortify defenses; develop effective employee training and education, policies, and controls; and design robust incident response plans to ensure maximum preparedness in the event of a breach. Although the risk of a cyber incident cannot be eliminated, companies can meaningfully mitigate the risk and resulting harm by preparing for an incident before it occurs.
The Nature and Sources of the Threat
According to a February 2015 worldwide threat assessment by the United States intelligence community, "[c]yber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact." The Director of National Intelligence has predicted that "[r]ather than a 'Cyber Armageddon' scenario that debilitates the entire US infrastructure," it is more likely that there will be "an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time." Corporations across a broad spectrum of industries often find themselves the targets of these low-to-moderate level cyberattacks, which can manifest in many different forms.
Likely Business Targets
The financial industry consistently has been one of the sectors most likely to be the target of a cyberattack. According to the 2015 IBM Cyber Security Intelligence Index, the finance industry had the highest incident rate across surveyed industries in 2013 and 2014, accounting for approximately one-quarter of the private-sector incidents observed by IBM during each of those years. That finding is consistent with those of other cybersecurity providers and researchers. Verizon, for example, reported that among private industries, the financial services industry was second only to the information industry in the number of cyberattacks, and Mandiant identified financial services as one of the top three most targeted industries, together with retail and business and professional services.
The Sources of External Threats
The primary sources of external threats to companies and organizations are: "(1) nation states with highly sophisticated cyber programs (like Russia or China), (2) nations with lesser technical capabilities but possibly more disruptive intent (such as Iran or North Korea)," (3) individual or organized cybercriminals who typically act for financial gain, and (4) so-called "hacktivists" who are motivated by ideological objectives.
There is evidence that large banks are "more likely to be targeted by nation-states and hacktivists," while smaller depository institutions, which typically have less sophisticated defense mechanisms, are more commonly targeted by financially-motivated cybercriminals. Financially-motivated cybercriminals traditionally have sought banking credentials, credit card or other personal information from a variety of businesses, but the type of information being targeted, as well as the means of monetizing that information, is expanding. Recently, the DOJ announced the indictment of nine people in a large-scale, international scheme to hack into business newswires, steal yet-to-be published press releases containing confidential financial information, and then illegally trade on the basis of that stolen information. Along similar lines, Mandiant recently profiled the activities of a sophisticated group of cybercriminals who have been targeting confidential M&A information from public companies, presumably to engage in insider trading. In addition, the Director of the FBI expressed growing concern about terrorist groups looking to carry out a cyberattack.
The Blurring of State and Non-State Actors
The lines between state-sponsored and other cyber actors have blurred, as the techniques and motives of cybercriminals and state actors have increasingly overlapped. State actors have expanded beyond traditional espionage and have also "undertaken offensive cyber operations against private sector targets" to advance political, foreign policy or economic objectives, or to seek "retribution for perceived wrongs." North Korea, for example, launched a highly destructive attack against Sony Pictures Entertainment in apparent retaliation for its planned release of a satirical film depicting the assassination of Kim Jong-un. It is widely suspected, although the U.S. has officially declined to confirm, that China was behind the recent OPM hack, which resulted in the theft of sensitive information for millions of federal employees and potentially compromised the identities of intelligence officers secretly stationed abroad. China has also been linked to both a prolonged intrusion at The New York Times and the seizing of millions of electronic records held by U.S. health insurer Anthem. Five Chinese military hackers were charged with economic espionage last year for allegedly hacking into the networks of private entities in America to steal information "that would be useful to their competitors in China, including state-owned enterprises." Then-Attorney General Eric Holder described it as "the first ever charges against a state actor for this type of hacking." It can sometimes be difficult to distinguish between state and non-state actors within the same country when those "varied actors actively collaborate, tacitly cooperate, condone criminal activity that only harms foreign victims, or utilize similar cyber tools."
The Range of External Attacks
The range of objectives motivating cyberattackers has resulted in a range of different types of attacks against businesses. In 2012 and 2013, for example, dozens of financial institutions were subjected to coordinated and sustained distributed denial-of-service, or DDoS, attacks. Those attacks caused disruptions to online banking functions, but resulted in no reported losses of personal information, suggesting a lack of any pecuniary motive. Some government officials and security researchers attributed the attacks to the government of Iran, suggesting the attacks may have been "in retaliation for economic sanctions and online attacks by the United States," while others have attributed the DDoS attacks to a group of hacktivists in Iran.
In the summer of 2014, one of the largest U.S. banks suffered a data breach that compromised account information belonging to over 80 million households and small businesses. It was reported that customer email addresses, home addresses, and telephone numbers were compromised, but that no customer funds were taken. The DOJ announced arrests this summer of several individuals in the U.S. and abroad who reportedly were linked to this breach.
In two of the largest financially-motivated cyberattacks, in 2013 and 2014, Target and Home Depot were victims of data breaches that involved the theft of credit card data of more than 40 million customers and 56 million customers, respectively. And aside from these large-scale attacks, banks routinely experience so-called "account takeovers" in which cybercriminals surreptitiously obtain victims' banking credentials and then direct wire transfers or other withdrawals from the victims' accounts. The methods used to obtain the victims' banking credentials vary, but often include phishing emails or luring victims into unwittingly installing malware on their computers that enables the perpetrator to steal their banking information.
More recently, healthcare companies, which maintain extensive records of personal information, have become victims of the so-called mega-breaches that had been affecting the retail sector. In February 2015, for example, Anthem, "the second-largest health insurer in the United States," announced that hackers stole information regarding tens of millions of its customers from a database containing up to 80 million customer records.
The Tools of External Attacks
The methods of carrying out these attacks vary in their degree of sophistication. Although certain actors, particularly state-sponsored actors, have become increasingly more sophisticated, phishing and other relatively unsophisticated methods remain common, and employee errors and supply-chain vulnerabilities continue to be responsible for many cyber incidents. The recently-indicted hackers who allegedly stole press releases in order to trade on inside information used phishing emails, among other methods, to infiltrate the networks of the business wires. Another factor contributing to and compounding the cyber threat is the proliferation of widely-available hacking tools, which increasingly enable virtually anyone, anywhere in the world, to carry out cyberattacks. The DOJ announced criminal charges last year in a case involving the sale of malware to thousands of people around the world who, for only $40, could surreptitiously take over a victim's computer and then spy on their victims through their web cameras, steal files and account information, log victims' key strokes, and utilize the infected computers to carry out DDoS attacks.
Threats From Within
Aside from these sources of external threats, insiders present another source of risk, accounting for more than 50% of cyber incidents by some estimates. Data breaches caused by insiders are often inadvertent rather than malicious.
Further highlighting the vulnerabilities created by employees, data collected from sanctioned tests involving the distribution of over 150,000 phishing emails "showed that nearly 50% of users open e-mails and click on phishing links within the first hour" of receiving them. This has important implications for the design of cybersecurity programs, reinforcing the need to incorporate effective employee training and education into any cybersecurity program. This is addressed in more detail below.
Financial, Legal and Other Implications of Cyber Incidents
The direct financial costs resulting from a significant cyber incident can be substantial. Target, for example, reported that as of May 2, 2015, it had incurred $256 million in data-breach expenses since its 2013 data breach in which hackers stole the credit card information of millions of customers. Sony estimated that the breach of its PlayStation Network, which compromised the information of millions of users, would cost the company more than $170 million, and the Sony Pictures Entertainment hack in connection with the film "The Interview" was projected to cost the company hundreds of millions of dollars, including lost revenue from the decision to pull the film's release from theaters.
Victim companies also face litigation risks and intangible and less-quantifiable harms, including reputational damage, loss of consumer confidence, disruption of business operations, destruction of files, drops in stock price, and even the potential for embarrassment, such as when personal emails are released to the public by hackers.
Private Litigation Risks
In the wake of a significant cyber incident, companies, and their directors and officers, can face a flurry of private lawsuits from a range of different constituencies: individual consumers whose personal information has been compromised, shareholders alleging failures by the board and senior leadership in preparing for and/or responding to cyberattacks, and other third parties potentially affected by a breach, such as banks and credit card companies.
Target, for example, faced dozens of lawsuits after the data breach that compromised the credit/debit card and other personal information belonging to as many as 100 million consumers. As in other breach cases, the consumer-plaintiffs asserted violations of state consumer protection and state data-breach statutes, as well as common law claims of negligence, breach of implied contract, bailment, and unjust enrichment. The plaintiffs' factual allegations related to the company's conduct pre- and post-breach, including, for example, that Target allegedly failed to (1) "take adequate and reasonable measures to ensure its data systems were protected," (2) "take available steps to prevent and stop the breach from ever happening," (3) "disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers' financial account and personal data," and (4) "provide timely and adequate notice of the Target data breach."
The multi-district consumer litigation was consolidated in the District of Minnesota, and in March 2015, following the denial of the defendant's motion to dismiss, the District Court preliminarily approved a settlement of the consumer litigation. The proposed settlement requires Target to pay $10 million to consumers who used credit or debit cards at Target during the relevant time period and to implement various security measures to protect customer data, including: appointing a chief information security officer, creating metrics to track and maintain information security, and offering security training to its employees.
According to published reports, Target subsequently reached a proposed $19 million settlement to reimburse financial institutions for the costs they incurred from the breach, such as reimbursing fraudulent charges and reissuing credit and debit cards. The financial institutions had alleged violations of a Minnesota credit-card statute, negligence, and negligent representation by omission for failing to disclose information-security weaknesses. The settlement was derailed in May of this year, however, after failing to receive the required 90% participation rate from issuers. In August, Target reached a settlement with Visa Inc. and the banks that issue Visa cards for up to $67 million. Another group of financial institutions was recently certified as a class in federal court in the District of Minnesota, allowing other financial institutions the opportunity to join the suit against Target.
Derivative shareholder litigation against Target's directors remains pending. The shareholder plaintiffs have asserted claims for, among other things, breach of fiduciary duty, waste of corporate assets, and gross mismanagement, and like the consumer plaintiffs, they rely on allegations concerning the defendants' supposed pre-breach failure to ensure adequate safeguards and their post-breach response.
Risks of Enforcement Proceedings or Public Inquiries
In addition to private lawsuits from these various constituencies, companies that are victims of a cyber incident can also face investigations and enforcement actions from a wide array of federal and state regulators and law enforcement agencies, as discussed in greater detail below. Cybercrime creates an unusual situation in which a company that is a victim of an attack may at the same time be viewed by regulators as a subject of a government investigation. In the case of a significant breach, the possibility also exists that a company may be the subject of a Congressional inquiry and its executives could be called to testify.
Risks to Senior Leadership
The recent wave of cyberattacks also has placed great pressure on organizations to hold management accountable for perceived lapses. Last year, Target's board of directors ousted the company's CEO following its data breach, marking the first time a CEO has been removed due to a cyber incident. In addition, Institutional Shareholder Services ("ISS") took the unusual step of recommending that Target shareholders vote against seven of the ten directors (focusing on those who served on the audit and corporate-responsibility committees) for taking insufficient steps to ensure that Target's systems were fortified against security threats. And the director of the OPM was forced to resign this summer in the wake of a massive data breach that compromised the personal information of more than 20 million federal employees.
These consequences have served to reinforce the warning from one SEC Commissioner that "boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril."
Regulatory Requirements and Enforcement Priorities
A wide variety of federal and state regulators and law enforcement agencies are increasingly directing their attention toward cybersecurity. The DOJ, SEC, Financial Industry Regulatory Authority ("FINRA"), Federal Communications Commission ("FCC"), U.S. Department of Health & Human Services ("HHS"), Federal Trade Commission ("FTC"), a number of state attorneys general, and federal bank regulators have enhanced their emphasis on cybersecurity and, in many cases, specifically identified cybersecurity as a priority. Organizations across sectors should therefore expect both increased rulemaking and enforcement activity.
The U.S. Department of Justice and Federal Law Enforcement Agencies
A number of federal agencies charged with law enforcement and prosecution have increasingly focused on cybersecurity and have dedicated significant resources to pursuing and prosecuting cybercrime. The Criminal Division of the DOJ created the Cybersecurity Unit within the Computer Crime and Intellectual Property Section in December 2014 "to serve as a central hub for expert advice and legal guidance regarding how the criminal electronic surveillance and computer fraud and abuse statutes impact cybersecurity." In April 2015, the Cybersecurity Unit released its recommended Best Practices for Victim Response and Reporting of Cyber Incidents "to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident." The Cybersecurity Unit also is "helping to shape cyber security legislation" and "engag[ing] in extensive outreach to the private sector to promote lawful cybersecurity practices." In addition to the Cybersecurity Unit, many U.S. Attorney's Offices across the country have allocated resources to investigating and prosecuting cybercrime.
The FBI has identified cybersecurity as one of the agency's top three priorities, and has instituted a "set of technological and investigative capabilities and partnerships" to assist in its efforts to combat cybercrime, including: a Cyber Division, "[s]pecially trained cyber squads at FBI headquarters and in each of [the] 56 field offices," cyber action teams, 93 Computer Crimes Task Forces, and partnership with other federal agencies such as the Department of Defense and Department of Homeland Security. The U.S. Secret Service, within the Department of Homeland Security ("DHS"), maintains a national network of more than 35 Electronic Crimes Task Forces with a "focus on identifying and locating international cyber criminals connected to cyber intrusions, bank fraud, data breaches, and other computer-related crimes."
Federal prosecutors have recently brought a number of significant criminal cases targeting cybercrimes. Federal prosecutors announced charges last month against nine stock traders and computer hackers who allegedly reaped as much as $100 million in illegal insider-trading profits "by conspiring to use information stolen from thousands of corporate press statements before their public release." A month earlier, the DOJ announced that it had dismantled a major computer hacking forum called Darkode and charged 12 people associated with the forum. Domestic law enforcement efforts to combat cybercrime have benefitted from an extraordinary degree of international cooperation rarely seen in other contexts. The Darkode case, for example, was part of a coordinated effort by law enforcement authorities from 20 different countries, representing "the largest coordinated international law enforcement effort ever directed at an online cyber-criminal forum." Similarly, the U.S. Attorney's Office in Manhattan brought charges last year in connection with the sale and use of "Blackshades" malware as part of a global law enforcement operation involving more than 90 arrests and other law enforcement actions in 19 countries.
U.S. Securities & Exchange Commission
While SEC officials have at various times hinted at the prospect of additional cyber-related enforcement actions, the director of the SEC's Chicago Regional Office recently emphasized that "[c]ybersecurity . . . is an area where we have not brought a significant number of cases yet, but is high on our radar screen." He pointed to two areas in particular on which the SEC is focused: cybersecurity controls and cyber-related disclosures.
SEC Guidance for Public Companies
On the disclosure side, the SEC's Division of Corporation Finance (the "Corp Fin Division") has issued "disclosure guidance" to aid public companies in their cyber-related disclosures. The guidance first addresses the potential disclosure of cybersecurity as a significant risk factor. In determining whether the risk rises to that level, companies should consider "prior cyber incidents and the severity and frequency of those incidents," as well as "the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption." Where the cyber threat constitutes a material risk, the company should describe the type and severity of the risk, and should "avoid generic 'boilerplate' disclosure." In some cases, that may require the disclosure of actual known or threatened cyber incidents.
The Corp Fin Division's disclosure guidance also provides that if the costs or other consequences related to actual or potential cyber breaches "represent a material event, trend, or uncertainty," they should be addressed in a public company's MD&A section. This too may require the disclosure of actual cyber incidents where, for example, the resulting costs are likely to be material or have led to a material increase in cybersecurity spending. Since the SEC's disclosure guidance was first issued, the Corp Fin Division has issued a number of comment letters to public companies regarding their cybersecurity disclosures, and speculation has emerged that the SEC is considering regulations requiring more specific disclosures surrounding cyber incidents.
SEC Guidance for Registered Entities
Aside from the Corp Fin Division's disclosure guidance for public companies, the SEC addressed cybersecurity for regulated entities through the Division of Investment Management (the "IM Division"), which regulates investment companies, variable insurance products, and federally registered investment advisers, and the Office of Compliance Inspections and Examinations ("OCIE"), which "administer[s] the SEC's nationwide examination and inspection program" for registered entities, including broker-dealers, transfer agents, investment advisers, investment companies, the national securities exchanges, and clearing agencies.
The IM Division issued cybersecurity guidance that outlined steps for registered investment companies and registered investment advisers to consider. The guidance recommends that these registered entities conduct periodic assessments; develop a strategy that is designed to prevent, detect, and respond to cybersecurity threats, including instituting preventative security measures and creating an incident response plan; and implement the strategy through written policies and procedures and training. The guidance also recommends that funds and advisers assess the cybersecurity measures in place at relevant third-party service providers.
On the examination front, OCIE announced the launch of a Cybersecurity Examination Initiative by issuing a Risk Alert in April 2014. The 2014 Risk Alert offered a useful roadmap for the types of questions firms can expect to face during an examination. The Alert included, for example, a sample exam letter requesting information about past cyber incidents, cybersecurity governance, protection of firm networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and methodology for identifying best practices.
About 10 months later, in February 2015, OCIE released a follow-up Risk Alert providing summary observations from its examinations of 57 registered broker-dealers and 49 registered investment advisers conducted under the 2014 Initiative. The 2015 Risk Alert provides data points from the OCIE's examinations that can be used to inform cybersecurity policies and practices.
For example, OCIE found a gap, particularly among investment advisers, when it comes to the level of scrutiny applied to cybersecurity at third-party vendors. While most of the examined firms performed risk assessments on a firm-wide basis, only 32% of the advisers required cybersecurity assessments of vendors with access to their networks, and even fewer (24%) incorporated requirements relating to cybersecurity risk into their contracts with vendors and business partners. As cybercriminals have increasingly looked to exploit vulnerabilities at third-party vendors as a backdoor into companies' networks, companies should not overlook the need to apply the same type of rigor to outside vendors that they do to their own networks. Efforts to fortify internal defenses are wasted if attackers can simply achieve the same result by taking advantage of weaknesses in cybersecurity at third-parties.
The 2015 Risk Alert also reported that over half of the examined broker-dealers (54%) and just under half of the examined advisers (43%) had received fraudulent emails seeking to transfer client funds. A number of firms that experienced losses as a result of such fraudulent emails said that those losses were the result of employees not following identity authentication procedures. These findings further highlight the importance of employee education and training as part of an effective cybersecurity program.
In September 2015, OCIE issued a new Risk Alert outlining the areas on which OCIE intends to focus in its second round of cybersecurity examinations, a process "which will involve more testing to assess implementation of firm procedures and controls." The areas include governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
SEC Rulemaking and Enforcement Activity
The SEC also has implemented rules that relate directly or indirectly to cybersecurity and have been, and likely will increasingly be, the basis for enforcement actions. The principal such regulation is Rule 30 of Regulation S-P (referred to as the "Safeguard Rule"), which requires that brokers, dealers, investment companies, and registered investment advisers develop and implement written policies and procedures reasonably designed to "(a) [i]nsure the security and confidentiality of customer records and information; (b) [p]rotect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) [p]rotect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer." The Safeguard Rule has been the basis for enforcement actions against firms and individual executives for cybersecurity deficiencies, and can be expected to serve as the basis for future enforcement actions as regulatory scrutiny of cybersecurity practices increases.
In fact, just last week, the SEC relied on the Safeguard Rule to deliver on its earlier statement that cybersecurity is an area "high on [the SEC's] radar screen." The SEC announced charges against a St. Louis-based investment adviser that, according to the SEC, had "failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm's clients." The SEC expressly acknowledged that no evidence existed of financial harm to any of the firm's clients, but determined that enforcement proceedings were nevertheless appropriate in light of the "increasing barrage of cyber attacks on financial firms." Among the firm's alleged failures were that it "failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents." The case is a reminder that the absence of demonstrated client loss does not insulate a firm from enforcement: the deficiencies cited are failures of basic control hygiene that examiners can verify from records alone.
In addition, in November 2014, the SEC adopted Regulation Systems Compliance and Integrity ("Regulation SCI"), which requires certain key market participants, including registered national securities exchanges and clearing agencies, to take steps designed to reduce the occurrence of systems issues and improve resiliency in the event of a breach. Regulation SCI provides a framework for these entities to implement policies and procedures to help ensure operational capability, take appropriate corrective action when systems issues occur, provide notifications and reports to the SEC regarding systems problems and systems changes, inform members and participants about systems issues, conduct business continuity testing, and conduct annual reviews of their automated systems.
Financial Industry Regulatory Authority
The SEC has not been the only source of guidance for broker-dealers. Earlier this year, FINRA issued detailed guidance to address the threat of a cyber incident. FINRA's guidance provides specific recommendations on each of the following: risk assessments, a governance framework, technical controls and preventative measures, incident response plans, training of employees, and intelligence sharing. Like the SEC, FINRA has relied on the Safeguard Rule to bring enforcement actions in the wake of a data breach. FINRA fined a regulated firm for failing to protect confidential customer information after international hackers obtained information regarding approximately 192,000 customers, and recently entered into a settlement with another firm that faced an information security threat after an unencrypted laptop containing sensitive information about hundreds of thousands of clients was left unattended in a restroom. The second matter illustrates that a lost device with full-disk encryption is a lost asset, whereas a lost unencrypted device is a reportable breach.
Federal Communications Commission
The FCC encourages communications companies to practice "proactive and accountable self-governance within mutually agreed parameters" with respect to cybersecurity, and facilitates the improvement of cyber-risk management and corporate accountability in the communications sector through the Communications Security, Reliability and Interoperability Council. The FCC also has prioritized enforcement actions in cyber breach cases. In April of this year, the agency entered into a consent decree with AT&T after nearly 280,000 customers' personal data was compromised. In what the FCC called the "largest privacy and data security enforcement action to date," AT&T agreed to pay a $25 million penalty, hire a senior compliance officer, conduct a privacy risk assessment and adopt various other reforms. Companies in the communications sector should expect the FCC to continue its enforcement attention on perceived cybersecurity lapses in the future.
Department of Health & Human Services
The Health Insurance Portability and Accountability Act ("HIPAA") Security Rule established "national standards for protecting the confidentiality, integrity, and availability of electronic protected health information," and HHS's Office for Civil Rights ("OCR") is charged with the administration and enforcement of HIPAA's Privacy and Security Rules. In May 2014, two health care organizations entered into a settlement with HHS OCR for $4.8 million after allegedly failing to adequately secure "thousands of patients' electronic protected health information" that was "held on their network," the largest HIPAA settlement to date.
Federal Trade Commission
The FTC has been particularly active in the area of cybersecurity, bringing over 50 civil actions against companies related to the protection of personal information, using its authority under the Gramm-Leach-Bliley Act ("GLBA"), Section 5 of the FTC Act (which prohibits unfair or deceptive practices), and the Fair Credit Reporting Act. The United States Court of Appeals for the Third Circuit recently upheld the FTC's authority to bring suits under Section 5 of the FTC Act based on "unfair or deceptive" cybersecurity practices. The Third Circuit ruled that the alleged conduct, breaches of a hotel chain's data which resulted in over $10.6 million in fraudulent charges, did not "fall outside the plain meaning of 'unfair.'" This decision may embolden the FTC to increasingly prioritize data security and privacy issues in its enforcement initiatives. The FTC's relatively sweeping, and potentially expanding, authority to regulate cybersecurity issues is further evidenced by its issuance of the Health Breach Notification Rule in 2009, which requires certain businesses that are "not covered by HIPAA to notify their customers and others if there's a breach of unsecured, individually identifiable electronic health information." The agency began enforcing the rule in February 2010.
State Attorneys General
Forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of security breaches involving personal information, and a number of state attorneys general have been active in this area. About 15 state attorneys general, led by Illinois and Connecticut, are reportedly investigating a 2014 cyber breach at a major financial institution. As lawmakers consider enacting federal legislation that sets nationwide guidelines for customer notification in the case of a data breach, the "[a]ttorney generals from all 47 states with data breach notification laws are urging Congress not to preempt local rules with a federal standard," arguing that the states currently play an "important role" in protecting consumers from cyberattacks.
Federal Bank Regulators
The federal bank regulators, namely the Office of the Comptroller of the Currency ("OCC"), the Board of Governors of the Federal Reserve System ("FRB"), the Federal Deposit Insurance Corporation ("FDIC"), and the National Credit Union Administration ("NCUA"), have responsibility for ensuring the safety and soundness of the institutions they oversee, protecting federal deposit insurance funds, promoting stability in financial markets, and enforcing compliance with applicable consumer protection laws. These regulators individually and collectively have prioritized cybersecurity and have been working with industry and interagency organizations to improve financial institution cybersecurity.
Financial Stability Oversight Council
The Financial Stability Oversight Council ("FSOC"), established by the Dodd-Frank Act to "identify risks to the [country's] financial stability," "promote market discipline," and "respond to emerging threats to the stability of the U.S. financial system," has addressed the issue of cybersecurity. Earlier this year, FSOC-whose members include the heads of each of the bank regulators-released its annual report, in which it identified cybersecurity as requiring "heightened risk management and supervisory attention." The report warned that "recent cyber attacks have heightened concerns about the potential of an even more destructive incident that could significantly disrupt the workings of the financial system." The FSOC advised that "[m]itigating risks to the financial system posed by malicious cyber activities requires strong collaboration among financial services companies, agencies, and regulators."
Individual Bank Regulators
Each of the individual bank regulators has also emphasized the importance of cybersecurity. In its Spring 2015 Semiannual Risk Perspective, for example, the OCC identified cybersecurity as one of its top supervisory concerns, and a priority for the next twelve months. The report noted that, consistent with guidance from the other regulators, the OCC's bank examinations "will include assessments of data and network protection practices, business continuity practices, risks from vendors, and compliance with any new guidance." A senior representative of the Federal Reserve Bank of New York emphasized that "cybersecurity is a 'new normal.' It is going to become part of our vocabulary in nearly every exam we conduct, conversation we have with senior management, and conversation about the future of financial services." Benjamin Lawsky, who recently stepped down as the Superintendent of the New York Department of Financial Services, called cybercrime "a huge threat to our financial system" and predicted that there would be "a lot of action around cybersecurity and the regulation in that area."
Federal Financial Institutions Examination Council
The banking regulators have collaborated and coordinated on cybersecurity through the FFIEC, a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions and to make recommendations to promote uniformity in the supervision of financial institutions. Two key forms of guidance issued by the FFIEC are the Information Technology Examination Handbook and the Cybersecurity Assessment Tool, which was released this summer and discussed in detail below.
The FFIEC's IT Examination Handbook, first published in 1980, "comprises 11 booklets addressing topics such as electronic banking, information security, and outsourcing technology services." FFIEC has updated the Handbook, and the FFIEC and individual regulators have issued guidance to address particular threats facing the industry, such as DDoS attacks, account takeovers, advanced persistent threats, and credit/debit card breaches. There are now more than 150 examples of cybersecurity guidance applicable to the banking and finance sector.
Financial institutions also are subject to certain regulations and interagency guidance issued pursuant to the GLBA. Section 501(b) of GLBA mandated that the bank regulators issue information security standards for financial institutions to safeguard sensitive customer information. Member agencies of the FFIEC did so by issuing the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines"). Under the Security Guidelines, each financial institution must develop and maintain an effective information security program tailored to the complexity of its operations, and service providers that have access to its customer information are required to take appropriate steps to protect the security and confidentiality of this information. The Security Guidelines require each financial institution to identify and evaluate risks to its customer information, develop a plan to mitigate the risks, implement the plan, test the plan, and update the plan when necessary. Each financial institution must also report to its board "at least annually" on its information security program and compliance with the Security Guidelines. The standards set forth in the Security Guidelines are consistent with the IT Examination Handbook and other guidance from the FFIEC member agencies. The Security Guidelines afford the FFIEC agencies enforcement options if financial institutions do not establish and maintain adequate information security programs.
Pursuant to its authority under the GLBA, the FTC issued the Safeguards Rule, requiring certain non-bank financial institutions under the FTC's jurisdiction to have an information security plan that "contains administrative, technical, and physical safeguards" to "insure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer."
Financial institutions should endeavor to follow regulatory guidance to ensure best practices in cybersecurity and to mitigate their regulatory risk. In addition, being responsive to this guidance is essential because private plaintiffs are likely to rely on any deviation from the regulatory guidelines as purported evidence of inadequate cybersecurity in the wake of a cyber incident. In one case, for example, the United States Court of Appeals for the First Circuit determined that a bank's security procedures were not "commercially reasonable" based in part on the bank's failure to adhere to FFIEC guidance.
Best Practices for Boards and Senior Management
The frequency and scope of recent cyberattacks and the corresponding increased costs and harm demonstrate that the cyber threat is one of the most significant business risks facing financial institutions and other businesses. As a result, cybersecurity is a governance issue that requires attention from directors and senior leadership. In a recent study, "79 percent of C-level US and UK executives surveyed sa[id] executive level involvement is necessary to achiev[e] an effective incident response to a data breach and 70 percent believed board level oversight is critical." Below is a summary of some of the key practices for boards and senior management to consider.
As one SEC Commissioner stated, "ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's [sic] risk oversight responsibilities." Senior management and the board should consider whether a committee of the board (such as the Audit Committee or a Risk Committee) or the full board should have primary oversight responsibility for cybersecurity. In any case, the board should be briefed regularly about cyber risks and efforts to address and mitigate those risks. External advisers, including those with the requisite technical expertise, can be enlisted as necessary to help directors understand the risks and a company's preparedness to respond to those risks. The board should also consider whether particular members of management should be tasked with overseeing cybersecurity and reporting to the board on cybersecurity matters.
The National Association of Corporate Directors ("NACD") addressed the role of boards relating to cybersecurity and identified the following five principles: (1) "[d]irectors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue;" (2) "[d]irectors should understand the legal implication of cyber risks as they relate to their company's specific circumstances;" (3) "[b]oards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given adequate time on the board meeting agenda on a regular basis;" (4) "[d]irectors should set an expectation that management establish an enterprise-wide cyber-risk management framework with adequate staffing and budget;" and (5) "[b]oard-management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach."
For financial institutions, the recently released FFIEC Assessment Tool (discussed in detail below) provides a useful mechanism to evaluate the alignment between an institution's inherent risks and its cybersecurity preparedness. The FFIEC also released an overview for CEOs and directors along with the Assessment Tool that, among other things, lists questions for management and directors to consider and guide their discussions when using the Assessment Tool. Although a valuable resource, the Assessment Tool "is intended to complement, not replace, an institution's risk management process and cybersecurity program."
Periodic Risk Assessments
Periodic risk assessments should be conducted to develop a meaningful understanding of the key cyber risks facing the organization. It is impossible to design a program tailored to a particular company's risks and operations without first understanding those risks and how they impact the company's business. Accordingly, the board and senior leadership should be briefed regularly on the institution's cyber risks and the measures in place to mitigate those risks. The risk assessments should identify the company's most sensitive and valuable information and assets, and the company's senior leadership should understand where and how that information is stored, and the ways in which it is protected. Those assets should be afforded the greatest level of security protection.
Preventative Measures: Technology, Controls and Compliance
The board and senior management should ensure that the company has implemented sufficient preventative measures and controls and that they are being periodically reviewed and updated as necessary. Technology is, of course, a critical component of defending against a cyberattack, and companies should follow the best practices outlined in the applicable regulatory guidelines. Technological measures, however, cannot be relied on exclusively. Employees remain a significant source of potential vulnerability that cybercriminals continue to exploit, and therefore an effective cybersecurity program must incorporate employee training and education alongside information-security controls. Despite the well-documented risk from insiders and from employees who are deceived by attackers, this aspect of cybersecurity is often neglected. In one survey, for example, only 50 percent of respondents said they conduct periodic security awareness and training programs, and the same number said they offer security training for new employees.
Although many companies have developed robust compliance programs in areas ranging from antibribery to anti-money laundering to insider trading, compliance efforts on the information-security side are often lagging, even though the risk to the overall organization from non-compliance by a single employee may be potentially greater in the cyber area. New hires and existing personnel should all be trained on the importance of cybersecurity, educated as to the risks and their individual roles in protecting the company against those risks, and advised of the company's information-security policies. Compliance with information-security policies should be monitored, just as employees' compliance with securities trading or other more traditional areas of compliance are routinely monitored.
Employee training should be provided periodically and updated as necessary, and employees should be required to sign regular cyber-compliance certifications. The importance of information security needs to be emphasized, and the message should come from the top of the organization to instill a strong culture of information security throughout the organization. Basic policies and protocols that reduce risks should include requiring encryption, limiting the use of personal devices, using strong passwords that must be changed periodically, and controlling remote access through multifactor authentication.
Taking these steps to enhance cybersecurity can present a difficult balance for companies because each enhanced security measure typically imposes an additional burden on employees. It could become convenient for employees to bypass these measures, so it is critically important that information-security policies be prioritized, and that the proper tone is set by management. Further, there are effective measures that impose a relatively low burden and yet, surprisingly, still are not implemented by many sophisticated organizations until after they are victimized. In the wake of the OPM hack, for example, the White House announced a "Cybersecurity Sprint" designed to improve cybersecurity at federal agencies over a 30-day period, and that effort has included basic measures that had not been widely implemented. As one example, in just the first 10 days of the Sprint, federal civilian agencies reportedly were able to increase multifactor authentication-an effective and not burdensome measure-by 20 percent. Moreover, given the increased awareness of the severity of the risk among the general public, there is reason to be optimistic that employees will have at least a modestly increased tolerance for some additional burdens in order to fortify their companies' cybersecurity.
As the nature of the cybersecurity threat evolves, and additional risks or vulnerabilities are identified, cybersecurity policies and protocols must be updated accordingly. For example, the need for increased oversight and scrutiny of third-party vendor relationships has become evident as cybercriminals have increasingly exploited weaknesses in vendor security to bypass a company's cybersecurity. The Target breach is perhaps the most high-profile example, but the DOJ's recent announcement of a massive insider trading ring that relied on the hacking of business newswires further highlights the risks associated with providing network access or sensitive data to third-party vendors. Management should require appropriate vendor management controls, including diligence, monitoring and contractual protections.
Information Sharing with Government and Industry Peers
A comprehensive cybersecurity program should include a mechanism for sharing information with public and private partners to enhance access to actionable cyber-threat intelligence that can be used to better detect and respond to threats. As discussed below in the context of the GAO Report, the financial sector is among the leaders in this effort. Although lawmakers and regulators are exploring ways to improve cyber information sharing, institutions must continue working collaboratively to remove barriers to more robust sharing and to find innovative ways to enhance the effectiveness of their information sharing. Information sharing is also an important tool for smaller institutions, which tend to have less sophisticated defense mechanisms and fewer IT resources; by helping them focus their limited resources, cyber-threat intelligence can be particularly important to those institutions.
Review and Satisfaction of Applicable Legal and Regulatory Requirements
The legal and regulatory framework governing cybersecurity is fragmented and evolving. Companies must navigate a maze of domestic and international cyber-related laws and regulations that apply in both the pre-breach and post-breach context. Companies have legal, regulatory and often contractual obligations to safeguard information and, following a breach, to make certain disclosures to customers, regulators, or other third parties. In the post-breach context, for example, 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of security breaches involving personal information, and industry-specific laws and regulations impose independent notification obligations. As discussed above, public companies also have public disclosure obligations, and SEC-regulated entities are subject to separate SEC regulations concerning the safeguarding of information. Senior leadership should understand not only the business risks associated with the cyber threat but also the legal and regulatory risks and requirements. Management should ensure ongoing compliance with those requirements and, as discussed below, oversee the company's preparedness to satisfy its legal, regulatory, and contractual obligations in the event of a breach. Just as advance planning can mitigate the business risks, it can also mitigate the legal and regulatory exposure from a cyberattack.
Incident Response and Business Continuity Plan
Because no defense system is impenetrable, it is critical not only to ensure adequate preventative measures, but to have a comprehensive incident response and business continuity plan that can quickly be implemented in the event of a breach. In the wake of an attack, companies face a host of challenges and must make difficult and time-sensitive decisions, typically with incomplete information and in a chaotic environment. The way in which companies respond can directly impact the extent of the resulting harm, including financial loss, reputational harm, and civil and regulatory liability-all of which can be mitigated through advance planning and maximum preparedness.
Some of the key issues that typically arise following a breach are: (1) assessing the scope of the attack, determining what, if anything, has been taken, and ensuring that any intruders are completely removed from the network, a process that is usually far more difficult and time-consuming than most organizations anticipate; because the scope of the breach typically cannot be determined quickly, companies will have to make difficult decisions despite lacking key facts and critical information; (2) quickly restoring and ensuring continuity of business operations with minimal disruption, even in the case of destructive malware; (3) complying with domestic and international statutory and regulatory disclosure requirements, and determining when and to whom disclosures should be made, as well as what should be disclosed; (4) deciding if and when to notify law enforcement authorities and, if so, dealing with the day-to-day interactions with those authorities as they conduct investigations; and (5) handling internal communications and external public relations with consumers, shareholders and other affected third parties.
Given the range of issues that arise, a comprehensive response requires an integrated approach involving the participation not only of senior leadership but of representatives from a number of different internal constituencies, such as IT, legal, compliance, and investor relations, as well as outside technical, legal, and PR advisors. Companies should not put themselves in the position of confronting these difficult questions for the first time, or scrambling to determine who should be responsible for what, in the chaotic aftermath of a cyber incident. Companies need to consider each of these issues in advance of an attack. The response plan should provide clearly delineated lines of responsibility for each of the significant issues likely to arise following a breach and should be tested through tabletop exercises before an incident occurs.
The risk of a cyberattack cannot be eliminated. But the impact can be mitigated through careful planning, and it is therefore essential that boards and senior leadership take the steps necessary to put their companies in the best position to limit the resulting harm should an incident take place.
Recent Developments Affecting Financial Institutions
Recognizing the unique threats facing the industry, the GAO and FFIEC each released cybersecurity resources this summer specifically tailored to financial institutions. We examine both the GAO Report and the FFIEC Cybersecurity Assessment Tool in detail below.
The GAO Report on Cybersecurity at Banks and Other Depository Institutions
In July of this year, the GAO released a report on cybersecurity at banks and other depository institutions. The report principally examined (1) how bank regulators oversee depository institutions' efforts to mitigate cyber threats, and (2) how government agencies share cyber threat information with the banking sector. The report's key conclusions were: first, while bank regulators focus their cybersecurity examinations on risks within individual institutions, the regulators need to collect and analyze data from IT examinations on trends across the industry; and second, notwithstanding fairly robust sharing of cyber-threat information among financial institutions, obstacles still remain, and banks are seeking more usable threat information from their government counterparts.
Bank regulators take an institutional, risk-based approach to their cybersecurity examinations. Accordingly, the scope of an IT examination at any particular institution is determined based on an assessment of that institution's internal and external risks. To assess those risks, examiners look at an institution's safeguards and protections against threats to customer information, the likelihood and effects of identified threats and vulnerabilities, and the sufficiency of policies and procedures to control risks.
Hiring and training a sufficient number of examiners with the requisite expertise to conduct sophisticated examinations poses a serious challenge for regulators. To put the problem in perspective, the FDIC is the primary regulator for over 4,000 institutions, and has only "60 premium IT examiners who are highly skilled in conducting IT examinations;" the OCC is the primary regulator for more than 1,500 institutions, and has "100 dedicated IT specialist examiners;" the NCUA "regulates more than 6,200 credit unions" and has "40 to 50 subject-matter IT examiners" and 16 IT specialists; and the Federal Reserve "regulates more than 5,500 institutions" and has approximately 85 IT examiners with information security or advanced IT expertise.
Faced with these resource constraints, regulators generally have not used IT experts for examinations of medium and small institutions, meaning that "examiners with little or no IT expertise are performing IT examinations at smaller institutions." This allocation of limited resources is understandable, but concerning, especially given that the discrepancy in sophistication of examiners parallels the disparity in information-security resources across such institutions. Smaller institutions, not surprisingly, tend to devote fewer resources to information security. One large bank said it planned to deploy over 1,000 people to focus on cybersecurity, and following a significant breach last year, that bank's CEO announced that the bank would double its $250 million annual spending on cybersecurity. By contrast, some community banks do not have any dedicated IT security personnel. This may leave smaller financial institutions more vulnerable to cyberattacks, perhaps explaining why cybercriminals appear increasingly to be targeting smaller financial institutions.
The principal deficiency identified in the GAO Report, however, was the failure of regulators to aggregate data from individual examinations to identify trends across the industry: "Although each regulator described collecting some information across examinations to assist its oversight, the regulators did not have standardized methods for collecting examination data that could allow them to readily analyze trends in specific information security problems across institutions."
The failure stems in part from the methods by which regulators collect information from individual institutions. In particular, the information is not collected in formats that would facilitate such aggregation and analysis. The regulators, for example, do not have standardized methods for categorizing IT deficiencies. The deficiencies identified at particular institutions generally were not broken into fields or categories that differentiated the types of problems found at different institutions, and thus the regulators are not able to identify trends in specific types of deficiencies across institutions. In addition, although banks have obligations to disclose to their regulators data breaches that compromise sensitive customer information, the information collected by the regulators is not centrally compiled and analyzed. The GAO found that the regulators "varied in the extent to which they could provide data on actual incidents at their regulated institutions."
The GAO Report concluded that these flaws have hindered the regulators from identifying broader IT issues affecting their regulated entities and thus impede their ability to better target their IT risk assessments. This is not the first time, and cybersecurity is not the first area, in which the GAO has observed this deficiency in how regulators collect and analyze information. In a January 2000 report, the GAO observed "that neither the Federal Reserve nor OCC collected aggregated information on the risks that examiners identified during examinations." As an example of the potential benefits of such an approach, the January 2000 report concluded that by aggregating examination data, regulators would have been better positioned to recognize the industry-wide exposure to Long Term Capital Management and appreciate the potential disruption to the markets of its collapse. And in 2009, the GAO "found that bank regulators' oversight of institutions' anti-money laundering activities could be improved by aggregating information about deficiencies."
The second key conclusion of the GAO Report was that improvements are needed in the way cyber-threat information is shared among the financial sector and disseminated from the government to the private sector. While the government has been engaged in a campaign to encourage the private sector to share more information with the government, the GAO Report identifies deficiencies in the flow of information from the government to the private sector.
The financial industry has developed sophisticated information-sharing mechanisms and established a model that other industries have sought to emulate. The Financial Services Information Sharing and Analysis Center ("FS-ISAC"), for example, has become a key resource for cyber-threat information for financial sector institutions. The FS-ISAC was established in 1999 and is the operational arm of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security ("FSSCC"). The FS-ISAC facilitates the sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, potential protective measures and practices. It has over 5,000 members worldwide, and when it learns of an attack or has other information to share, it follows a protocol in which different color-coded alerts indicate who can access the information. During the OCIE examination sweep, broker-dealers identified the FS-ISAC as "adding significant value," and banks have reported that a high level of trust has developed among the FS-ISAC members and that the FS-ISAC was valuable in responding to the financial-sector DDoS attacks. The DDoS attacks showcased the "sector's capacity..., through the FS-ISAC, [to] act collectively to respond to major attacks and minimize their capacity to cascade through the sector."
The financial sector has also developed and implemented innovations to facilitate more robust information sharing. For example, to help alleviate concerns about exposing competitive weaknesses by revealing breaches to competitor institutions, the FS-ISAC removes identifying data to obscure the identity of the breached institution. Although some reluctance to share information for this reason remains, this approach has reduced the concern. The FS-ISAC has also deployed an automated system called Soltra Edge, developed in conjunction with DHS and the Depository Trust & Clearing Corporation, for efficiently disseminating alerts to member institutions.
The government is also an important source of cyber threat information for financial institutions. In nearly 70 percent of all breaches, organizations first learn of the breach from the government or some other external source. The primary government sources of cyber information for the financial sector are Treasury, DHS, Secret Service, and the FBI. Treasury's Financial Sector Cyber Intelligence Group ("CIG"), for example, monitors and analyzes intelligence on cyber threats to the financial sector and disseminates that information to industry participants. The CIG facilitates the sharing of classified information and also responds to requests for information from financial institutions, either individually or through the FS-ISAC. Law enforcement agencies, like the FBI Cyber Division and the Secret Service's Electronic Crimes Task Forces, often share threat information directly with financial institutions or through the use of Private Industry Notification Reports addressing particular threats. And representatives of financial institutions are often provided temporary security clearances so they can receive threat briefings from the FBI or other agencies.
Although the financial industry has developed extensive information-sharing arrangements both within the private sector and between the private sector and government, the GAO Report identifies obstacles that remain and offers suggestions for improvements to the way in which the government disseminates information to the industry. In particular, financial institutions have expressed frustration that the information they receive is often "repetitive," "not timely," and "lack[ing] sufficient details" to be actionable.
By virtue of having multiple sources of information within government, banks often end up receiving the same information from multiple agencies. That redundancy causes banks to waste resources trying to determine whether the information is new or duplicative. While this creates an unnecessary distraction of IT resources for banks of all sizes, it poses an even greater challenge for smaller institutions that are already grappling with limited information-security resources.
Banks also reported that for the information to be effective, it must be timely and specific. The timeliness of information sharing can be critical in effectively defending against a cyberattack that quickly spreads from one institution to another. One report found that 75 percent of cyberattacks spread from victim 0 to victim 1 within 24 hours, and "[o]ver 40% hit the second organization in less than an hour." As to the specificity of the information, the GAO Report determined that the information banks obtain from the government often lacks the context or specific details necessary to enable banks to take steps to protect themselves. A representative of a financial institution offered this analogy: "receiving insufficiently detailed information [is] similar to telling the institution that it might be attacked by a criminal in a red hat. But saying that a criminal in a red hat would go behind the building, and use a crowbar to force the door open would provide enough detail for the institution to better target its defenses."
The government is already taking steps to reduce obstacles to better information sharing. Treasury, for example, is seeking to accelerate the declassification of financial cyber threat information, which should enable the sharing of more specific information. Deputy Treasury Secretary Sarah Bloom Raskin recently said that Treasury is focused on "getting information declassified very quickly and into the hands of people who need it," adding, "It makes no sense for the government to be sitting on this information."
While the GAO Report focused mainly on potential improvements in the flow of information from government to the private sector, it also identified issues that continue to restrict complete sharing in the other direction. There is, for example, continuing concern within the private sector about potential liability resulting from the sharing of personal information with the government, as well as fears that the information may become classified (which, in turn, restricts further sharing of the information by the institution) or subject to public disclosure (through FOIA requests, for example).
Congress and the White House have been working to alleviate these concerns as well. In February, President Obama issued Executive Order 13691 on Promoting Private Sector Cybersecurity Information Sharing, which directs the Secretary of Homeland Security to "strongly encourage" the development of Information Sharing and Analysis Organizations ("ISAOs") to serve as focal points for cybersecurity collaboration. The President also proposed legislation that would protect companies from lawsuits for sharing certain cybersecurity information with the government. Two pending bills in the House and one in the Senate seek to provide private companies protection from liability in order to encourage sharing of information with the government.
The FFIEC Cybersecurity Assessment Tool
This summer, the FFIEC rolled out a Cybersecurity Assessment Tool (the "Assessment Tool") to give financial institutions a "repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness." The Assessment Tool incorporates principles from the IT Handbook and the National Institute of Standards and Technology ("NIST") Framework.
The Assessment Tool is broken down into two parts. The first addresses an institution's Inherent Risk Profile, and the second addresses the company's Cybersecurity Maturity. It enables an institution to evaluate its level of risk in each of five enumerated risk categories, and its level of cybersecurity preparedness in each of five "domains." By comparing the institution's risk levels to its cybersecurity maturity levels, management can assess whether the degree of maturity is sufficiently aligned with its level of risk. If not, the Assessment Tool provides readily identifiable measures the company can take to reduce a particular risk or increase the maturity of a particular aspect of its cybersecurity.
The Inherent Risk Profile assigns one of five escalating risk levels (least, minimal, moderate, significant, or most) to each of five categories of risk: (1) technologies and connection types, (2) delivery channels, (3) online/mobile products and technology services, (4) organizational characteristics, and (5) external threats. For each category, the Assessment Tool lists different parameters that correlate to each risk level. For example, within the "technologies and connection types" category, one of the considerations is the number of personal devices allowed to connect to the corporate network. The institution determines its risk level by choosing the parameters that best describe the company's characteristics. The following table provides an example of the characteristics, or parameters, corresponding to each of the risk categories for "personal devices":
[Table: parameters for "personal devices" at each risk level; not reproduced here.]
After determining the Inherent Risk Profile, the institution turns to the Cybersecurity Maturity portion of the Assessment Tool to determine its maturity level within each of five "domains": (1) "Cyber Risk Management and Oversight," (2) "Threat Intelligence and Collaboration," (3) "Cybersecurity Controls," (4) "External Dependency Management," and (5) "Cyber Incident Management and Resilience." Within each domain, the Assessment Tool lists declarative statements that apply to each maturity level (baseline, evolving, intermediate, advanced, or innovative). The institution determines its maturity level by identifying which declarative statements best fit the current practices of the company. The Assessment Tool thereby allows a company to determine its maturity level within each of the five domains, but does not provide an overall enterprise-wide maturity level.
When the assessment is complete, management can assess the degree of alignment between its risk profile and its cybersecurity maturity. An institution's maturity level generally should go up as its risk profile rises. Because the risk profile and maturity levels will change over time, the Assessment Tool recommends that management reevaluate both periodically and be vigilant of planned changes (like new products or services or new connections) that may affect its risk profile.
The Assessment Tool is a useful management oversight resource because it provides a method for comparing an institution's maturity level to its inherent risk profile. To the extent management is not satisfied with the level of maturity in relation to its risk profile, the characteristics of the different categories provide actionable steps that management can take either to reduce its risk level or to enhance its maturity level.
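The following is an added illustration of the two-part workflow just described, written for this memo rather than taken from the FFIEC's Assessment Tool or any published implementation of it. The risk levels, risk categories, maturity levels and domain names come from the Assessment Tool as described above; everything else is an assumption constructed for the example: the rule that rolls several parameter selections up to one risk level, the treatment of maturity levels as cumulative, the mapping of each risk level to a target maturity level, and the sample institution with its declarative statements. The output is the gap analysis management would use: for each domain whose maturity falls short of the level its risk profile suggests, the unmet statements are listed as the actionable steps.

```python
from collections import Counter

# Added illustration of the Assessment Tool workflow; not the FFIEC's tool or
# its data. Level, category and domain names follow the memo; the roll-up
# rule, the cumulative-maturity rule, the risk-to-maturity target mapping and
# the sample institution are assumptions constructed for this example.

RISK_LEVELS = ("least", "minimal", "moderate", "significant", "most")
MATURITY_LEVELS = ("baseline", "evolving", "intermediate", "advanced", "innovative")


def dominant_level(levels):
    """Roll several parameter-level selections up to one risk level: the most
    frequent level wins, and a tie goes to the higher level (assumed rule;
    the tool itself leaves the overall determination to management)."""
    counts = Counter(levels)
    return max(counts, key=lambda lv: (counts[lv], RISK_LEVELS.index(lv)))


def inherent_risk_profile(selections):
    """selections maps each risk category to the risk level chosen for each of
    its parameters. Returns a level per category plus an 'overall' level
    computed across every parameter."""
    profile = {category: dominant_level(chosen) for category, chosen in selections.items()}
    profile["overall"] = dominant_level([lv for chosen in selections.values() for lv in chosen])
    return profile


def maturity_level(statements):
    """statements maps each maturity level to {declarative statement: met?}.
    Levels are treated as cumulative: a level counts as attained only when every
    statement at that level and at all lower levels is met (assumption).
    Returns None when even the baseline is not fully met."""
    attained = None
    for level in MATURITY_LEVELS:
        level_statements = statements.get(level, {})
        if not level_statements or not all(level_statements.values()):
            break
        attained = level
    return attained


def alignment_gaps(profile, maturity):
    """Compare the overall inherent risk with each domain's maturity. The target
    maturity rises one step per risk level, least -> baseline through
    most -> innovative (constructed heuristic, not an FFIEC requirement).
    For each domain below target, list the unmet statements up to the target
    level; those are the actionable steps management can take."""
    target_idx = RISK_LEVELS.index(profile["overall"])
    target = MATURITY_LEVELS[target_idx]
    gaps = {}
    for domain, statements in maturity.items():
        current = maturity_level(statements)
        current_idx = MATURITY_LEVELS.index(current) if current else -1
        if current_idx < target_idx:
            unmet = [text for lv in MATURITY_LEVELS[: target_idx + 1]
                     for text, met in statements.get(lv, {}).items() if not met]
            gaps[domain] = {"current": current, "target": target, "unmet": unmet}
    return gaps


# Constructed sample institution (not real data): one risk level per parameter
# within each category, and one declarative statement per maturity level for
# three of the five domains.
SAMPLE_SELECTIONS = {
    "technologies and connection types": ["moderate", "significant", "moderate"],
    "delivery channels": ["minimal", "moderate"],
    "online/mobile products and technology services": ["moderate", "moderate"],
    "organizational characteristics": ["minimal", "minimal"],
    "external threats": ["significant"],
}

SAMPLE_MATURITY = {
    "Cyber Risk Management and Oversight": {
        "baseline": {"Board approves the information security program annually": True},
        "evolving": {"Cyber risk is a standing item on the board agenda": True},
        "intermediate": {"Cyber risk appetite is formally defined and reported against": True},
    },
    "Threat Intelligence and Collaboration": {
        "baseline": {"Institution belongs to a threat-sharing group such as FS-ISAC": True},
        "evolving": {"Received threat information is used to tune monitoring": False},
        "intermediate": {"Threat information is shared back with the sector": False},
    },
    "Cybersecurity Controls": {
        "baseline": {"Patches are applied within a defined window": True},
        "evolving": {"Personal devices on the network are enrolled and managed": True},
        "intermediate": {"Anomalous activity is detected through automated analysis": False},
    },
}

if __name__ == "__main__":
    profile = inherent_risk_profile(SAMPLE_SELECTIONS)
    print("Inherent Risk Profile:", profile)
    for domain, gap in alignment_gaps(profile, SAMPLE_MATURITY).items():
        print(f"{domain}: {gap['current']} -> target {gap['target']}")
        for step in gap["unmet"]:
            print("  action:", step)
```

For the sample institution the overall profile rolls up to "moderate", so the constructed mapping sets "intermediate" as the target; the oversight domain already meets it, while the threat-intelligence and controls domains are reported with the specific statements still to be satisfied. Because both the risk selections and the statement answers are plain data, the same functions can be re-run periodically, or against a planned change such as a new delivery channel, to see how the alignment moves, which is the reevaluation the Assessment Tool recommends.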
* * *
As discussed above, the cyber threat presents a growing business and legal risk for companies across a broad spectrum of industries and requires careful and current attention by senior corporate leadership.