“You’re going to be hacked. Have a plan.”
– Joe Demarest
Assistant Director, Cyber Division, FBI
The question is not whether you are going to be hacked, but rather when and how often. That thinking is so pervasive in the cyber-security industry that industry participants now refer to “cyber-resilience” to better describe a realistic and effective cyber-defense plan. Nobody can have complete cyber security; instead, the goal should be cyber resilience.
The Cyber World Is a Scary Place
News feeds are replete with examples of corporate hacking in the financial services industry, demonstrating just how prevalent cyber security risks have become in the computer-networked world:
- In 2012, bank account information from 79 banks in the United States and the United Kingdom was hacked and posted on the Internet, exposing financial information for 1,700 accounts.
- In 2013, more than 20 financial institutions were the target of a nearly year-long distributed denial of service (DDoS) campaign in which hackers penetrated corporate networks and disrupted web service.
- More recently, account information for up to 76 million customers of a financial services giant was stolen by Russian hackers in what was thought to be a coordinated attack on a number of banks. This breach occurred despite the organization’s assertion that it spent up to $250 million a year on cyber-security prior to the attack; it is now doubling that budget.
- According to Jason Truppi, an FBI supervisory special agent, nearly 519 million financial records have been stolen from U.S. companies by hackers in the past year. To put this in perspective, according to the 2010 census, approximately 308,745,538 people live in the United States.
- Other attacks reported in the news that have not involved the financial services industry highlight how disruptive and destructive cyber intrusions can be. One attack led to the leaking of “private” celebrity photos, while another revealed Hollywood industry secrets in embarrassing emails and led to alterations in a major Hollywood cinematic release.
Perhaps the more pertinent question, then, is “How bad will it be when I do get hacked?” Cyber events come in all shapes and sizes and can affect financial institutions in a number of ways. For example, the theft of account information can impact a few thousand accounts or tens of millions. A breach of personally identifiable information (PII) can lead to civil lawsuits, require costly disclosures, raise regulatory scrutiny and liability, and entail hefty legal and remediation costs. In at least two noted cases, the reputational damage also negatively impacted stock prices and earnings.
But cyber attacks can do more than just create customer data losses and their accompanying financial impact. Cyber espionage can deprive a company of trade secrets and competitive advantage. It is strongly suspected that cyber espionage against U.S. defense contractors aided China in developing its new J-31 stealth fighter – and cyber espionage does not have to be perpetrated by China or Russia. Disgruntled or subversive former employees can penetrate financial services networks and abscond with sensitive client information or trade secrets.
In addition, DDoS attacks, which disrupt web sites, have interfered with banking operations by disrupting customer web access. Finally, third-party cyber disruptions in a company’s supply chain, such as business partners or vendors, can impact core business functions negatively. Examples of third-party intrusions that could greatly impact the financial services industry are cyber attacks on a stock exchange or an Internet or phone service provider. Without the ability to place trade orders, a brokerage house would lose its core profit-making function. Similarly, the theft of customers’ credit card information from a third party, such as major retailers, can put a firm’s customer accounts at risk.
You Can’t Do Too Little, and You Can’t Do Too Much
Thus, the real answer to the question of how bad it could be will depend on whether a good cyber-resilience plan is in place. Since cyber events are inevitable, you need not shoot for cyber-security perfection – because it doesn’t exist. The hacking underworld moves as fast as the cyber-security technology that aims to prevent damage from attacks. Nevertheless, a strong multilayer cyber-resilience plan can help contain the risk of certain events, substantially mitigate the impact of successful cyber attacks, correct flaws in the defense, and transfer the risk and cost of such events.
KNOW THE ENEMY
The first line of defense is awareness and preparedness. Financial services regulators and industry associations provide guidance to their members with regard to known risks and best practices. The SEC and FINRA, through their cyber-sweep risk alerts and targeted examination letters, have highlighted areas of interest and concern with respect to companies’ risk assessment, business continuity, internal cyber communication, response plans for intrusions such as DDoS attacks, and understanding of threats to the industry. This easily accessible guidance describes the first line of defense for financial services companies, yet many companies are found to be lacking basic cyber protections.
For example, preliminary accounts from the first sortie of SEC cyber examinations indicate that companies are failing to assess their preparedness with regard to protecting their clients’ information:
- According to Jane Jarcho, national associate director of the SEC's investment adviser and investment company examination program, the security of client access and login practices is not being assessed and evaluated by more than one third of the advisers that the SEC examined.
- Similarly, the North American Securities Administrators Association (NASAA) recently released the results of its Pilot Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms, which indicate that many companies do not encrypt their files and devices, and some employ free cloud services that have been shown to have significant security vulnerabilities.
The NASAA report also highlights tools that are useful in assessing cyber awareness and preparedness, but that are not universally applied by investment advisers. While a cyber intrusion may be inevitable, not being educated on the basics is akin to inviting the cyber underworld into your digital home.
DEPLOY YOUR ASSETS
Once a company is aware of the types of data that might be vulnerable within its organization, the second step is to ensure that the right people and assets are in place. Regulators that have undertaken cyber examinations (1) expect that personnel in strategic information technology positions at companies will have backgrounds that demonstrate a deep understanding of cyber issues and (2) have demanded evidence of enterprise-wide coordination of cyber security. Moreover, cyber-security software, hardware and processes are readily available and scalable to any size of company, so lacking the proper infrastructure to detect, deter and remediate intrusions is unacceptable. Companies need not buy all the software available, but, irrespective of size and financial wherewithal, they should be able to identify and implement appropriate security controls, including limiting access, monitoring usage, and controlling the computers, smartphones and tablets of employees in a manner that securely protects the PII of their employees and customers.
Unfortunately, cyber security is not a static endeavor. New and effective malware and viruses are developed and deployed by cyber-thieves all day, every day. Therefore, it is incumbent on companies to assess and test their awareness, people and infrastructure to ensure they are up to date. Companies open holes in their once-resilient cyber shields when they fail to ensure that new employees have antivirus and encryption applications on their computers and smartphones, or when they neglect automatic updates and patches on their software applications. Accordingly, constant assessment of policies, infrastructure and personnel is necessary to prevent tearing a hole in the shield. Additionally, cyber systems need to be tested periodically to ensure that vigilance is paying dividends. Cyber-security firms provide testing and monitoring services – such as penetration tests, cyber audits and forensic analysis of cyber events – that can educate a company on its weaknesses and provide suggestions for remediation.
COVER YOUR ASSETS
The inevitability of cyber events means that despite best efforts to avoid or prevent a successful attack, a company likely will face a cyber event at some point that might cause financial harm. Even worse, as noted above, cyber intrusions of third parties can impact a company’s bottom line as well. Fortunately, as a means to help transfer some of the risk of the unexpected and unavoidable, the insurance market has developed cyber insurance. While the field is growing, it has matured to the point that a robust and competitive market exists, providing a wide-ranging menu of coverages and costs. Currently, the market provides coverage for a variety of risks and expenses, including a data breach, notification, identity protection and credit monitoring, forensic costs, network restoration, cyber extortion, business interruption, and regulatory investigation and litigation (depending, of course, on the specific policy language).
Certain risks are not universally covered, such as catastrophic risks from war, terrorism and state-sponsored computer viruses; regulatory fines; operational errors; industrial espionage; reputational damage; and the value of data as intellectual property or trade secrets. As the cyber-insurance market continues to mature, risks such as the impact from third-party cyber intrusions will most likely become universally insurable. Until then, the best solution is a carefully negotiated insurance policy that expressly covers the risks most pertinent to each company’s business wrapped around a comprehensive cyber-resilience plan.
Oh Hack! What Do I Do?
If a company has an effective cyber-security program, there is a decent chance that the next intrusion won’t make the news, but it probably will require immediate action. The first item on the action plan should be to convene a preordained incident response team – which should include key stakeholders such as information technology, legal, corporate security, risk management and public relations – to immediately assess the extent and the source of the event and close the hole in the cyber shield to stop the loss of data or mitigate the impact of the cyber event on the company.
The legal department must determine whether contractual, regulatory or law-enforcement notification is necessary and whether customer notification is required under state, federal or international law. Notification requirements vary widely by jurisdiction and the law of the company’s home state will not necessarily govern breaches affecting out-of-state customers. Risk management should notify the insurance carrier, if applicable, while the public relations team finalizes previously developed internal and external talking points.
The triage team should have the contact information of an experienced, outside cyber counsel to advise on notification, insurance issues and talking points. Additionally, information technology should have pre-identified, objective third-party vendors to help assess the breach, devise solutions and perform cyber testing. Finally, as the foregoing examples demonstrate, the plan must include a first-call, public-relations crisis manager that specializes in cyber events, should it appear that the cyber event will become newsworthy.
… and Sometimes the Bear Eats You
The oft-cited camping axiom “You don’t have to outrun the bear, only your friend” can be applied to the cyber industry. Even if you are prepared and aware, there is no guarantee that you won’t get hacked, but there is a good chance hackers will be occupied with easier or less-protected targets. If you have a basic cyber plan that is better than your competitor’s, you might be able to watch the event from inside your tent. Your strategy of outrunning your friend won’t look so good, however, if the bear gets you and your friend. So don’t do the bare minimum to beat your friend; do your best to keep the bear away.