Though other more notorious cyber security breaches have recently flooded the news, there can be no question that some of the more startling breaches have involved major financial institutions.[1] Indeed, the cyber threats to the banking industry are real and upon us, and are cropping up in ways we potentially did not think of previously:
Vulnerabilities in mobile banking pose another new and highly sophisticated danger, as mobile banking vulnerabilities may exist on mobile devices that are not patched, and malware can be developed to specifically target the use of mobile devices. One example of this type of vulnerability is the Zeus-in-the-Middle malware, a mobile version of the GameOver Zeus malware, which itself was one of the most sophisticated types of malware the FBI ever attempted to disrupt. GameOver Zeus was designed to steal banking credentials that criminals could then use to initiate or redirect wire transfers to overseas bank accounts. All told, the malware infected over 1 million computers worldwide and caused over $100 million in estimated losses.[2]
In continued recognition of persistent threats upon the banking industry, on December 10, 2014, Benjamin J. Lawsky, Superintendent of the New York Department of Financial Services (NYDFS), issued a guidance letter to NYDFS-regulated banks outlining specific cyber security-related factors that will be reviewed as part of a bank’s annual review. In this release, Superintendent Lawsky stated:
It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators. Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.[3]
With the non-stop breach activity we have seen over the last few weeks, both state and federal regulators are showing their concern, and urging regulated entities to improve their cyber security postures immediately before the “bad guys” can wreak as much havoc on the U.S. financial markets as they have on other U.S. companies, particularly those in the retail sector.[4]
This alert will discuss the recently announced cyber security guidance issued by NYDFS as well as other recent statements issued by various federal regulators concerning their own annual examinations or desk audits.
Superintendent Lawsky’s guidance letter is very specific, and encourages banks to provide comprehensive answers to very important cyber governance issues, including:
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion, including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response processes, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies and procedures; and
- Cyber security insurance coverage and other third-party protections.[5]
This guidance may be seen as a welcome blessing for the many New York-based financial institutions or financial services organizations (or pieces of them) that are also regulated by the SEC’s Office of Compliance,[6] FINRA,[7] or the FDIC, OCC, and/or FFIEC[8] – each of which has announced either guidance or street sweep letters for annual audits/reviews of its respective regulated entities. Thankfully, much of the guidance issued by these organizations to their respective regulated entities is similar to that issued by NYDFS. Conflicting guidance would have only confused the question of “best cyber security practices” even further, and could have caused regulated entities double or triple the compliance work in order to keep up with each involved agency. In the inherently perplexing area of cyber security, we need more good answers, rather than more questions to be answered by regulatory entities.
Good Cyber Governance and Cyber Compliance
The NYDFS guidance is also well-placed in that it focuses not just on “data protection” measures, which are but a piece of the puzzle, but also on “incident detection and response… and on the integration of information security into business continuity and disaster recovery policies and procedures,” as well as cyber security insurance coverage. These three pieces go together like a hand in a glove.
As recent major data breaches have taught us, it is more than likely that despite state of the art firewall and anti-virus protection, every day New York-regulated entities are subjected to thousands of cyber security “events” of various intensity and complexity. Those thousands of events require sophisticated incident detection tools to determine whether they are actually “incidents” in disguise, which would then require immediate remediation and/or counter-measures. Unfortunately, despite the best efforts of companies, it is estimated by some that at least 90% of all intrusion detection systems might not be able to catch the most sophisticated hack.[9] The name of today’s game is not being “cyber perfect” (because we can’t be) but remaining “cyber resilient,”[10] i.e., being able to take a cyber-punch and get back off the canvas through a battle-tested incident response and data recovery plan aimed at getting the organization back in business as soon as possible. Helping maintain resiliency is cyber insurance, which can potentially defray the huge (and potentially crippling) costs of a cyber-breach forensic investigation and recovery efforts.[11]
As noted above, NYDFS-regulated banks, financial institutions, and some insurance companies may not be subject to just NYDFS regulation, but to other federal regulations as well.[12] For these reasons, New York-regulated organizations need to become culturally “cyber compliant” organizations. Essentially, instead of “checking the box” once every audit cycle, cyber security procedures, training and policies (along with incident detection hardware and software) need to be revisited by internal IT departments and outside IT experts more than just once a year. Unfortunately, despite our best efforts, what is state-of-the-art today may not be state-of-the-art tomorrow. Cyber security processes, procedures, and internal discussions need to be documented when necessary to evidence improvements when made. And solid information concerning cyber security events, incidents, and incident responses needs to come to the attention of the board of directors in a timely fashion so that boards can exercise their fiduciary duties regarding enterprise risk management. Good cyber security is a living, breathing concept and needs to be treated as such.