Prudential bank regulators and other supervisory authorities have put cybersecurity front and center in 2015 by issuing guidance that sets forth their expectations of improved cybersecurity and that incorporates cybersecurity assessments into the scope of examinations.
In June 2014, JPMorgan Chase & Co., a leading global financial services firm and one of the largest banking institutions in the United States, was attacked. More than 90 of the bank’s servers, which housed user contact information for current and former customers who had accessed chase.com or jpmorgan.com, were attacked by hackers. The attack constituted one of the biggest breaches in banking history, with the private information of about 76 million households and about 7 million small businesses compromised. The information included names, addresses, phone numbers and email addresses, but did not include financial information, such as passwords, dates of birth, social security numbers or account numbers. It was not until August 2014 that the attack was detected. In the aftermath, the bank pledged to double resources devoted to cybersecurity.
Cyber attacks have become key risks for banks. Hackers are highly motivated to attack banks because of the wealth of information they possess, the growth of their interconnected services and the fact that an attack is inexpensive, since the same tools can be reused against more than one bank. In addition, attacks are increasingly conducted not to steal information or money, but rather to cause disruption as a form of retaliation against the United States. Some believe the attack against JPMorgan was the work of a sovereign nation, similar to the 2013 attack on HSBC, which was the work of Islamic groups, and the 2012 attacks on Bank of America and Citigroup, which were the work of Iran.
CSBS Cybersecurity Guide
On December 17, 2014, the Conference of State Bank Supervisors (CSBS) issued “Cybersecurity 101: A Resource Guide for Bank Executives” (the Cybersecurity Guide), which is intended to assist bank CEOs, senior executives and board members in meeting their duties to mitigate cybersecurity threats. The Cybersecurity Guide compiles in one document industry-recognized standards for cybersecurity and best practices used within the financial services industry.
The Cybersecurity Guide was issued as part of CSBS’s Executive Leadership of Cybersecurity (ELOC) initiative, which was launched in 2014 to raise awareness among bank CEOs that the management of an institution’s cybersecurity risk is an executive-level issue that requires CEO involvement.
The Cybersecurity Guide is organized around the following five core cybersecurity functions set forth in the National Institute of Standards and Technology’s (NIST’s) 2014 Cybersecurity Framework:
- Identify: Identify the internal and external risk of loss or damage posed by the bank’s activities, connections and operational procedures by conducting a risk assessment. This includes: (i) classifying the bank’s data in accordance with its sensitivity and importance to the bank’s operations; (ii) identifying threats to the bank and the vulnerabilities in the bank’s systems; (iii) measuring the bank’s level of risk; (iv) communicating the risk and ways to mitigate it to the bank’s senior management and board of directors; and (v) establishing a process for cyber risk management.
- Protect: Ensure that the bank has appropriate safeguards or controls in place to mitigate threats to the bank. This includes assessing the sufficiency of existing policies and procedures and assessing staff knowledge and readiness to address threats. Policies and controls should include: (i) implementing security measures to authenticate customers accessing financial services via the bank’s website; (ii) establishing multiple layers of security and access control for sensitive and critical information and limiting the employees with access to such information; (iii) protecting data by developing and maintaining an effective information security program tailored to the complexity of the bank’s operations and implementing industry best practices for securing sensitive data; (iv) requiring, by contract, service providers that have access to the bank’s customer information to take appropriate steps to protect the security and confidentiality of this information and auditing such compliance on a regular basis; (v) maintaining secure configuration for hardware and software systems; and (vi) installing a firewall for the bank’s system.
- Detect: Mitigate threats proactively by using controls and sensors that automatically work to prevent unauthorized access to the networks and regularly updating such controls.
- Respond: Devise an incident response plan, which includes: (i) forming an interdisciplinary response team with representatives from various departments as well as outside legal counsel; (ii) drafting a plan with clearly defined steps, timelines and checklists; (iii) conducting preparedness training for the response team; (iv) assessing the legal requirements for reporting an incident; and (v) communicating the event as needed.
- Recover: Develop and implement a recovery plan that includes appropriate processes and procedures for restoring confidence in the recovered systems and data. This may include: (i) rebuilding servers, databases and network devices that may have been compromised and restoring baseline configurations; (ii) restoring data; (iii) reconnecting the service with minimal disruption; (iv) determining which cybersecurity management improvements are necessary to prevent similar attacks from occurring; (v) determining whether the incident response plan needs to be improved; (vi) routinely auditing and improving the plan; and (vii) conducting annual “tabletop exercises” to discuss roles and responsibilities in an incident in order to test the effectiveness of the plan.
NYDFS Examination Letter
On December 10, 2014, a week before the publication of CSBS’s Cybersecurity Guide, the New York Department of Financial Services (NYDFS) issued a guidance letter to the financial industry, in which it announced that it will incorporate cybersecurity issues into the IT examinations that it conducts on the banks under its jurisdiction. The guidance follows the NYDFS’s May 2014 “Report on Cyber Security in the Banking Sector.” The intent of this new cybersecurity examination process is to encourage all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.
The examinations will be based on new expectations for cybersecurity protocols, governance and third-party vendor data security, among other issues, and will likely be modeled after the NIST Cybersecurity Framework. The Securities Industry and Financial Markets Association is in the process of developing “auditable standards” of the NIST framework, which would be beneficial in supporting adoption of best practices.
The examinations will be conducted following the comprehensive risk assessment of each institution. To this end, the NYDFS will be asking banks to provide it with information, including the following:
- training and qualifications of the bank’s chief information security officer
- organizational chart of the bank’s IT and information security functions
- copies of the bank’s information security policies; system and device vulnerability management program; due diligence process regarding information security practices that are used in vetting, selecting and monitoring third-party service providers; incident response plan; and business continuity plan.
Each bank board should assess its control environment, including cyber threats. Safety and soundness standards mandate that a board authorize its management, and provide it with the resources, to develop the systems necessary to take all reasonable measures to protect the bank from foreseeable financial harm. A control environment calibrated to achieve a reasonable risk-based approach, with sufficient attention to risk transfer devices such as well-crafted indemnification provisions with contractual counterparties and insurance, is key.
The NYDFS and other prudential federal and state regulators of financial institutions are making cybersecurity a priority for enforcement in 2015. In order to pass the NYDFS examinations, banks should make any improvements necessary to their infrastructure and systems. In addition, now would be a good time to review and amend, as necessary, the policies and procedures specifically implicated by the NYDFS, including the information security policy, the incident response plan, the business continuity plan and the procedure for vetting third-party service providers. Conducting tabletop exercises to simulate an attack would also be an effective way to assess and fix any vulnerabilities.