Banks’ boards of directors must, among other things, understand the risks associated with existing and planned IT operations, monitor risk management, and work with senior bank managers on strategic technology planning. See the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook InfoBase. Recent changes in the types of attacks perpetrated by cyber criminal groups and attackers’ increased skill levels have changed how board members should approach these cybersecurity responsibilities.
The number of ransomware attacks against businesses in the U.S. quadrupled in 2016, according to Beazley, a leading cyber insurance carrier. The FBI estimates that U.S. businesses paid more than a billion dollars to ransomware attackers in 2016. The number of such attacks is projected to increase again in 2017.
The dramatic increase in ransomware attacks should cause banks’ board members to ensure that their banks’ information technology managers and the banks’ critical vendors keep backups of mission-critical data offline (or otherwise isolated from the production network) so that the backups cannot be encrypted or deleted by the same attack that compromises the production systems. Board members should also ensure that restores are tested regularly and that the backups can be restored quickly enough that a ransomware attack will not significantly interrupt bank operations; an untested backup is not a recovery plan. Board members should review their banks’ insurance coverage to determine whether existing policies will cover business-interruption losses caused by ransomware attacks on their banks or on critical vendors.
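The two controls above that are actually testable are backup integrity and restore time. The following Python script is an added example, not code from the original article or from any of the organizations it cites: it records a SHA-256 digest of a backup archive (kept offline with the backup), verifies the archive against that digest before restoring, restores it into a scratch directory, and compares the elapsed time with an assumed recovery time objective. The sample archive, its contents and the 60-second objective are constructed for illustration; the "ransomware" step merely corrupts the archive bytes so that the digest check fails.

```python
"""Restore drill: verify an offline backup and time its restoration (added example)."""
import hashlib
import hmac
import io
import tarfile
import tempfile
import time
from pathlib import Path


def build_sample_backup() -> bytes:
    """Constructed sample backup: a tar archive with two small files."""
    files = {
        "ledger/accounts.csv": b"id,balance\n1,100\n2,250\n",
        "config/app.ini": b"[db]\nhost=db.internal\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Digest to be recorded out-of-band when the backup is taken."""
    return hashlib.sha256(data).hexdigest()


def simulate_ransomware(archive: bytes) -> bytes:
    """Corrupts the archive in place, as an attacker encrypting it would (XOR stands in for real encryption)."""
    return bytes(b ^ 0x5A for b in archive)


def _safe_member(member: tarfile.TarInfo) -> bool:
    """Reject absolute paths and parent-directory traversal inside the archive."""
    parts = member.name.split("/")
    return not member.name.startswith("/") and ".." not in parts


def restore_drill(archive: bytes, expected_digest: str, rto_seconds: float) -> dict:
    """Verify the archive digest, restore into a scratch directory, and check the elapsed time against the RTO."""
    start = time.monotonic()
    if not hmac.compare_digest(sha256_hex(archive), expected_digest):
        return {"ok": False, "reason": "digest mismatch", "files": [], "elapsed": 0.0}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            members = tar.getmembers()
            if not all(_safe_member(m) for m in members):
                return {"ok": False, "reason": "unsafe path in archive", "files": [], "elapsed": 0.0}
            # Python 3.12+ provides the "data" extraction filter; fall back on older versions.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        root = Path(scratch)
        restored = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    elapsed = time.monotonic() - start
    ok = elapsed <= rto_seconds
    return {"ok": ok, "reason": "" if ok else "restore exceeded RTO", "files": restored, "elapsed": elapsed}


if __name__ == "__main__":
    backup = build_sample_backup()
    digest = sha256_hex(backup)          # stored offline alongside the backup media
    print(restore_drill(backup, digest, rto_seconds=60))
    print(restore_drill(simulate_ransomware(backup), digest, rto_seconds=60))
```

The digest must be stored with the offline copy, not on the file server the backup protects, or an attacker who encrypts the data can rewrite the digest as well. In practice the drill is run against a full-size backup on the hardware that would be used during a real recovery, because restore time on production-sized data is the number the board actually needs.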
The intensity of distributed denial of service (DDoS) attacks has also increased. Attackers now use compromised Internet of Things (IoT) devices to launch and sustain the attacks. The use of an IoT botnet to take down Dyn, a large DNS provider, in October 2016 illustrates that DDoS attacks of more than one terabit per second will become increasingly common; it also shows that a bank can be knocked offline by an attack on a provider it depends on, not only by an attack on its own network. Board members should ensure that their banks’ networks and those of their key vendors are protected against massive DDoS attacks by mitigation services that can absorb or divert the traffic, and that those protections are in place before an attack rather than procured during one.
Finally, the skills of attackers targeting banks’ computer networks have improved to new levels. Mandiant’s 2017 M-Trends report states on page 9: “The line between the level of sophistication of certain financial attackers and advanced state-sponsored attackers … no longer exists.” In other words, banks are being targeted by attackers with skills equivalent to those of attackers employed by Chinese and Russian intelligence agencies. How advanced are those skills? Extremely advanced, according to a February 2017 report by the Department of Defense (DoD), Defense Science Board, Task Force on Cyber Deterrence (page 4): “For at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.”
To ensure their banks are prepared for such attackers, board members should advocate that the banks engage the best security firms available to conduct “red team” tests of the banks’ defenses, detection tools and incident response procedures, and should ask for the findings and the remediation status rather than only a summary that the test was performed. Board members should also work with senior managers to ensure the banks retain incident response vendors, such as forensic firms and knowledgeable counsel, in advance so that they are available immediately when a cybersecurity incident occurs.