In the Office of the Superintendent of Financial Institution’s (OSFI) first Annual Risk outlook for Fiscal Year 2022-2023, the OSFI identifies the most material risks which face federally regulated financial institutions (FRFIs). Among the financial risks that the OSFI identifies as most pressing is a significant cybersecurity incident or cyberattack. This focus has been intensified by the recent Russia-Ukraine conflict, which has brought into stark relief the fact that cyber risks can occur on a global level due to how highly interconnected the global financial system and associated technology infrastructures actually are. The current global context highlights the very real threats posed by this and other conflicts to financial and other international institutions.
Threat of attacks require incident preparedness
The existence and proliferation of highly sophisticated cyber incidents has been making headlines for years, and the instances of such incidents are becoming increasingly numerous and severe (there are several reports on this trend. For example, please see IBM’s report entitled: “How much does a data breach cost in 2022”). In response and subsequent to this threat, major Canadian financial institutions have been hardening their systems and testing its resilience. Penetration tests and “Red-Teaming”, which are measures designed to discover weaknesses and vulnerabilities in the financial institution’s information security posture, and approach the testing in ways that are similar to what is being used by actual hackers, are not optional but an essential part of incident preparedness. So-called ethical hackers must have the same up-to-date skillset of current hackers in the cybersecurity ecosystem in order to be effective and to achieve the goal of remaining as current as possible with the trends and methods that such attackers employ in real life cyber attack scenarios.
As we have reported on numerous previous occasions over the past years, the risks associated with cyber security vulnerabilities have been exacerbated due to the high number of employees that continue to work remotely as a result of the COVID-19 pandemic and other related factors. Institutions have had to increase their focus on fortifying the security measures associated with remote access for employees in addition to internal systems and networks that are confined to specific brick and mortar buildings that are controlled by such organizations.
Financial institutions often have proactive threat hunting and threat intelligence tools at their disposal and are building up teams and organizations in order to stay ahead of cybercriminals. These measures are also sometimes necessary and effective in identifying cyber incidents and data breaches in the financial institution’s supply chain.
Ransomware and financial institutions
One form of cybersecurity incident known as a ransomware attack does not show any signs of slowing. In fact, it has shown signs of evolving and becoming more sophisticated over time. The Sophos’ State of Ransomware report for 2022 reveals that among 5,600 IT professionals surveyed from small, medium and large organizations, 66% of organizations confirmed that they were the subject of ransomware attacks, up from 37% in 2020. The rise in the occurrence of such attacks includes a focus on large organizations in what is referred-to as “big game” attacks, as well as a reflection on the fact that many more victims of such attacks have been paying the ransoms demanded by hackers. In March of 2021, a ransomware attack experienced by CNA (an insurance firm based in the U.S.) caused a disruption to customer services as well as locking employees out of their own internal network. According to a May 20, 2021 report by Bloomberg, CNA paid a ransom of $40 million (U.S.) to regain control of its network. This case illustrates a shift from hackers attacking the assets of clients directly, towards attacking platform operators (such as financial institutions and insurance companies) in an effort to block transactions, which in-turn deprives such platforms of transaction-based revenues (such as self-service securities trading platforms, for example).
The extortion techniques themselves have evolved beyond the simple encryption of data through the use of malware on a victim’s computer which does not get decrypted unless and until the ransom has been paid. Today, hackers are finding new and effective ways to increase their leverage, including the rise of what is being referred-to as “double extortion” techniques, whereby hackers will both encrypt a victim’s data AND steal the encrypted data in order to threaten the victim with the prospect of a public leaking of such data. In fact, some hackers no longer bother with encryption at all and move straight into theft of the data and extortion of the victims while victims retain access to their data. This is likely in response to defensive information security measures such as regular data back-ups that lessen the efficacy of the encryption approach. However, restoration of data through accessing backed-up data will not always be feasible, especially in situations where critical services or systems are disrupted by encryption and systems remaining offline represent a significant risk of harm, such as hospitals providing critical care.
An additional attack vector that can be leveraged by hackers is a distributed denial-of-service (DDOS) attack, whereby hackers flood services with internet traffic to prevent legitimate users from accessing online services. This threat, in addition to the double extortion method, results in a “triple extortion” technique, which is designed to further increase the pressure on the victims of cyber attacks to pay the ransom demanded.
Cybercrime is evolving at a rapid rate. So much so, that it is now mimicking the structure and processes of legitimate business. In addition to creating their own malware, hackers are beginning to organize and distribute – both for their own purposes as well as to service affiliates. This activity includes charging other hackers for the use of their malware platforms in an activity that has come to be known as “Ransomware as a service” (RaaS), which is a play on the term “Software as a service” (SaaS). The rise of cryptocurrency has been central to hackers’ ability to engage in this type of criminal commerce. As a result, legitimate businesses are faced with the prospect of dealing with highly sophisticated and organized cybercrime networks which are capable of proliferating attacks at an unprecedented rate and scope. The cooperation and coordination of such criminal affiliations can at times surpass the ability of legitimate industry and law enforcement to stem the rising tide of cyber attacks globally. This is compounded by the fact that gaining entry into such criminal enterprises through the rental of infrastructure allows even small players to be able to carry out sophisticated attacks. Once again, this echoes how small entrepreneurs in legitimate business having been leveraging large public cloud providers such as AWS to act as the small business’ technology infrastructure in order to deliver services such as SaaS offerings of various kinds.
In response to the increased scope and sophistication of such attacks, regulators are contemplating taking measures intended to assure the public that security measures are being taken by organizations, such as the potential introduction by the U.S. Securities and Exchange Commission (SEC) of a requirement for publicly-traded companies (including those in the financial services sector) to start making cyber security-related disclosures, where the goal of such disclosures would be to “strengthen investors’ ability to evaluate public companies’ cyber security practices and incident reporting.”
In 2013, OSFI published its initial Cyber Security Self-Assessment which has evolved in its depth and sophistication in the intervening years. The Assessment tool allows FRFIs to measure the adequacy of their own Cyber Security controls with varying maturity levels (1 through 5, with the high end) describing the most sophisticated and mature best practices to be implemented by FRFIs. In addition to the Self-Assessment tool, OSFI has updated its Technology and Cyber Incident Advisory reporting requirements which were initially launched in January of 2019 (the “Advisory”). While the Self-Assessment tool is not mandatory, its use is highly recommended in order to allow financial institutions to continuously monitor, evaluate and undertake improvements to potential vulnerabilities in their respective information security posture. Similar to best practices for compliance with other OSFI Guidelines such as B-10 (Third Party Risk Management Guideline), federally regulated financial institutions will need to document the steps, processes and methods to be taken and followed in order to comply with the requirements of B-13, including by way of internal compliance policy and the adoption of consistent best practices across the operations of such financial institutions.
The Advisory requires FRFIs to address technology and cyber security incidents in a “timely and effective manner”, which includes the obligation for FRFIs to provide timely notifications to OSFI when cyber incidents occur. Importantly, unlike obligations imposed by Canadian federal or provincial privacy legislation, these incidents must be reported irrespective of whether there is an impact on personal information.
The Advisory defines a technology or security incident as “[…] an incident that has an impact on, or the potential to have an impact on the operations of a FRFI, including its confidentiality, integrity or the availability of its systems and information.” The criteria for reporting such incidents is set out on the OSFI website, which states that, in order for an incident to be reportable, it may have one or more of the characteristics set out by OSFI on the foregoing webpage. This includes breaches caused by vendors and other third parties used by the FRFI.
The notification itself must be made within 24 hours or sooner to OSFI’S Technology Risk Division ([email protected]), as set out in OSFI’s prescribed Incident Reporting and Resolution Form (attached as Appendix II to the Advisory).
Such reporting obligation is ongoing in nature, whereby OSFI expects to receive regular updates from the affected FRFI as soon as new information becomes available. A failure to report may result in “increased supervisory oversight.”
The foregoing developments have led OSFI to prepare Guideline B-13, which was issued in July of 2022 and will become effective as of January 1, 2024. This timeline has been established in order to allow FRFIs sufficient time to comply with this latest Guideline. The accelerating and widespread adoption and use of technology, together with the corresponding growth in cyber incidents and attacks are the primary driving forces which have led to the issuance by OSFI of this latest guidance, as announced on July 13, 2022.
Domains and principles of cybersecurity at financial institutions
B-13 is organized into what OSFI refers-to as “the domains for the sound management of technology and cyber security”, as follows: (i) Governance and Risk Management; (ii) Technology Operations and Resilience; and (iii) Cyber Security. OSFI further breaks down such domains into Principles applicable to each domain (and to be adhered-to by FRFIs.) Each of these “domains” outlines key factors in sound information security practices by financial institutions, whereas the Principles set out targeted areas for achieving objectives pertaining to each domain. Follow the hyperlinks for each domain below for information pertaining to each of the Principles:
(i) Governance and Risk Management Domain – Principles
Principle 1 – Accountability and Organizational Structure; Principle 2 – Technology and Cyber Strategy; Principle 3 – Technology and Cyber Risk Management Framework
(ii) Technology Operations and Resilience – Principles
Principle 4 – Technology Architecture; Principle 5 – Technology Asset Management; Principle 6 – Technology Project Management; Principle 7 – System Development Life Cycle; Principle 8 – Change and Release Management; Principle 9 – Patch Management; Principle 10 – Incident and Problem Management; Principle 11 – Technology Service Measurement and Monitoring; Principle 12 – Disaster Recovery; Principle 13 – Scenario Testing
(iii) Cyber Security – Principles
Principle 14 – Identify Cyber Vulnerabilities; Principle 15 – Cyber Safeguards; Principle 16 – Detection of Cyber Incidents; Principle 17 – Respond, Recover, Learn
As the technology sector continues to rapidly evolve, it is more important than ever that governmental and regulatory authorities, such as OSFI, respond with risk management frameworks that are appropriate and commensurate with dynamic risks and challenges (both geopolitical and otherwise) faced by the world today. The various participants in this ecosystem and the corresponding regulatory framework will need to remain vigilant if consumers are to continue to have faith and trust in our financial institutions.