By Joe Alecci, IT Senior Manager
In a recent report published by the Ponemon Institute, it was noted that 2014 will long be remembered as the year of the Mega Breach. Starting with the Target breach in late 2013 and ending with the Sony attack, mega cyberattacks were front and center in the news and on the minds of most corporate executives. The only good outcome from these attacks (if there is such a thing) is that it has forced companies and organizations of all sizes and from all industries, including banking, to re-evaluate or, in some cases, rebuild their cybersecurity programs.
With all of these headlines it’s no surprise that in the summer of 2014, the FFIEC piloted a cybersecurity assessment at over 500 community financial institutions to evaluate their preparedness and ability to mitigate cyber risks. The assessment noted that cybersecurity inherent risks, which are the institutions’ activities and connections, not including their risk mitigating controls, varied significantly from institution to institution. Due to these inconsistencies, the FFIEC made some recommendations that financial institutions should implement to be better prepared for any potential attacks.
Starting at the top, the FFIEC recommended increased engagement by the Board of Directors and Senior Management to ensure that they understand inherent cybersecurity risks and routinely discuss cybersecurity in meetings. Engaging the Board and Senior Management means that cybersecurity governance must be addressed at the highest level, which, in turn, sets the tone for an effective cybersecurity governance strategy and organizational structure. It is the role of the Information Security Manager to define the information security program and to provide guidance and information to executive management to enable informed decision-making. Organizations that exhibit strong governance often utilize a steering committee consisting of managers and leaders from various departments across the organization.
The FFIEC also expects financial institution management to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities by participating in information sharing forums such as the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). The FFIEC noted that institutions that utilize cyber-intelligence sharing programs are better equipped to mitigate risks. Hackers and hacking organizations use vast internet forums to share information, so it makes sense for financial institutions to do the same.
One option is the FS-ISAC’s recently released Soltra Edge intelligence sharing platform. As the Dec 3rd press release notes, “Soltra Edge is a software solution designed to facilitate the collection of cyber threat intelligence from various sources, convert it into an industry standard language and provide timely information on which users can decide to take action to better protect their company.” Soltra Edge can now be downloaded (www.soltra.com) by most organizations with no cost for the basic license.
The FFIEC observations also noted that while most organizations have preventative tools in place, such as anti-virus and anti-malware, they should routinely scan IT networks for vulnerabilities and potential exposure to cyberattacks. The question often asked is: what is considered “routinely”? The answer, in my opinion, is that it depends on the security posture of the organization, which is determined by a risk assessment. The organization needs to understand the inherent risks and the corrective controls in place across its critical systems. For example, organizations with extensive controls, such as IDS, patch management, web filtering, next generation firewalls, security awareness training and adequate logging and monitoring controls, as well as strong governance, may not need to scan their networks as often as an organization with limited controls.
We are already seeing many of our strongest clients increasing the frequency of their internal and external vulnerability scans from annually to semi-annually. One thing is certain: the constantly increasing number and complexity of attacks indicates that conducting internal and external vulnerability assessments on an annual basis isn’t going to be enough.
Although it was noted that many financial institutions have processes in place to manage third party relationships and document their connections, management needs to consider the risk of each connection and evaluate the provider’s cybersecurity controls. Back in 2013, the OCC released bulletin 2013-29, which “upped the ante” with regard to vendor management guidance. The bulletin revamped the third party risk management lifecycle and provided a road map for financial institutions to manage third party risk. Ultimately, financial institutions need to hold the cybersecurity program of their service providers to at least the same level as their own internal cybersecurity program.
The FFIEC also determined that financial institutions have Business Continuity and Disaster Recovery Plans (“DR/BCP”) in place and are able to call on third parties for mitigation services during a disaster event. However, financial institutions need to expand these plans to include incident response capabilities. Most financial institutions are required to test their DR/BCP plans annually, but they do not routinely test their incident response plans. Enterprise-wide testing of an organization’s incident response plan with third party providers will not only assist in identifying potential gaps but also ensure that all employees know what is expected of them when an attack occurs. Simple “tabletop” testing can go a long way in helping employees understand the incident response process as well as increasing cybersecurity awareness.
Financial institutions need to prepare with the assumption and understanding that they will be, at one time or another, a target of a cybersecurity attack, and ensure that their governance, risk mitigating controls and response capabilities are up to the challenge.
Joseph Alecci, CISA, CISM, CISSP, CRISC
Senior Manager – IT Audit & Information Security
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.