“Money, Money, Money, Money” is the opening lyrics for the 1973 song, “For the Love of Money.” The soul funk classic goes on to describe all of the dastardly acts that people will do in order to get more money. One of the malevolent acts some are willing to do in the digitally connected world of today is conduct cyberattacks on financial institutions. In 2017, financial services companies lost a total of $16.8 billion to cybercriminals. According to Dan Schulman, CEO of PayPal who also serves on the board of Symantec, the typical American business gets attacked about 4 million times a year while financial services companies get attacked over a billion times a year. Only the U.S. Post Office is targeted more. That breaks down to approximately 30 attacks a second.
The losses are steep and so are the costs. According to a recent report entitled “The Cost of Cyber Crime Study,” the average cost of cybercrime for financial services companies has increased by more than 40 percent over the past three years, from $12.97 million per firm in 2014 to $18.28 million in 2017. This is the highest of any industry. While the average cost per compromised record for the average U.S. business was $225 across all industries in 2017, the same cost was $336 across the financial industry. In addition, the number of breaches has tripled in the past 5 years.
The Cost is More than Mere Dollars
While the immediate costs of a data breach are acute, the long-term damage to a firm’s reputation and brand may be even more costly. Customer turnover is expensive in today’s hyper-competitive world. According to a Ponemon Institute consumer sentiment study, data breaches are one of the top 3 factors that affect the reputation of a company. Only poor customer service and environmental incidents rank higher. Cyber hygiene is an issue for banking customers. According to a 2016 survey, 28 percent of bank customers left their bank due to unauthorized activity on their accounts, and 12.3 percent of credit union members did the same. The fact is that consumer trust is hard to earn – and even harder to win back. Furthermore, the costs of customer turnover are not limited to the immediate aftermath of a breach, but instead can last up to 11 years.
Examples of Recent Breaches in the Financial Sector
The list of confirmed or potential breaches and cyberattacks throughout the financial sector is a long one indeed. The incidents involve firms of all sizes, both domestic and international. The range of services includes traditional banks, investment firms and third party vendors. Some are direct attacks while others are vulnerabilities that may or may not have been exploited. A small sampling includes the following:
- HSBC reported a cyberattack that took place in October of 2018 in which hackers gained unauthorized access to accounts of some of its U.S. customers. Compromised information included the names, addresses, contact information, birthdates, account information and transaction history.
- Two of the five largest banks in Canada were attacked earlier in 2018. The Bank of Montreal, Canada’s fourth largest bank, reported having been contacted by criminals who claimed to be in possession of the records of 50,000 of its customers. Canadian Imperial Bank of Commerce, Canada’s fifth largest lender, was contacted in similar fashion regarding 40,000 customers.
- A community bank, National Bankshares in Blacksburg, VA, with assets of $1.3 billion, found itself in a lawsuit with its insurance company in 2018 regarding two separate phishing attacks that occurred in 2016 and 2017. Employees were tricked into clicking something within the emails that launched a malicious payload of hacking tools, through which the perpetrators stole $2.4 million by making unauthorized withdrawals at hundreds of ATMs nationwide.
- In 2017, Scottrade reported a breach involving 20,000 customers that originated through a third party as a result of careless employee behavior. The breach involved names, social security numbers as well as usernames and passwords.
- A blatant weakness was discovered in the web platform of Fiserv, Inc., a Fortune 500 company that serves as a major provider of technology services to financial institutions. The web platform helps power the websites for hundreds of financial institutions such as community banks and credit unions. The discovered vulnerability allowed a related banking customer to spy on the daily transaction activity of other customers within the same bank.
How and Why Does Data in the Financial Sector Continue to get Compromised?
When it comes to financial data breaches, IBM and the Ponemon Institute estimate that 50 percent of these incidents are the result of malicious or criminal attacks. System glitches were the culprits in 27 percent of these breaches, and 23 percent were the result of negligent employees. This clearly shows that threats are both internal and external and that negligence is just as much a threat as a faceless hacker. According to a 2016 report on the cybersecurity state of the financial industry, 75 percent of the top 20 U.S. banks are infected with malware and 95 percent of these institutions have a network security grade of “C” or below.
According to the IMF, 39 percent of all cyberattacks on financial institutions were against U.S. firms. They state that the risk to financial institutions is a function of three components, as shown in the following equation.
Risk = f (Threat, Vulnerability, Consequences)
Besides the obvious fact that cybercriminals target banks for financial gain, the threat levels for financial institutions are high due to the sophistication of today’s attackers, who are part of highly connected criminal networks, proxy organizations and nations such as North Korea. Like the healthcare industry, financial institutions are reliant on highly interconnected networks, which increases vulnerability. Because customers of the regulated financial services industry have such high expectations concerning the protection of their data, the consequences are inherently higher than in other industries.
Small banks face the challenge of having to protect themselves against highly experienced and educated hackers, even though they may not have a high-level internal IT staff. Many community banks are forced to outsource their IT functions and cybersecurity responsibilities to third party solution providers. This limits their ability to instill a culture of security awareness throughout the bank itself. Another inherent vulnerability for smaller community banks derives from their greater emphasis on individual customer service, which may conflict with security measures that are normally required.
Thanks to online banking, the attack surface has grown exponentially over the past decade, as so many customers now bank online. As a result, the use of specialized banking malware such as banking Trojans has grown in lockstep. This further complicates the monitoring process for banks and puts them in the position of providing guidance and alerts to their customers regarding proper hygiene and current threats.
What Executive Leadership is Doing to Combat Today’s Threats
Like most industries today, the executive leadership of financial institutions has taken notice of the dire need to improve the security of their institutions and to protect their assets and the personal information of their customers and employees. Says Bancorp CEO Andy Cecere, “We have been taught as bankers that the #1 risk in banking is credit. I think cybersecurity is closely approaching that.” This realization is evident across the industry, as shown by a 2017 survey in which financial institutions at large had increased cybersecurity spending by 67 percent since 2013. But while increased spending is needed, simply throwing additional resources at the problem will not suffice. Some of the actions taken by financial institutions include the following:
- Undergoing risk assessments in order to identify the risks inherent within their organization
- Hiring outside specialists to find security weaknesses by conducting penetration testing that emulates how an actual hacker would attack the organizations
- Putting greater emphasis on incident response plans today rather than just focusing on prevention
Most importantly, financial services firms have realized that security starts at the top. For large banks, this means it starts at the board level. The company board needs to ensure that the organization has the resources it needs and that the proper leadership is in place.
How Duty of Care/CIS RAM can help strike the right balance
No matter what industry you are in, a proper risk assessment is essential in order to identify the risks inherent to your organization and the threats that have the potential to realize those risks. A risk assessment allows you to gain visibility and insight into the current state of your security posture. Once the potential threats relevant to your organization are identified, you can then prioritize them according to their impact and likelihood. This is important because not every threat can be protected against and nothing is completely safe. Should your organization undergo the traumatic experience of a data breach, you will not be judged by the amount of security you could have afforded, only on whether the amount of security was justified by your situation. Obviously, the expectations for a global financial entity vary from those for a bank with several branches.
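The prioritization step described here, and the Risk = f(Threat, Vulnerability, Consequences) equation above, as an added illustration that is not part of the original article or of CIS RAM itself: each threat in a constructed risk register is scored on the three components, ranked, and compared against an acceptable-risk threshold, and a candidate safeguard is checked for whether its burden is justified by the risk it removes. The 1..5 scales, the multiplicative scoring, the threshold of 30 and the sample register are all assumptions made for this example.

```python
# Added example: ranking a risk register by threat, vulnerability and
# consequence. Scales, scoring and threshold are assumptions for illustration,
# not CIS RAM's method or any figure from the article.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: int         # likelihood the threat acts, 1 (rare) .. 5 (constant)
    vulnerability: int  # likelihood an attempt succeeds, 1 .. 5
    consequence: int    # impact if it succeeds, 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        # Assumed instantiation of Risk = f(Threat, Vulnerability, Consequences):
        # likelihood = threat * vulnerability, risk = likelihood * consequence.
        return self.threat * self.vulnerability * self.consequence


def prioritize(items, acceptable=30):
    """Rank items highest risk first; the flag marks scores above the
    assumed acceptable-risk threshold, i.e. those that need a safeguard."""
    ranked = sorted(items, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), r.score() > acceptable) for r in ranked]


def needs_safeguard(items, acceptable=30):
    return [name for name, _, above in prioritize(items, acceptable) if above]


def safeguard_is_reasonable(before, after, burden, acceptable=30):
    """Assumed duty-of-care reading: a safeguard is justified when it brings
    the risk to an acceptable level and its burden (same scale as scores)
    does not exceed the risk it removes."""
    removed = before.score() - after.score()
    return after.score() <= acceptable and burden <= removed


# Constructed sample register loosely modelled on the incident types above.
SAMPLE_REGISTER = [
    RiskItem("Phishing email delivering malware to staff", 5, 4, 4),
    RiskItem("Vendor web platform exposes customer transactions", 3, 3, 5),
    RiskItem("Banking Trojan on customer devices", 4, 3, 3),
    RiskItem("Insider negligence leaking records", 3, 2, 3),
    RiskItem("Physical theft of a branch server", 1, 2, 4),
]

if __name__ == "__main__":
    for name, score, above in prioritize(SAMPLE_REGISTER):
        print(f"{score:3d} {'UNACCEPTABLE' if above else 'acceptable  '} {name}")
```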
Information risks vary from one organization to the next, which can make the process of determining an organization’s expected “duty of care” intimidating, if not overwhelming for those who don’t practice cybersecurity on a professional basis. Fortunately, there is a set of guidelines available called the CIS® (Center for Internet Security) Risk Assessment Method (RAM). CIS RAM provides a set of controls to address your risks and obligations as well as a prioritized set of actions to protect the assets of your organization from cyberattacks.
For those unfamiliar with CIS RAM, partnering with a dedicated security firm such as HALOCK Security Labs can help oversee the process of determining your risk criteria in order to meet your standard of due care. A strategy built with CIS RAM provides prioritized actions to achieve good cybersecurity hygiene throughout your organization, which is the key to protecting not only your hosted data, users and devices, but the reputation of your organization as well. As a business owner or bank executive, you may not have to fully understand the details of cybersecurity, but it doesn’t have to be a mystery either. For the financial services industry, the ability to account for the threats and risks to your organization plays a key role in preserving the financial state and wellbeing of your organization.
FINANCIAL SERVICES RESOURCES:
- Duty of Care Risk Analysis (DoCRA) Checklist
- CIS RAM Prospectus
- Foreseeable Risk Index (FRI)
- CIS RAM Workshop – Live Stream Dec. 10, 2018