Cybersecurity as a Global Concern in Need of Global Solutions: Some Recent Financial Regulatory Developments
By V. Gerard Comizio, Behnam Dayanim & Laura E. Bain
U.S. financial regulators are increasingly recognizing the threat of cyberattacks as one of “the biggest systemic risk[s] we have facing us.”
Globalization, however, further complicates an already difficult task for regulators and law enforcement. Neither financial institutions nor their technology platforms are confined within the borders of a single country, as cybercriminals have long recognized. A U.S. financial institution may have branches whose employees access the internet from numerous countries, or it may maintain a physical presence solely in the U.S. while allowing its customers to use online banking from anywhere. Even an institution with no online presence, if such an institution still exists, is exposed to cybercrime when it installs compromised software on its internal systems, and not just to cybercriminals within its own country, but to attackers anywhere. Cyberattacks are a global problem in need of a global response.
In May 2015, the U.S. House of Representatives Committee on Financial Services heard testimony from a cybersecurity expert of the possibility of a “rapid spike in truly disruptive attacks by a dangerous adversary, which no longer has a stake in a global financial system,” and that “[t]his danger requires immediate contingency planning with the sector and with regulators and other Federal partners, along with coordination with our international partners particularly in Europe.”
This article provides an overview of recent developments in cybersecurity regulation by 1) the U.S., 2) the UK, and 3) the EU, as well as the movement towards international cooperation, and serves as a guide for financial institutions to develop an effective cyber-risk management program.
I. The United States
As we noted in a previous Stay Current,
In 2015, the Financial Stability Oversight Council (“FSOC”) issued a report discussing the emerging threat of cyberterrorism, and stated that financial institutions “should be prepared to mitigate the threat posed by cyberattacks that have the potential to destroy critical data and systems and impair operations.”
A. Unclear Expectations for Information Sharing
In addition to its substantive recommendations, FSOC also indicated that it expects firms to participate in information sharing, without specifying what form that participation should take.
B. Emerging Cybersecurity Tools
In June 2015, the Federal Financial Institutions Examination Council (“FFIEC”) developed and released the Cybersecurity Assessment Tool to assist financial institutions in identifying their risks and assessing their cybersecurity preparedness.
The Cybersecurity Assessment Tool contains a two-part test:
Part 1: Inherent Risk Profile – Part 1 contains a series of charts that allow a financial institution to assess its inherent risk level with respect to five categories: (1) technologies and connection types, (2) delivery channels, (3) online/mobile products and technology services, (4) organizational characteristics, and (5) external threats. Each category lists certain activities and products, and depending on the extent and manner of the institution’s involvement with each activity or product, its risk level for that item is rated least, minimal, moderate, significant, or most.
Technologies and connection types – For this category, a financial institution considers its risk level for various types of connections and technologies, including, among other things: its total number of internet service provider (“ISP”) connections, its unsecured external connections, its wireless network access, the extent to which it allows personal devices to connect to its corporate network, the number of third parties (such as vendors and subcontractors) with access to internal systems, and the third-party service providers that store and process information supporting critical activities. For example, an institution rates its wireless network access as “least” risk if it has no wireless access at all, and as “most” risk if all employees have wireless access and the institution provides access to over 1,000 users via over 100 access points.
Delivery channels – This category enables a financial institution to assess its risk level based on its online presence, its mobile presence, and its use of automated teller machines (“ATMs”).
Online/mobile products and technology services – This category addresses the risk level associated with certain types of products and services, including, among other things, debit and credit cards, prepaid cards, mobile wallets, person-to-person payments, and correspondent bank services.
Organizational characteristics – For this category, an institution evaluates the risk level associated with its organizational characteristics based on certain factors, such as recent mergers and acquisitions, changes in IT and information security staffing, locations of branches/business presence, and locations of operations.
External threats – In this category, an institution assesses its vulnerability to external threats based on the number and frequency of past cyberattack attempts.
Part 2: Cybersecurity Maturity – Part 2 enables a financial institution to determine its cybersecurity preparedness across five domains: (1) cyber-risk management and oversight; (2) threat intelligence and collaboration; (3) cybersecurity controls; (4) external dependency management; and (5) cyber-incident management and resilience. Based on various assessment factors, an institution can use the charts in Part 2 to match its cyber-preparedness in each domain to the following levels: baseline, evolving, intermediate, advanced, and innovative.
Cyber-risk management and oversight – In this domain, an institution assesses its governance, risk management, resources, and training and culture. For example, an institution’s training and culture meets the baseline level if the institution provides annual information security training, makes situational cyber event awareness materials available to employees, has readily available customer awareness materials, and its management holds employees accountable for complying with the information security program. To meet the next level of preparedness, evolving, the institution must meet the baseline expectations and also provide continuing cybersecurity training to cybersecurity staff, provide cybersecurity training to management and business units that is tailored to their job responsibilities and particular business risks, require additional training for employees with privileged account permissions, validate the effectiveness of the training, impose formal standards of conduct to hold employees accountable for compliance, actively discuss cyber-risks at business unit meetings, and ensure employees clearly understand how to identify and report potential cybersecurity issues.
Threat intelligence and collaboration – This domain assesses the following factors: threat intelligence, monitoring and analyzing threats, and information sharing.
Cybersecurity controls – For this domain, an institution evaluates its preparedness level based on certain factors, including its preventative controls, detective controls, and corrective controls.
External dependency management – This domain addresses the institution’s preparedness level with respect to its technology connections and relationship management.
Cyber-incident management and resilience – The last domain enables an institution to determine its cybersecurity program’s maturity based on the sophistication of its incident resilience planning and strategy, detection, response and mitigation, and escalation and reporting.
By completing Part 1, a financial institution can identify not only its overall inherent risk level but also the specific areas of greatest vulnerability. This enables the institution to understand its risk and create strategies to address areas of cybersecurity weakness. By completing Part 2, a financial institution can evaluate its overall cybersecurity preparedness and determine which areas require additional improvement and resources. The Cybersecurity Assessment Tool thus gives financial institutions a useful measure of whether their cybersecurity programs meet the federal banking agencies’ (“FBAs”) supervisory expectations, as well as significant guidance for identifying and mitigating their cybersecurity risks.
II. The United Kingdom
The UK is often regarded as having the “best developed e-commerce in the world.”
A. Increasing Emphasis on Cyber Resilience
In a significant speech entitled “Cyber in Context,” delivered in July 2015 by Andrew Gracie, the Bank of England’s Executive Director for Resolution, Mr. Gracie stressed the regulatory priority for the financial services sector to achieve and maintain “operational resilience” with respect to cybersecurity.
The Bank of England’s emphasis on cyber-resilience includes an emerging regulatory focus on financial institutions’ defensive capabilities, recovery capabilities, and effective governance.
Defensive capabilities – Citing the July 1, 2015 Financial Stability Report by the Financial Policy Committee of the Bank of England, Mr. Gracie described defensive capabilities as capabilities that “enable firms to identify and withstand attack.” The Bank of England expects core financial sector firms, as well as their suppliers and the firms they do business with, to maintain cybersecurity programs that ensure they are able to manage persistent threats. Cybersecurity programs must:
(1) Recognize the importance of employees – Cybercriminals do not only exploit potential system and software weaknesses. Often, cybercriminals first target a financial firm’s employees, for example through a spear phishing campaign (sending targeted emails with malicious software attached to employees of the institution, which, when opened, infect the system from inside an otherwise secure access point). Thus, it is critical that financial institutions implement and maintain adequate arrangements to ensure employees firm-wide understand cyber-risks and their responsibilities for reporting and managing those risks.
(2) Adequately invest in staff and resources.
(3) Regularly test for cybersecurity vulnerability.
Recovery capabilities – Recognizing that “no network is impenetrable,” the Bank of England also expects financial institutions to develop and maintain recovery capabilities that ensure they are able to resume secure services after a cyber-incident. Financial institutions must adapt business continuity planning to address cyber-risks, and should consider imposing greater “segregation between primary and backup systems” so that an attack that compromises the primary environment does not also compromise the means of recovering from it.
Effective governance – The responsibility for understanding and responding to cyber-risks extends throughout a financial institution, from the board of directors, to senior management in each business unit, to technology specialists, and to employees.
B. Evolving Cybersecurity Guidance
On January 15, 2015, the UK Cabinet Office, the Centre for the Protection of National Infrastructure, CESG, and the Department for Business, Innovation & Skills updated the 10 Steps to Cyber Security, originally published in 2012 and used by approximately two thirds of the largest 350 companies listed on the London Stock Exchange. The ten steps are:
Implement Information Risk Management Regime – Companies should assess the vulnerability of their information assets to cyber-risk and establish an enterprise-wide information risk management regime that is supported by board and management, with a risk management policy communicated to all employees and third party service providers.
Ensure Secure Configuration – Companies should establish secure baseline configurations and manage the use of their information and communications technology systems, including by removing or disabling unnecessary programs and fixing known software and system flaws through timely patching.
Maintain Network Security – Companies should ensure the networks they use are secure, including by monitoring network traffic or use for “unusual or malicious incoming and outgoing activity that could indicate an attack.”
Manage User Privileges – Companies should provide users with only the privileges necessary to perform their job, limit the number of privileged accounts, and monitor account activity.
Educate Users – Companies should train employees on cyber-risks, tailored to their roles.
Manage Cyber-Incidents – Companies should establish “incident response and disaster recovery” plans and regularly test plans to ensure they appropriately address “the full range of incidents that can occur.”
Use Malware Prevention – Companies should develop policies and procedures that directly address the processes most exposed to malware, such as email use. System scans should be conducted regularly, and all incoming information and vendor-supplied software should be scanned before use.
Monitor – Companies should design and maintain a strategy and procedures for continuous cyberattack monitoring that incorporates lessons learned from prior incidents.
Create Controls for Removable Devices and Data – These controls should include policies that restrict the types of devices that may be used and the types of data that may be transferred.
Assess the Risks of Remote Working – Companies should review the risks associated with employees connecting to the network remotely and develop appropriate policies to address these risks, including training employees how to ensure the security of their mobile devices.
In addition to these ten steps, the UK government has worked with the financial services industry to develop basic security controls to better protect all companies against the most common forms of cyberattacks.
III. The EU
In addition to efforts by individual countries to address global cybersecurity concerns, the EU (the economic and political partnership between various European countries, including, at the time of writing, the UK) is also taking steps to address cybersecurity concerns. In early 2013, the European Commission published a proposed directive on Network and Information Security (the “NIS Directive”) that is intended, among other things, to create a legal obligation for EU Member States to develop national cybersecurity strategies and cyber-incident reporting requirements, to designate national authorities to monitor compliance with these strategies and related measures, and to encourage cooperation and information sharing among Member States.
IV. International Cooperation
In addition to the country/region-specific cybersecurity efforts discussed above, governments are increasingly cooperating with each other to address the global threat of cyberattacks. Earlier this year, the U.S. and UK agreed to “bolster” threat information sharing and engage in joint cybersecurity and defense exercises to test and enhance the capacities of both countries’ financial institutions and law enforcement to “respond to malicious cyber activity.”
The U.S. and UK are not the only countries to collaborate. In February 2015, Europol’s European Cybercrime Centre coordinated a joint international operation—involving investigators from the UK, Germany, Italy, and the Netherlands as well as industry participants—to shut down a botnet that had compromised 3.2 million computers world-wide.
V. Action Plan
The increasing danger of cyberattacks and the enhanced regulatory requirements for cybersecurity compliance programs call for a detailed action plan that addresses both cyber-risk itself and the regulatory risk attached to it. It must be stressed that an effective cybersecurity program requires an integrated strategy for both ongoing regulatory compliance and a “break glass in case of emergency” response to cyberattacks. This calls for, among other things, integrated knowledge of bank regulatory, data, cybersecurity, and payment systems law to construct and implement an effective program.
As recently discussed in our Stay Current Alert Caught in the Crossfire: The Rising Threat of Cyberattacks on Financial Institutions and the Heightened Expectations of Financial Regulators, heightened regulatory expectations—and potential attendant regulatory and reputational risk for noncompliance in a changing regulatory environment—call for, among other things, a high level of corporate governance participation by the board of directors, senior management, and global compliance teams; management will be ultimately responsible for any cyber or regulatory problems, so management oversight is clearly required. The old saying that “an ounce of prevention is worth a pound of cure” is certainly an operative approach to plotting a successful strategy in approaching cyber operational and regulatory challenges in a changing regulatory environment. In addition to the best practices outlined
Utilize the FFIEC Cybersecurity Assessment Tool to evaluate the institution’s cyber-risk profile and cybersecurity preparedness, and use the assessment results to develop or revise its policies and procedures to address any gaps and vulnerabilities the assessment identifies.
Evaluate the institution’s cybersecurity governance framework: ensure the Board of Directors discusses and understands the institution’s specific cybersecurity vulnerabilities and recognizes the importance of allocating sufficient resources to maintaining a robust cybersecurity compliance program, and create a chain of communication that ensures cybersecurity policy decisions reach all employees and news of cyber-incidents reaches the Board.
Address cybersecurity concerns in all relevant policies and procedures and tailor cybersecurity policies and procedures to each business line and operation unit.
Conduct cybersecurity training for all employees, with training tailored to each group’s specific cyber-risks. It is critical that employees understand and comply with the institution’s cybersecurity policies and procedures, are adequately trained to identify red flags for cyber-breaches and suspicious activity or emails, and take appropriate precautions when accessing the institution’s system remotely or accessing external sites and applications from the institution’s network.
Monitor systems and controls through network scanning, audits, and independent testing.
Thoroughly vet third party servicers and software suppliers prior to engaging their services.
Consider whether to participate in information exchange fora with peer institutions—be sure to discuss this decision with outside counsel possessing expertise in dealing with cyberattacks and related issues such as consumer protection and regulatory compliance.