According to IBM X-Force research, nearly 20 million financial records were breached in 2015, with each stolen record costing financial institutions an average of $215. Experts believe 2016 will be even worse. What do banks need to know about managing cybersecurity risk to help protect themselves against these attacks? Brian Johnson, AGH’s senior vice president of technology services, puts the threats into context for banking leaders.
What is most important for banks to understand about cybersecurity?
Financial technology continues to change and evolve, so the risks continue to change and evolve with it. That means that cybersecurity risk needs to be evaluated in the context of the industry’s specific technologies – the technologies that the banks and their customers are using and the kinds of technologies and threats that are evolving to eventually exploit bank and customer vulnerabilities.
In your opinion, who or what is the greatest cybersecurity threat to banks?
When I talk to organizations about cybersecurity, I talk about people, process and technology. Technology usually comes to mind first for most – things like computers, security tokens, ATMs, and third-party services like mobile banking providers. Process refers to the business processes and technology processes, such as risk management, incident response, and business continuity practices. The people are the leadership, employees, customers and others who execute the processes and/or use the technology.
A lot of [cybersecurity experts] agree that people are the weakest link, and that’s an area where we need to have increased focus. Cybersecurity also requires good processes and technology, but at the end of the day, if you don’t have people who practice sound judgment, and if you don’t have qualified people exercising the security processes and implementing technologies, you put yourself – and your customers – at increased risk. So, if you need to pick a place to start, or an area where you need continuing focus, people would be the place to do that.
Do you think banks will experience more or fewer breaches in 2016? Why?
That’s tough to predict, but I do believe banks will continue to be a high-value target for cybercriminals for the reasons that they always have been – because that’s where the money is. It’s not masked bandits who are robbing banks these days – now it’s cybercriminals with the ability to take over accounts or trick customers or employees into moving money around, and the attacks are constant. So, it will be important for banks to continue to be vigilant.
The good news is, though, that there is now increased awareness and efforts like the FFIEC Cybersecurity Assessment Tool and the Financial Services Information Sharing and Analysis Center (FS-ISAC) that are shining a light on the kinds of things that banks can do to improve their cybersecurity. And although there is data showing a rising number of breaches, there are also an increasing number of tools to combat them.
What will FFIEC exam requirements mean for bank cybersecurity practices?
Many of the exam requirements are the things that the industry has already been discussing, but there is one thing in particular that financial institutions should be ready for. One of the recommendations for regulators is to review board meeting minutes to see if cybersecurity is being discussed and make sure executive management and boards are taking a more active role in understanding the risks associated with their business lines and processes, evaluating if they have the right resources to address those risks, and applying the right controls. There are a number of best practices recommended by regulators, but the implementation of those best practices is something that must be decided at a business level by management, they need to be actively involved, so that’s one of the things examiners will be looking for.
What makes cybersecurity different for banks vs. other types of organizations?
One of the most obvious things is the nature of what they’re trying to protect and their heavy use of technology. Money is a highly attractive target, and techniques such as social engineering and business email compromise increase the opportunities for cybercriminals to attack without ever setting foot in a facility.
At a high level, what is the process that banks should keep in mind when it comes to cybersecurity?
I’m a firm believer that there is no one-size-fits-all process. Risks are different for different financial institutions, so the evaluation processes will usually result in different combinations of protective, detective, and corrective controls for each one. And every control has a cost associated with it, so it will be important to make sure each organization has identified the right ones.