
3 Steps to Improve Cyber Security

In the recent science fiction film Inception, protagonist Dominic Cobb infiltrated his victims’ dreams to gain access to business secrets and confidential data. He would then use this knowledge to influence things in his (or his client’s) favor. Cobb’s success depended on his ability to manipulate victims through greater understanding of their human vulnerabilities. Just like Cobb, cyber crime perpetrators begin by identifying their targets’ vulnerabilities and gathering the intelligence required to breach their systems. Armed with this intelligence, they navigate their targets’ complex systems, establish a covert presence and often remain undetected for a long time. It is clear that the growth in cyber crime has continued, if not accelerated, in the financial services industry. U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries. This number is 44% higher than in 2012, when the industry was ranked third, after the defense and utilities and energy industries. While this trend is not to be ignored, these actual losses are sometimes not meaningful to firms’ income statements. The potentially greater impact from cyber crime is on customer and investor confidence, reputational risk and regulatory impact, which together add up to substantial risks for financial services companies. A recent global survey of corporate C-level executives and board members revealed that cyber risk was the world’s third corporate-risk priority overall in 2013. Interestingly, the same survey from 2011 ranked cybersecurity as only the 12th-highest priority.

In Inception, although Cobb succeeded in conning most of his victims, he faced stiff resistance from Mr. Fischer, whose strong automated self-defense mechanisms jeopardized the attackers’ plans several times. However, every time Cobb’s team faced an obstacle, they persevered, improvised and launched a new attack. Real-life cyber attacks are, of course, far more complex in many ways than the challenges and responses between Cobb and Fischer. That said, the film does provide an interesting analogy that in many ways illustrates the problems that financial services companies face when dealing with cyber crime.

The interplay between attacker and victim is, indeed, a cat-and-mouse game in which each side perpetually learns and adapts, leveraging creativity and knowledge of the other’s motives to develop new offensive tactics and defensive postures. The relatively static compliance or policy-centric approaches to security found in many financial services companies may be long outdated. The question is whether today’s industry can create a dynamic, intelligence-driven approach to cyber risk management not only to prevent, but also detect, respond to and recover from the potential damage that results from these attacks. As such, transformation into a secure, vigilant and resilient cyber model will have to be considered to effectively manage risks and drive innovation in the cyber world.

The evolving cyber threat landscape

Although cyber attackers are aggressive and likely to relentlessly pursue their objectives, financial services companies are not passive victims. The business and technology innovations that financial services companies are adopting in their quest for growth, innovation and cost optimization are, in turn, presenting heightened levels of cyber risks. These innovations have likely introduced new vulnerabilities and complexities into the financial services technology ecosystem. For example, the continued adoption of Web, mobile, cloud and social media technologies has likely increased opportunities for attackers. Similarly, the waves of outsourcing, offshoring and third-party contracting driven by a cost-reduction objective may have further diluted institutional control over IT systems and access points. These trends have resulted in the development of an increasingly boundary-less ecosystem within which financial services companies operate, and thus a much broader “attack surface” for the threat actors to exploit.

Cyber risk is no longer limited to financial crime

Complicating the issue further is that cyber threats are fundamentally asymmetrical risks, in the sense that oftentimes small groups of highly skilled individuals with a wide variety of motivations and goals have the potential to exact disproportionately large amounts of damage. Yesterday’s cyber risk management focus on financial crime was — and still is — essential. However, in discussions with our clients, we hear that they are now targets not only of financial criminals and skilled hackers but also, increasingly, of larger, well-organized threat actors, such as hacktivist groups driven by political or social agendas and nation-states seeking to create systemic havoc in the markets. An illustrative cyber threat landscape for the banking sector suggests the need for financial services firms to consider a wide range of actors and motives when designing a cyber risk strategy. This requires a fundamentally new approach to the cyber risk appetite and the corresponding risk-control environment.

The speed of attack is increasing while response times are lagging

Threat actors are increasingly deploying a wider array of attack methods to keep one step ahead of financial services firms. For example, criminal gangs and nation-states are combining infiltration techniques in their campaigns, increasingly leveraging malicious insiders. As reported in a Deloitte Touche Tohmatsu Limited (DTTL) survey of global financial services executives, many financial services companies are struggling to achieve a level of cyber risk maturity required to counter the evolving threats. Although 75% of global financial services firms believed that their information security program maturity is at level three or higher, only 40% of the respondents were very confident that their organization’s information assets were protected from an external attack. And that is for the larger, relatively more sophisticated financial services companies. For mid-tier and small firms, the situation may be much worse, both because resources are typically scarcer and because attackers may see them as easier targets. In a similar vein, the Snowden incident has perhaps increased attention on insider threats, as well.

Multipronged approach can supplement traditional technologies that may now be inadequate

Given that 88% of attacks are successful in less than a day, it might be tempting to think that the solution may be found in increased investment in tools and technologies to prevent these attacks from being successful. However, the lack of threat awareness and response suggests that more preventative technologies alone are likely to be inadequate. Rather, financial services companies can consider adopting a multipronged approach that incorporates a more comprehensive program of cyber defense and response measures to deal with the wider array of cyber threats.

Financial services firms have traditionally focused their investments on becoming secure. However, this approach is no longer adequate in the face of the rapidly changing threat landscape. Put simply, financial services companies should consider building cyber risk management programs to achieve three essential capabilities: the ability to be secure, vigilant and resilient.

— Enhancing security through a “defense-in-depth” strategy

A good understanding of known threats and controls, industry standards and regulations can guide financial services firms to secure their systems through the design and implementation of preventative, risk-intelligent controls. Based on leading practices, financial services firms can build a “defense-in-depth” approach to address known and emerging threats. This involves a number of mutually reinforcing security layers both to provide redundancy and potentially slow down the progression of attacks in progress, if not prevent them.

— Enhancing vigilance through effective early detection and signaling systems

Early detection, through the enhancement of programs to detect both the emerging threats and the attacker’s moves, can be an essential step toward containing and mitigating losses. Incident detection that incorporates sophisticated, adaptive, signaling and reporting systems can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on an enterprise-wide basis. Financial services companies’ monitoring systems should work 24/7, with adequate support for efficient incident handling and remediation processes.

— Enhancing resilience through simulated testing and crisis management processes

Resilience may be more critical as destructive attack capabilities gain steam. Financial services firms have traditionally planned for resilience against physical attacks and natural disasters; cyber resilience can be treated in much the same way. Financial services companies should consider their overall cyber resilience capabilities across several dimensions. First, systems and processes can be designed and tested to withstand stresses for extended periods. This can include assessing critical online applications for their level of dependencies on the cyber ecosystem to determine vulnerabilities. Second, financial services firms can implement good playbooks to implement triage for attacks and rapidly restore operations with minimal service disruption. Finally, robust crisis management processes can be built with participation from various functions including business, IT, communications, public affairs and other areas within the organization.

For the full report on which this article is based, click here.

Kevin Bingham is sharing this excerpt on behalf of the report’s authors, his colleagues Vikram Bhat and Lincy Francis Therattil. They can be reached through him.

A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks do not simply target large companies. According to Symantec's 2010 SMB Protection report, small businesses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willy Sutton once infamously remarked that he robbed banks because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Network and Information Security Agency, if Willy Sutton were alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases involving bank accounts of US businesses. These cases total $255 million in fraudulent transfers and have resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

Telecommunications network disruption, otherwise known as a distributed denial of service (DDoS) attack, was used against US banks repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran, in what would truly be considered a cyber war attack against this country's infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial institutions only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012, the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster was preparing to rob American banks and their customers of millions of dollars. According to the computer security firm McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” had already infected hundreds of computers of unwitting American customers in preparation to steal their bank account data.

Of course, not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported that TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that they may have been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously from its beginnings in 2000. Starting with what was the brainchild of AIG and Lloyd's of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps it is for this reason that cyber premium rates are flat to down 5%, according to industry reports, in a market where property-casualty rates are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers, but most of the industry believes it is a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated, “we think this market has nowhere to go but up,” although, they quickly qualified, “as long as carriers can still write at a profit.”