Cybersecurity in the banking and financial sector
In a digital world where the number of targets ripe for hacking has grown exponentially, banks and other financial institutions remain a top target for cyberattacks, whether for financial gain, data theft, or retaliation. For nation-state adversaries or hacktivists, disrupting the financial services industry has the potential to grievously wound the global economy, given the interconnectedness and integrated nature of the society we live in today. This chapter underscores that regulation is not enough to address the growing threat to financial institutions. It outlines programs to improve identity verification and authentication protocols. It also underscores the need to streamline cybersecurity regulation to reduce burdens from duplicative or conflicting requirements that have no tangible improvement on cybersecurity. The chapter concludes with a discussion on cyber law enforcement and the need to create international standards for cybercrime investigations and prosecution.
WHAT MAKES THE FINANCIAL SERVICES SECTOR UNIQUE
Banks and other financial institutions remain a top target for cyberattacks, whether for financial gain, data theft, or retaliation. Today’s consumers have higher expectations about service, given the proliferation of technologies available to them. Consumers are more likely to shop around for products and be more interested in direct and mobile channels. However, while the use of innovations such as mobile devices and applications for consumer banking has exploded, the exploitation of these devices has increased significantly.
Commercial banking, too, has seen tremendous benefits from technology and is poised to reap even more as the new distributed ledger system, known as blockchain, enters the mainstream. More than half of exchanges surveyed by the International Organization of Securities Commissions and the World Federation of Exchanges in 2013 reported experiencing a cyberattack during the previous twelve months. Neither is the insurance industry is immune to the changes in how business is conducted in today’s contemporary and interconnected society. Insurers are prime targets to be victimized, given the richness of data—credit-card information, medical information, and other underwriting information.
CHALLENGES FACING THE NEW ADMINISTRATION
The current regulatory model for cybersecurity does not work. Cyber technology and attack methods change constantly, and the regulatory process is inherently time consuming and cumbersome.
The financial services sector continues to see an increase in disparate and fragmented cybersecurity regulation. For many institutions, it began with the Federal Financial Institutions Examination Council releasing in June 2015 a Cybersecurity Assessment Tool incorporating concepts from the voluntary NIST Cybersecurity Framework. Member agencies use the tool in regulatory inquiries. As a result, many large financial institutions expend immense amounts of time and resources determining how to demonstrate compliance.
Complicating matters further, financial institutions receive similar cybersecurity inquiries from different regulators, even from different offices of the same regulator. These duplicative reporting requirements ask largely the same questions but require exhaustive tailoring for each regulator. And the SEC is becoming ever more assertive in monitoring the cybersecurity of broker-dealers and registered investment advisers, even testing firms’ implementation of cybersecurity controls.
Technology innovations have eliminated borders for criminal enterprises. Attackers can exploit vulnerabilities from anywhere and impact entire networks in a matter of seconds. This poses a tremendous risk of cascading failure across the sector. Phishing is a main pathway for cyber theft, and spear-phishing is even more pernicious. The use of phishing is widespread, unrelenting, and a low-cost, high-payoff technique for attackers.
Mobile banking is a boon for consumers but opens up a new front for attackers to exploit. Cyber thieves craft malicious apps targeting banking data, but it’s not just banking apps that pose a cybersecurity challenge.
RECOMMENDATIONS
GOVERNMENT SHOULD RETHINK ITS APPROACH TO CYBERSECURITY
The federal government’s credibility in educating, let alone regulating and mandating, cybersecurity practices is severely undermined by its track record of inefficiency. Agencies have yet to adjust to the interconnected nature of cybersecurity, approach it as if it were a static problem addressable through existing formulations. Punitive checklist compliance is a waste of resources. The number of regulatory agency examiners with specialized information technology training is low, and much of government’s shared cyber-threat data are out of date and stripped of context as to be useless.
HARMONIZE, STREAMLINE, AND IMPROVE REGULATIONS
Regulatory and legislative mandates and compliance frameworks that address information security for the financial sector, such as Sarbanes-Oxley, Gramm-Leach-Bliley, the Fair and Accurate Credit Transactions Act, as well as state compliance regimes, must be consolidated and streamlined.
Regulations should encourage banks to take a risk-based approach, which is customized to the threats they face and takes into account the bank’s business model and resources available. Utilizing a standard mechanism such as the NIST Cybersecurity Framework to align the proliferation of different legal and regulatory cybersecurity requirements enables harmonization and adopts unified fundamental guidance for developing cybersecurity policies and practices within the industry.
OPERATIONAL IMPROVEMENTS
Toss the Password into the Dustbin of History
“Killing the password” has been a long-standing Obama administration priority, one that it reiterated in the National Cyber Action Plan unveiled in February 2016. The new administration should accelerate the work of the National Strategy for Trusted Identities in Cyberspace, a program charged in 2011 with creating market conditions favorable to a wholesale replacement of passwords. Today, it’s clear the effort has stalled.
Incentivize ISPs to Become More Active in Cybersecurity
ISPs are critical players in improving cybersecurity across the Internet but are not incentivized to implement well-established security protocols, such as DNS Security Extension and BGPSec, that would make launching cyberattacks harder for hackers. We are not advocating for heavy-handed regulation but a common set of strong security standards that ISPs can be evaluated against in the market place, much like the “5-star safety rating” system developed years ago by the National Highway Traffic Safety Administration.
Adopt Antiphishing Technology
The existing Internet technology standard known as DMARC (domain-based message authentication, reporting, and conformance) should be implemented by the federal government and even further in the private sector.
ENCOURAGE DEVELOPMENT OF MORE CYBERSECURITY EXPERTS
The new administration should consider leveraging the federal science, technology, engineering, and mathematics program to promote wider interest among students in technology jobs. The current national goal of graduating an additional one million students with STEM majors should be reassessed with an eye toward increasing both that number as well as the number of technology graduates represented within it.