Addressing cybersecurity risks and remedies is a collaborative undertaking involving the federal government, regulatory agencies, and public and private companies. The Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security (DHS) conducts risk assessments, modeling, and data management at a national level to understand critical infrastructure risks and support policy making, process enhancements, and risk-management decisions. The Department of Treasury is responsible for developing a Financial Services Sector-Specific Plan (SSP) to identify cybersecurity and physical risks facing the sector and establish a strategic framework to help prioritize ongoing activities to help secure financial firms and data.
The FDIC’s 2022 “Report on Cybersecurity and Resilience” notes the agency protects systems and sensitive information related to its own operations and the operations of FDIC-supervised banks and service providers through enforcement and initiatives that comply with the Federal Information Security Modernization Act of 2014 (FISMA). As of Dec. 31, 2021, the FDIC employed 357 IT examiners with specialized experience and training who evaluate financial institutions’ administrative, technical, and physical safeguards to ensure they provide controls that protect the security, confidentiality, and integrity of the institution, as well as the financial system and customer information.
The National Credit Union Administration (NCUA) also places top priority on cybersecurity supervisory activities under its enterprise risk-management program. All federally insured credit unions undergo a periodic NCUA examination not more than 20 months after the previous examination. Examinations are risk-focused with the primary goal of ensuring the safety and soundness of the credit union system by evaluating how well management identifies, measures, monitors, and controls potential and existing risks, including cybersecurity concerns.
Tactical Threats
The use of ransomware for extortion continues to be a significant risk. In February 2022, CISA and the NSA issued “2021 Trends Show Increased Globalized Threat of Ransomware,” a report that noted an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations, including the financial sector.
Ransomware is also becoming more easily available. Experienced cyber criminals offer “ransomware-as-a-service,” making it easier for unsophisticated attackers to target businesses of all types. They are also increasingly successful at accessing bank IT systems through third-party software, whether hosted internally at the bank or delivered as a cloud-based service. An even bigger threat is the tactical, targeted attack on the software that controls access to roles such as network management, and on security software applications themselves.
Strategic Threats
Although they may be more difficult to define and may not result in an actual cyberattack incident, strategic cybersecurity threats – such as geopolitical and global economic events – require ongoing monitoring and planning to avoid disruption and support a resilient financial system. In early 2022, CISA issued multiple alerts regarding Russian state-sponsored cyber threats and cyber incidents in Ukraine. Another strategic threat is the ongoing development of quantum computing technology, which could be used to break current cryptographic algorithms and threaten the confidentiality of information even if it is encrypted.
Best Practices
According to the U.S. Government Accountability Office, the top five cybersecurity risks identified by financial sector firms and federal agencies are social engineering, malware, third-party access, insider threats, and interconnectivity with global banking networks.
Here are some steps your financial institution can take to strengthen cybersecurity and secure data:
- Implement strong access controls such as multi-factor authentication, random one-time access codes, and biometric identification.
- Assign permissions and access to roles rather than individuals.
- Conduct regular risk and vulnerability assessments along with penetration testing.
- Update incident detection, response, and recovery capabilities through in-house controls, and consider outsourced solutions.
- Provide security awareness information and role-based training to employees and customers.
- Stay compliant with reporting requirements for computer security “notification incidents.”
FDIC and NCUA are member agencies of FFIEC, which recently issued an updated “Cybersecurity Resource Guide for Financial Institutions” that contains links to dozens of free and paid resources that can help banks, credit unions, and other financial institutions strengthen their resilience against cyber incidents.
The FFIEC also published “Authentication and Access to Financial Institution Services and Systems” to provide guidance and examples of risk management principles and practices for effective authentication of customers, employees, and other users, a key control to mitigate threats such as ransomware.
NCUA offers a wide variety of online resources to assist credit unions, including an Automated Cybersecurity Evaluation Tool (ACET), guidance, examination manuals, and more.
The bottom line: business continuity concerns arising from cyber threats should continue to be a focal point of your strategic planning. Contact your Rehmann advisor for guidance on what your financial institution can do to manage these risks and for an introduction to a Rehmann IT Solutions expert who can help you protect your technology infrastructure.