Cyber Resiliency – Closing the Gaps in Vendor-Bank Security
Originally published on September 10th on Bank BUSINESS.
As we approach the next decade, data integrity and cyber security have risen to the top of financial institutions’ list of mission-critical initiatives. With instances of government-backed hackers and other unscrupulous individuals seizing and exploiting customer data on the rise, it is crucial to ensure a bank or credit union’s resiliency to cyber-attacks and network intrusions is stronger than ever. Particularly, closing the potential gaps in the interwoven relationships between financial institutions and their third- and fourth-party vendors has emerged as a critical step in this process.
At its core, cyber resiliency can be defined as an organization’s ability to not only withstand various cyber-attacks and threats, but also its plans and capacity for resuming operations with minimal impact or disruption in the event of an actual attack. For banks and credit unions, the priority of cyber resiliency is safeguarding customer and member data (as well the FI’s own) and internal systems from cyber threats, while establishing strong contingency plans that allow for fast, efficient responses should an attack occur. Too often, institutions can be lulled into simply checking a box from a compliance standpoint, but in best practice, they must have an effective response plan in place to address an occurrence and to be prepared for any future cyber events. As part of their planning, financial institutions need to understand how these cyber-attacks can impact their customers — and ultimately their bottom lines. By studying other reported, similar attacks and infiltrations, banks and credit unions can gain valuable insights for becoming more resistant to phishing attacks, DNS breaches, and potential exploits within their vendor/security frameworks. Armed with these “lessons learned” and a committed focus on vigilance, FIs will have a better perspective and a much clearer picture as they to look for any gaps in their own vendor relationships.
When evaluating potential vulnerabilities, it is important to note that hackers do not look solely at the bank or credit union for an attack vector, but they also look at those institutions’ third- or even fourth-party vendors. It is important to consider these soft spots from a hacker’s point-of-view. Hackers recognize the challenge associated with breaching a bank or credit union directly so instead look to the institution’s vendors as an easier pathway to achieve a breach. Recently, Banco de Chile provided a sobering example of this kind of vendor loophole exploitation, as the hackers were able to attack the bank through a third-party DNS server that the bank itself had not considered as a part of its attack vector. Hackers were able to take over the DNS server through vulnerabilities that could have easily been addressed, and then redirect bank customers to a fake website under their control to harvest valid credentials for the electronic banking application.
What information are these individuals trying to access through their intrusion attempts? Typically, DDA account information, credit card information, loan account information, social security numbers, and other sensitive customer data are all on the table in these attacks. Something important, but often overlooked, is that the institution’s size is not particularly relevant for a hacker. Their target could be a small community bank or credit union in a rural area, or the main data center of a large, international institution. Increasingly, hackers primarily care about the availability and ease of access through an institution’s system and/or vendors. In the Banco de Chile case, the hackers who were able to breach the DNS were not specifically targeting the bank. It may very well have started with a phishing email that determined which institutions had connections with a given vendor’s services, and from there they simply focused on the path of least resistance to the bank with the largest gap in security. Often, once a bank or credit union is chosen, malware is sent through to the target institution, and the door is propped open allowing the hacker direct access moving forward. They now essentially have free rein to all the information within the institution.
Mandiant (now FireEye), a forensic data company that traces hacking instances back to their source, released its APT1 report in 2013 that provided some sobering insights into just how pervasive this issue could be. In one case, the company traced the source of the intrusion back to a military installation in China manned with over 1,000 people onsite. What makes this truly concerning is that the report also suggests there are hundreds, potentially thousands, of these installations across the country. With China’s reported workforce estimated to be over 700 million and the U.S. containing approximately 7,000 to 8,000 banks, it is not difficult to extrapolate the potential threat to virtually any bank or credit union in the nation should these resources be leveraged against us.
Given this, how exactly should a bank or credit union ensure that its institution and the vendors it works with are protected and secure?
The due diligence aspect of cyber resiliency is a critical best practice. By planning, it allows financial institutions to test their information security and instant response plans, gauging their readiness level for a possible cyber-attack and how likely they are to deflect one. Applying the knowledge garnered from these tests and other scenarios in which attacks have occurred allows FIs to leverage the lessons and information gained from those events to enhance and “fill in the gaps” in their own institutions. With the cyber resiliency related to vendor relationships being a primary concern for potential attacks, having an overarching vendor management program is the capstone for any effective due diligence and preparedness plan.
Vendor Management and Relationships
The best course of action for banks and credit unions is to create a comprehensive chart or “road map” of all its vendors, both third- and even fourth-party relationships and connections, and clearly marking how they connect and interact with the institution. Doing so will allow them to see exactly where potential vulnerabilities in the framework are and then address those issues directly with the appropriate parties to ensure compliance and effectiveness. It is ideal to have a joint continuity plan in place with the vendor, such as described in the FFIEC’s (Federal Financial Institution Examination Council) Appendix J, which directly addresses core cyber resiliency guidelines.
A final point to consider is how and when to address a vendor that is failing to uphold its own due diligence in protecting its customers. If they do not have the resources available and the subject matter expertise to help in the implementation of a cyber resiliency framework, then it may be time to revisit the relationship. If that vendor cannot provide what is needed, the institution must identify a different vendor that can provide the necessary compliance.
The need for effective cyber resiliency and the ongoing search for methods and tools to enhance security and available countermeasures against attacks and intrusions will continue to be top of mind for today’s – and tomorrow’s — banks and credit unions. As instances of these threats continue to rise and become more complex, it is perhaps more important than ever for financial institutions and their vendors to work together to continuously improve their security in order to safeguard not only themselves, but their customers and members as well.
Terry Ammons, CPA, CISA, CTPRP, and Mike Morris, CISA, CISSP, are partners at Porter Keadle Moore (PKM), an Atlanta-based accounting and advisory firm serving public and private organizations in the financial services, insurance and technology industries as well as a diverse group of entrepreneurial small business clients.