Guy Guzner, CEO, Fireglass
Several months ago, a new cybersecurity regulation was introduced aimed specifically at the finance industry. Some may say it’s about time. The regulation proposed by the state of New York requires every bank and insurance company doing business in the state to establish a cybersecurity program, appoint a Chief Information Security Officer (CISO) and screen the cybersecurity policies of its business partners.Shortly after New York’s announcement,the Federal Reserve weighed in, unveiling a national plan to toughen the country’s largest banks against major cyberattacks.
Why all the new regulations? Recent attacks on the banking sector may be the primary motivation behind this surge. While there have been a number of attacks over recent years, several stand out. The JP Morgan Chase breach of July 2014 saw attackers gain the highest level of administrative privileges to the banks computer servers. In 2013, investigators unearthed a scheme where hackers had conducted a seven-year onslaught on organizations across the U.S., including banks, which targeted over 800,000 bank accounts. At the start of 2016, Bangladesh Bank saw over $81 million siphoned from its accounts in just hours. The hackers targeted the bank’s SWIFT accounts, the international money transfer system that banks have used since the 1970s to make daily transactions between themselves. We are seeing how technologies that have been in place for decades are no longer effective and become the weak points that hackers are leveraging to their advantage.
The rise of the financial tech industry is opening up additional opportunities for cyber attackers. The number of companies in this space is increasing rapidly. The demand from younger generations for digital alternatives to banks and financial institutions has spurred billions in investments in fintech ventures. Some of these companies certainly will commit to making cybersecurity an integral part of their organizational mandate. Still, it’s also inevitable that some will fall short when it comes to security. With more and more people having access to financial services and more interfaces to do so, this is creating more vulnerable scenarios for hackers to take advantage of.
While regulations in the U.S. will enforce the development of crises and risk plans that will help banks prepare for the worst, there is a lot at stake relying on archaic systems. The Bangladesh heist may have scared institutions into action, but the damage resulting from a cyberattack can do much more than leave organizations without cash. Imagine if cyber criminals were able to shut down stock exchanges for long periods of time, blocking trades and access to markets. Not only would this impact day-to-day activity, it could shake the faith of investors to the core. On a large scale,this can destabilize an economy overnight. Most concerning is that breaches can be accomplished using common malicious tactics and tools such as phishing and malware.
Taking a cue from Israel
Regulations like the ones being proposed here in the U.S. may have taken inspiration from similar guidelines effected in other countries. Take, for instance,the way Israel is approaching regulations in the financial world. Israeli banks have had to comply with even tougher regulations than those imposed by the state of New York. For example, they are required to physically separate their internal and external networks. This means the same computer cannot be used to access both networks unless there are two separate network cards and two separate virtual machines running on the computer. By enforcing these types of strict guidelines, Israel prevents malware from entering banks’ principal systems from the risky public internet.
What banks could expect
The New York regulationcould impact financial institutions in several ways.
* Organizational structure changes. The responsibility for security in some organizations have been splintering across multiple departments and business units, and overlapping between IT-focused organizations, Risk or security organizations, and operational organizations. In smaller organizations the security role has often been shared with IT responsibilities. As mentioned above, the regulation directs that the organization must appoint board-level responsibility for cybersecurity as well as a CISO.
* New security measurements. Until recently the security program was measured according to the subjective judgment of security professionals. But now that a prescriptive regulation is in place, there is danger that focus will be to satisfy the regulation and not maintain an effective program. This is always a risk with prescriptive regulation.
- More breaches disclosed. Given the impact breaches inflict on bank reputations and the public trust, there is a powerful incentive to keep breaches quiet. This regulation makes it much harder to hide data breaches, which, in turn, would increase the perceived risk of breaches.
- Increase in oversight over third parties. The regulation mandates that financial institutions take responsibility for the security posture of vendors providing services to them. This is not surprising as many breaches were caused by compromising vendors rather than the organizations themselves However, there are no standard methods today to ensure the security of third party, and this regulation will probably encourage that field. In the short term this may slow down the adoption of cloud technologies and outsourcing, especially for the smaller financial institutions that cannot audit their vendors themselves.
- Industry mergers. The regulation clearly favors the larger financial institutions that already have programs like this in place. This will significantly increase the IT cost of smaller financial institutions and make it more difficult for them to be competitive against their larger counterparts. As such, this may drive mergers and/or consortiums to leverage economy of scale.
Implementing pre-emptive approaches
Like other large businesses and institutions, the banking and finance industries rely on archaic systems prone to modern day attacks. But implementing modern and innovative solutions that don’t require complete overhaul can help bring these systems into the 21st century.
. Additionally, banks can implement pre-emptive approaches to security to strengthen systems and thwart cyberattacks. Taking pre-emptive approaches to security can benefit not only the largest global banks, but also the smallest local banks. While larger banks may have the resources to continually reevaluate their security posture and invest in post breach solutions, smaller banks would need to be prioritize security controls which dramatically reduce risk.
Some modern security strategies financial institutions are starting to deploy have taken inspiration from the separation of internal and external networks.One such technology is based on the concept of “isolation”. It focuses on strengthening the most vulnerable targets — the users, by preventing malicious web content from reaching them. This allows users to click with confidence from any device by minimizing exposure to malware and phishing from web and email.
Unlike traditional security solutions that need to distinguish good from bad, isolation assumes all content is malicious and should not be allowed into the corporate network. Isolation creates a secure execution environment placed between users and the web where all browsing sessions are executed remotely and only a safe visual stream is sent users’ devices. Because all content is executed away from endpoints, users are completely protected from malicious websites,emails and documents. Gartner recently published a research recognizing isolation as one of the single most significant ways to reduce attacks.
With ever increasing opportunities for attackers to compromise sensitive networks, financial organizations must do their part to not only prepare for compliance with tightening regulations, but also adopt advanced technologies to secure their networks. Relying on traditional methods will only get them so far. Instead they need to implement solutions that can help strengthen an infrastructure relying on seemingly stalwart technology.