GBAF Logo
THE SCENARIO:  A CYBER-ATTACK ON A MAJOR LONDON-BASED BANK. - Top Stories news and analysis from Global Banking & Finance Review
Top Stories

THE SCENARIO:  A CYBER-ATTACK ON A MAJOR LONDON-BASED BANK.

Published by Gbaf News

Posted on June 11, 2014

4 min read

· Last updated: December 10, 2018

Add as preferred source on Google
Banking cybersecurity Regulation risk management

 By Ted Julian, security expert and CMO of Co3 Systems

Details known:  Very few.

Immediate Response to the Breach

Initial steps:  Stop the bleeding and assume the worst. 

When a cyber incident is discovered, organizations often don’t have all the facts initially. This can pose a major challenge to those charged with incident response.  Given this reality, what should be done first?  Of course, organizations should already have a plan in place for dealing with potential security incidents.  Having a plan and following it will help to calm the initial chaos.  But what steps must be taken as part of that response plan?  And what about banks unique breach response requirements like those required by regulators and the risk of financial harm both to customers and the bank itself?

Ted Julian, CMO, Co3 Systems

Ted Julian, CMO, Co3 Systems

Simulating a Worst-Case Bank Breach

To answer these questions, we simulated a cyber breach using the Co3 platform.  We modeled a worst-case system intrusion in order to highlight potential disclosure requirements as part of the broader response effort. We indicated that the breach included the compromise of unencrypted, personally identifiable information (financial information, to be exact), thereby creating foreseeable harm to bank customers.

Simulated Breach Parameters and Task Breakdown

Specifically, our simulated breach parameters included:

  • Incident type: System Intrusion
  • Personally Identifiable Information involved:  Yes
  • Harm foreseeable: Yes
  • Data encrypted:  No
  • Data types involved:  first and last names, addresses, phone numbers, email addresses, financial account numbers, and passwords
  • Number of records involved:  100,000

The resulting response plan includes 37 tasks broken into the following categories:

  • Engage Phase: 5 tasks
  • Detect/Analyze Phase: 13 tasks
  • Respond Phase: 8 tasks
  • Data Breach – Authority Notifications:  3 tasks
  • Data Breach – Individual Notifications:  1 task
  • Data Breach – General: 1 task
  • Post-Incident Phase:  6 tasks

Key IT Tasks in the Incident Response

IT-related, “stop the bleeding” tasks include items like collecting system data, analyzing intruded systems and network traffic, and creating backups of affected systems.  In addition, known vulnerabilities should be evaluated and any other intelligence that may be available should be consulted.

Legal and Regulatory Notification Requirements

From a breach notification point of view, the risk of harm is a key factor.  According to guidance issued by the Information Commissioner’s Office (ICO), organizations that experience a data breach must look at the potential harm to those involved when deciding whether or not to disclose the breach to consumers or regulators.  The ICO provides a list of details to consider when making such an assessment.   Some things to consider are what type of data is involved and how sensitive is it?  Are there protections in place, such as encryption?   What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

Financial institutions in the UK have an additional step when it comes to data breaches.  According to the Financial Services Handbook, banks and other financial firms must notify either the Prudential Regulatory Authority or the Financial Conduct Authority, as appropriate, as soon as it becomes aware of “any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm”.  Clearly, a system intrusion at a financial institution that results in unauthorized access to or acquisition of personal data falls under that category.  When notifying the regulator, the notice should contain information and circumstances about the breach, as well as any steps that the firm has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence.

As you can see from this exercise, cyber attack incident response spans not only a range of IT systems and processes, but also – and this is crucial for banks – a multitude of regulatory requirements, potentially including privacy breach disclosure. As such, effective incident response must span all of these functions and include representation from across the organization: IT, legal, compliance, privacy, marketing, HR, and so on. The only way to ensure the effectiveness of such a far ranging exercise is through practice.

Key Takeaways

  • Banks must act swiftly to contain breaches and assume worst-case scenarios.
  • UK GDPR requires notifying the ICO within 72 hours if individuals’ rights are at risk.
  • Banks must also notify PRA or FCA when breaches could impact service delivery or cause serious customer detriment.
  • A robust incident response plan including detection, analysis, and post-incident review is essential.

References

Frequently Asked Questions

What’s the first step after detecting a cyber‑attack?
Contain the breach by gathering system data, analyzing intruded systems and network traffic, and creating backups while assuming worst‑case scenarios.
When must a bank notify the ICO?
Under UK GDPR the bank must notify the ICO within 72 hours of awareness if the breach likely risks individuals’ rights and freedoms.
Do banks need to notify any other regulators?
Yes, UK banks must notify the PRA or FCA as soon as aware if the incident could impact their ability to serve customers or cause serious customer detriment.
What should be included in regulatory notification?
Details of the breach, affected data and number of records, likely consequences, and steps taken or planned to remediate and prevent recurrence.

Tags

Related Articles

Image for Why Curiosity Is the Hidden Engine Behind Every Big Idea

Why Curiosity Is the Hidden Engine Behind Every Big Idea

Image for The Silent Shift Reshaping Global Finance

The Silent Shift Reshaping Global Finance

Image for The Invisible Forces Rewiring Global Finance—And Why the Shift Is Already Underway

The Invisible Forces Rewiring Global Finance—And Why the Shift Is Already Underway

Image for The Global Finance Reset No One Is Talking About—But Everyone Is Feeling

The Global Finance Reset No One Is Talking About—But Everyone Is Feeling

Image for The Financial Trend Hiding in Plain Sight—Why Everything Feels the Same, But Isn’t

The Financial Trend Hiding in Plain Sight—Why Everything Feels the Same, But Isn’t

Image for The Financial System’s New Rhythm—Why Change Is Happening Without Disruption

The Financial System’s New Rhythm—Why Change Is Happening Without Disruption

More from Top Stories

Explore more articles in the Top Stories category

Image for The Subtle Forces Reshaping Global Finance—And Why They Matter Now
The Subtle Forces Reshaping Global Finance—And Why They Matter Now
Image for The Quiet Realignment of Global Finance—Why the System Is Changing Without a Shock
The Quiet Realignment of Global Finance—Why the System Is Changing Without a Shock
Image for The Global Financial Shift That Feels Small—But Is Changing Everything
The Global Financial Shift That Feels Small—But Is Changing Everything
Image for The Financial System’s Invisible Pivot—Why the Biggest Changes Don’t Make Headlines
The Financial System’s Invisible Pivot—Why the Biggest Changes Don’t Make Headlines
Image for Why Global Supply Chains Are Becoming Smarter, Faster, and More Resilient
Why Global Supply Chains Are Becoming Smarter, Faster, and More Resilient
Image for Why Workforce Agility Is Becoming Critical in the Future of Work
Why Workforce Agility Is Becoming Critical in the Future of Work
Image for Why Global Trade Is Entering a New Era of Resilience and Reinvention
Why Global Trade Is Entering a New Era of Resilience and Reinvention
Image for Why Cybersecurity Is Becoming a Core Business Priority in the Digital Economy
Why Cybersecurity Is Becoming a Core Business Priority in the Digital Economy
Image for Why Data-Driven Decision-Making Is Becoming the Backbone of Modern Business Strategy
Why Data-Driven Decision-Making Is Becoming the Backbone of Modern Business Strategy
Image for How Real-Time Data Is Redefining Decision-Making in the Digital Economy
How Real-Time Data Is Redefining Decision-Making in the Digital Economy
Image for Why Cash Flow Visibility Is Becoming the Most Critical Metric for Business Survival
Why Cash Flow Visibility Is Becoming the Most Critical Metric for Business Survival
Image for How Digital Payments Are Redefining the Speed and Scale of Global Commerce
How Digital Payments Are Redefining the Speed and Scale of Global Commerce
View All Top Stories Posts