Financial institutions are under attack by all manner of cyber thieves. And why not? As Willie Sutton said when asked why he robbed banks: “because that’s where the money is.” More important today is the fact that only about 10% of the world’s population has more than $65,000 in assets. That leaves 6+ billion people with fewer assets, some of whom may decide to participate in criminal activities. While such activities were once confined to local targets, the rise of cyber arms dealers enables almost anyone to join a global cyber hacker gang.
To combat these threats, state and federal financial regulatory agencies have issued new cybersecurity standards and guidelines. Unfortunately, these regulations do not suffice to protect your institution from cyber-attacks. Instead, organizations need to add continuous risk management on top of baseline compliance requirements. In this note, we look at evidence-based risk analysis as one technique for building a better cyber defense.
Banks today complain that they are over-regulated. The cluttered landscape of cybersecurity regulations supports this claim. Here is a short list of applicable regulations that require a cybersecurity program.
It’s difficult to build an effective security program around all of these compliance requirements. For one thing, they are updated only infrequently, while hackers change tactics on a monthly basis. Secondly, there are simply too many masters to serve, which makes it hard to develop a comprehensive security program without significant holes or overspending.
Focus on Security, Not Just Compliance
Nevertheless, many organizations try to build a good cybersecurity program around compliance. This is understandable since compliance regulations are traditionally top of mind in the financial industry. The resulting program looks like this:
The challenge is that compliance needs do not make a good security foundation. Gaps may exist, and compliance requirements may not be keeping up with threats. A better approach is to turn this diagram upside down to give:
A strong and comprehensive security program can support any compliance requirement. The security program itself is built on a strong risk management effort based on best practices. One such “best practice” is the NIST Cybersecurity Framework (CSF). A key part of the CSF is to identify threats to the organization. An important component to facilitate threat identification is “evidence-based risk assessment.”
Using Evidence-Based Risk Management
Cyber risk management is the process of minimizing information security risks across the organization. Risk itself is:
Risk = Likelihood x Impact
Risks are best enumerated around business assets and processes. These might include the risk of ATMs being hacked, the risk of insider wire fraud, the risk of a third party being breached, etc. The difficult part of this equation is determining the likelihood of an attack. I am a big believer in evidence-based risk analysis to help answer this question. This is the process of figuring out how many similar events have occurred in your industry or location. This information, in turn, can be obtained from news reports, databases or court cases. You wouldn’t think of opening a new branch without obtaining crime reports for the area. You can’t prevent crimes, but you can implement the appropriate and necessary security controls for your location. It’s the same thing for defending your digital assets: you need to evaluate the relevant “cybercrime” reports. You cannot defend against all types of cyber-attacks equally well, and evidence-based analysis helps prioritize security investment plans.
Example: Financial Institution Privacy Breaches
The Privacy Rights Clearinghouse maintains a public database of breaches across industries. The total number of records breached is 907,453,926 since they started record-keeping in 2005. I looked at the financial industry results for two time periods, 2010 and 2016-2017, to look for trends in the data. The results are shown in the chart.
It’s pretty obvious that hacking attacks have been increasing and that financial institutions’ defenses in this area need to improve.
This type of reasoning belongs in your risk management process. You need to look not only at privacy breaches but also at data integrity breaches (wire fraud) and denial of service attacks. You should have external industry data as well as data on the security events and incidents that have occurred in your own organization. In this way, you can prevent surprises and be best prepared to deal with the inevitable cyber-attack.
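The following is an added worked example of the evidence-based approach described above (counting similar events per period to estimate likelihood, multiplying by impact, and comparing 2010 with 2016-2017); it is not the post's own code, and the breach records, type codes and per-event loss figures in it are constructed for illustration, not real Privacy Rights Clearinghouse data.

```python
from collections import Counter

# Constructed sample records in the style of a public breach chronology:
# (year, industry, breach_type, records_exposed). Made-up values, not real
# Privacy Rights Clearinghouse data; the type codes are illustrative.
EXTERNAL_EVIDENCE = [
    (2010, "financial", "HACK", 40_000), (2010, "financial", "HACK", 12_000),
    (2010, "financial", "INSD", 300), (2010, "financial", "INSD", 1_200),
    (2010, "financial", "INSD", 75), (2010, "financial", "PORT", 8_000),
    (2010, "financial", "PORT", 2_500), (2010, "financial", "DISC", 900),
    (2010, "retail", "HACK", 500_000),  # other industry: filtered out below
    (2016, "financial", "HACK", 150_000), (2016, "financial", "HACK", 60_000),
    (2016, "financial", "HACK", 9_000), (2016, "financial", "HACK", 22_000),
    (2016, "financial", "INSD", 400), (2016, "financial", "INSD", 2_000),
    (2016, "financial", "DISC", 1_100), (2016, "healthcare", "HACK", 3_000_000),
    (2017, "financial", "HACK", 700_000), (2017, "financial", "HACK", 35_000),
    (2017, "financial", "HACK", 4_000), (2017, "financial", "HACK", 80_000),
    (2017, "financial", "HACK", 11_000), (2017, "financial", "INSD", 150),
    (2017, "financial", "PORT", 600),
]
# Constructed incidents from the institution's own records (internal evidence).
INTERNAL_EVIDENCE = [(2017, "internal", "DDOS", 0), (2016, "internal", "INSD", 50)]

# Assumed average loss per event of each type, in USD (hypothetical figures).
IMPACT_USD = {"HACK": 2_000_000, "INSD": 500_000, "PORT": 150_000,
              "DISC": 100_000, "DDOS": 300_000}

def event_counts(records, industries, years):
    """Count events per breach type drawn from the chosen industries and years."""
    counts = Counter()
    for year, industry, btype, _records in records:
        if industry in industries and year in years:
            counts[btype] += 1
    return counts

def annual_rate(records, industries, years, floor=0.0):
    """Likelihood estimate: observed events per year, per breach type.
    `floor` keeps a type with no observed events from scoring zero risk,
    since absence of evidence is not evidence of absence."""
    counts = event_counts(records, industries, years)
    return {t: max(counts[t] / len(years), floor) for t in IMPACT_USD}

def rank_risks(rate):
    """Risk = Likelihood x Impact, highest first."""
    return sorted(((t, rate[t] * IMPACT_USD[t]) for t in rate),
                  key=lambda kv: kv[1], reverse=True)

def trend(records, industries, then, now):
    """Ratio of recent to earlier annual rate per type (None if no earlier events)."""
    before = annual_rate(records, industries, then)
    after = annual_rate(records, industries, now)
    return {t: (after[t] / before[t] if before[t] else None) for t in IMPACT_USD}

if __name__ == "__main__":
    scope = {"financial", "internal"}
    ranked = rank_risks(annual_rate(EXTERNAL_EVIDENCE + INTERNAL_EVIDENCE,
                                    scope, {2016, 2017}, floor=0.1))
    for btype, risk in ranked:
        print(f"{btype}: expected annual loss ~${risk:,.0f}")
```

Running it ranks hacking first by expected annual loss, and `trend()` shows its rate rising between the two periods while insider and portable-device events fall, which is the kind of comparison the chart above makes.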