As we approach the next decade, data integrity and cyber security have risen to the top of financial institutions’ list of mission-critical initiatives. With instances of government-backed hackers and other unscrupulous individuals seizing and exploiting customer data on the rise, it is crucial to ensure a bank or credit union’s resiliency to cyber-attacks and network intrusions is stronger than ever. Particularly, closing the potential gaps in the interwoven relationships between financial institutions and their third- and fourth-party vendors has emerged as a critical step in this process.
At its core, cyber resiliency can be defined as an organization’s ability not only to withstand various cyber-attacks and threats, but also to resume operations with minimal impact or disruption in the event of an actual attack. For banks and credit unions, the priority of cyber resiliency is safeguarding customer and member data (as well as the FI’s own) and internal systems from cyber threats, while establishing strong contingency plans that allow for fast, efficient responses should an attack occur. Too often, institutions can be lulled into simply checking a box from a compliance standpoint, but in best practice they must have an effective response plan in place to address an occurrence and to be prepared for future cyber events. As part of their planning, financial institutions need to understand how these cyber-attacks can impact their customers, and ultimately their bottom lines. By studying other reported, similar attacks and infiltrations, banks and credit unions can gain valuable insights for becoming more resistant to phishing attacks, DNS hijacking, and potential exploits within their vendor and security frameworks. Armed with these “lessons learned” and a committed focus on vigilance, FIs will have a better perspective and a much clearer picture as they look for gaps in their own vendor relationships.
When evaluating potential vulnerabilities, it is important to note that hackers do not look solely at the bank or credit union for an attack vector; they also look at the institution’s third- or even fourth-party vendors. It is important to consider these soft spots from a hacker’s point of view. Hackers recognize the challenge of breaching a bank or credit union directly, so instead they look to the institution’s vendors as an easier pathway to a breach. Recently, Banco de Chile provided a sobering example of this kind of vendor loophole exploitation: the attackers reached the bank through a third-party DNS server that the bank itself had not considered part of its attack surface. The attackers took over the DNS server through vulnerabilities that could easily have been addressed, and then redirected bank customers to a fake website under their control to harvest valid credentials for the electronic banking application.
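To make the detection side of a DNS redirection concrete, here is an added example (not code from the original article, and not anything used by Banco de Chile) of the kind of check an institution can run against its own customer-facing hostnames: resolve each name through several resolvers or vantage points and compare the answers with the addresses the bank itself published. The hostnames, addresses and resolver names below are constructed. If every resolver agrees on an address the bank never published, the authoritative data at the DNS host or registrar has most likely been changed; if only some resolvers disagree, a single poisoned or compromised resolver is the first place to look.

```python
import socket
from dataclasses import dataclass

# Constructed inventory: the addresses the bank itself published for each
# customer-facing hostname (what its own change records say should be served).
EXPECTED_A = {
    "ebanking.example-bank.test": {"203.0.113.10", "203.0.113.11"},
    "www.example-bank.test": {"203.0.113.20"},
}


@dataclass(frozen=True)
class Finding:
    hostname: str
    scope: str             # "authoritative" (all resolvers wrong) or "resolver" (some wrong)
    resolvers: tuple       # resolvers that returned an unpublished address
    unexpected: frozenset  # the unpublished addresses that were returned


def check_answers(expected, observed):
    """Compare per-resolver answers with the published records.

    expected: {hostname: {ip, ...}}
    observed: {hostname: {resolver_name: {ip, ...}}}
    Returns one Finding per hostname that had at least one bad answer.
    """
    findings = []
    for host, per_resolver in observed.items():
        want = expected.get(host, set())
        bad = {name: frozenset(ips - want)
               for name, ips in per_resolver.items() if ips - want}
        if not bad:
            continue
        # Every resolver wrong => the authoritative data itself was changed
        # (DNS-host or registrar takeover). Only some wrong => cache poisoning
        # or a single compromised resolver, or a change still propagating.
        scope = "authoritative" if len(bad) == len(per_resolver) else "resolver"
        findings.append(Finding(
            hostname=host,
            scope=scope,
            resolvers=tuple(sorted(bad)),
            unexpected=frozenset().union(*bad.values()),
        ))
    return findings


def resolve_with_system(hostname, port=443):
    """Live IPv4 lookup through this host's configured resolver. Run it from
    several vantage points (branch, data center, cloud) and pass the results to
    check_answers keyed by vantage point."""
    infos = socket.getaddrinfo(hostname, port, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


# Constructed observations for a scripted run: every resolver now serves an
# unpublished address for the e-banking host, while only one public resolver
# returns a bad answer for the marketing site.
SAMPLE_OBSERVED = {
    "ebanking.example-bank.test": {
        "internal-resolver": {"198.51.100.7"},
        "public-resolver-a": {"198.51.100.7"},
        "public-resolver-b": {"198.51.100.7"},
    },
    "www.example-bank.test": {
        "internal-resolver": {"203.0.113.20"},
        "public-resolver-a": {"203.0.113.20"},
        "public-resolver-b": {"198.51.100.9"},
    },
}

if __name__ == "__main__":
    for f in check_answers(EXPECTED_A, SAMPLE_OBSERVED):
        print(f"{f.hostname}: {f.scope}-level hijack suspected; "
              f"{', '.join(f.resolvers)} returned {sorted(f.unexpected)}")
```

Any finding is an incident regardless of scope: cached answers bound by TTL can make an authoritative hijack look resolver-level while it propagates, so the scope only tells the responder where to look first (the DNS host and registrar account, or the resolver). Hostnames behind a CDN or load balancer will need their expected set updated whenever the provider legitimately changes addresses, which is itself a change the institution should be tracking.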
What information are these individuals trying to access through their intrusion attempts? Typically, DDA (demand deposit account) information, credit card information, loan account information, Social Security numbers, and other sensitive customer data are all on the table in these attacks. Something important, but often overlooked, is that the institution’s size is not particularly relevant to a hacker. The target could be a small community bank or credit union in a rural area, or the main data center of a large, international institution. Increasingly, hackers care primarily about the availability and ease of access through an institution’s systems and/or vendors. In the Banco de Chile case, the hackers who breached the DNS were not specifically targeting the bank. It may very well have started with a phishing campaign that revealed which institutions relied on a given vendor’s services, and from there they simply followed the path of least resistance to the bank with the largest gap in security. Often, once a bank or credit union is chosen, malware is sent through to the target institution, and the door is propped open, allowing the hacker direct access moving forward. They now essentially have free rein to all the information within the
Mandiant (now FireEye), an incident response and threat intelligence firm that traces intrusions back to their source, released its APT1 report in 2013, which provided some sobering insights into just how pervasive this issue could be. The report traced the intrusions to PLA Unit 61398, operating out of a military building in Shanghai, and estimated that this one group alone was staffed by hundreds, and perhaps thousands, of people. What makes this truly concerning is that APT1 was only one of more than 20 groups with origins in China that Mandiant was tracking at the time. With China’s reported workforce estimated at over 700 million and the U.S. home to approximately 7,000 to 8,000 banks, it is not difficult to extrapolate the potential threat to virtually any bank or credit union in the nation should those resources be leveraged against it.
Given this, how exactly should a bank or credit union ensure that it and the vendors it works with are protected and secure?
The due diligence aspect of cyber resiliency is a critical best practice. Planning allows financial institutions to test their information security and incident response plans, gauging their readiness for a possible cyber-attack and how likely they are to deflect one. Applying the knowledge garnered from these tests, and from other scenarios in which attacks have actually occurred, allows FIs to use the lessons learned from those events to “fill in the gaps” in their own institutions. With the cyber resiliency of vendor relationships being a primary concern, an overarching vendor management program is the capstone of any effective due diligence and preparedness plan.
Vendor Management and Relationships
The best course of action for banks and credit unions is to create a comprehensive chart or “road map” of all their vendors, covering both third- and fourth-party relationships and connections, and clearly marking how each connects to and interacts with the institution. Doing so lets them see exactly where the potential vulnerabilities in the framework are and then address those issues directly with the appropriate parties to ensure compliance and effectiveness. It is ideal to have a joint continuity plan in place with the vendor, such as described in Appendix J of the FFIEC (Federal Financial Institutions Examination Council) Business Continuity Planning booklet, which directly addresses core cyber
A final point to consider is how and when to address a vendor that is failing to uphold its own due diligence in protecting its customers. If the vendor lacks the resources and subject matter expertise to help implement a cyber resiliency framework, it may be time to revisit the relationship. If that vendor cannot provide what is needed, the institution must identify a different vendor that can meet the necessary compliance requirements.
The need for effective cyber resiliency, and the ongoing search for methods and tools to enhance security and the countermeasures available against attacks and intrusions, will continue to be top of mind for today’s and tomorrow’s banks and credit unions. As these threats continue to rise and become more complex, it is perhaps more important than ever for financial institutions and their vendors to work together to continuously improve their security in order to safeguard not only themselves, but their customers and members as well.

Terry Ammons, CPA, CISA, CTPRP, and Mike Morris, CISA, CISSP, are partners at Porter Keadle Moore (PKM), an Atlanta-based accounting and advisory firm serving public and private organizations in the financial services, insurance and technology industries as well as a diverse group of entrepreneurial small business clients.