In the first four months of 2014, news reports have regularly detailed cyber-attacks on victims ranging from small companies to nation-states. An existential threat to many organizations, cyber-attacks can target the integrity of an entire industry, from financial services to power generation. Regulators throughout the world are therefore stepping in to drive meaningful action where they believe it is required. These early efforts may be the harbingers of future legislation, and may give rise to standard approaches and to forums for debating the efficacy of those approaches. Just this week, the Governor of New York State, Andrew Cuomo, announced “the release of a cyber security report that shows the growing risk and sophistication of cyber attacks facing New York banks, and directed the Department of Financial Services (DFS) to conduct new, regular, targeted cyber security preparedness assessments of the banks DFS regulates.”
Attacks continue to change the information security landscape, and this change hasn’t gone unnoticed by regulators. Depending on where your business operates, you must now demonstrate your diligence against these threats. Here for your review are six regulatory bodies that are currently addressing cyber threats.
Organization: National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
In response to a Presidential executive order, on Oct. 22, 2013 the United States NIST released the preliminary version of its Cybersecurity Framework, which aims to better secure U.S. critical infrastructure operators, companies and government agencies. The preliminary draft went into significantly greater detail than the discussion draft released on Aug. 28, which had laid out the higher-level principles of the framework, items referred to as ‘pillars.’
The three central pillars of the framework were designed to give industry and government a common cyber security taxonomy; to establish goals and intended targets; to identify and prioritize opportunities for improvement; to assess progress; and to improve communication among stakeholders.
The final framework (version 1.0) was released on February 12, 2014. Although adoption is voluntary, it should be the driving force behind the way in which US Government-operated and US Government-procured systems are secured against cyber-attacks going forward.
Organization: Office of the Superintendent of Financial Institutions (OSFI) DDoS Memorandum (Canada)
Earlier this year, large Canadian-based banks were hit by cyber-attacks in which one or more attackers used distributed "denial of service" attacks to disable some bank websites and mobile applications. Similar to Operation Ababil, which targeted US-based banks in 2012, these attacks slowed down website operations and left many bank sites inoperative for a significant portion of their customers.
Mindful of this very real threat and the need to manage risk, on October 28, 2013 OSFI released a memorandum to federally regulated Canadian financial institutions ("FRFIs") discussing the measures that should be taken to prevent, manage and remediate cyber-attacks. The memorandum states that cyber security is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in the economy. As part of this memorandum, OSFI required all FRFIs to conduct a self-assessment of their cyber risks and to take action against those risks. OSFI will also review the quality of each assessment and the corresponding risk mitigation steps.
Organization: FFIEC Joint Statement Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources (US)
The Federal Financial Institutions Examination Council (FFIEC) members issued joint statements to notify financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (ATM) and card authorization systems, and with the continuation of DDoS attacks on public-facing websites.
The statements describe the steps the members expect institutions to take to address such attacks and highlight resources institutions can use to help mitigate the risks they pose. The members also expect financial institutions to address DDoS readiness as part of their ongoing information security and incident response plans. More specifically, each institution is expected to monitor incoming traffic to its public website, activate its incident response plan if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers where appropriate.
The FFIEC is guiding its members to do the following:
- Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
- Monitor Internet traffic to the institution’s website to detect attacks;
- Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
- Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
- Consider sharing information with organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and law enforcement. Attacks can change rapidly, and sharing information can help institutions identify and mitigate new threats and tactics;
- Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
Organization: Securities and Exchange Commission Cyber Exams (US)
On April 15, 2014 the SEC announced inaugural cybersecurity examinations of registered broker-dealers and investment advisers, along with the list of questions its examiners will use as a guide to these reviews. The SEC governs most of the financial services firms that do not fall under FFIEC jurisdiction, so mutual funds, wealth managers and hedge funds (among many others) are regulated not by FFIEC guidelines but by SEC guidelines. Unlike the FFIEC and its member agencies (the Federal Reserve, OCC, FDIC, NCUA and CFPB), the SEC had up to this point conducted only ad hoc security reviews rather than routine ones.
The assessment questions directly address a set of cyber-attack scenarios:
“Since January 1, 2013, has your Firm experienced any of the following types of events? If so, please provide a brief summary for each category listed below, identifying the number of such incidents (approximations are acceptable when precise numbers are not readily available) and describing their significance and any effects on the Firm, its customers, and its vendors or affiliates. If the response to any one item includes more than 10 incidents, the respondent may note the number of incidents and describe incidents that resulted in losses of more than $5,000, the unauthorized access to customer information, or the unavailability of a Firm service for more than 10 minutes. The record or description should, at a minimum, include: the extent to which losses were incurred, customer information accessed, and Firm services impacted; the date of the incident; the date the incident was discovered; and the remediation for such incident.”
- Malware was detected on one or more Firm devices. Please identify or describe the malware.
- Access to a Firm web site or network resource was blocked or impaired by a denial of service attack. Please identify the service affected, and the nature and length of the impairment.
- The availability of a critical Firm web or network resource was impaired by a software or hardware malfunction. Please identify the service affected, the nature and length of the impairment, and the cause.
- The Firm’s network was breached by an unauthorized user. Please describe the nature, duration, and consequences of the breach, how the Firm learned of it, and how it was remediated.
- The Firm was the subject of an extortion attempt by an individual or group threatening to impair access to or damage the Firm’s data, devices, network, or web services.
Organization: Office of the Comptroller of the Currency Guidance (US)
In December 2012, the Office of the Comptroller of the Currency (OCC) notified the financial institutions it supervises that DDoS attacks were on the rise, and that it expects those institutions to identify the risks associated with the attacks and to notify the OCC and others if they come under attack. The alert reads: “Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance.”
The alert reiterates the OCC’s expectation that banks have risk management programs that identify and appropriately consider new and evolving threats to online accounts, and that adjust customer authentication, layered security, and other controls as appropriate in response to changing levels of risk. The OCC expects banks that are victims of, or adversely affected by, a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution, including customer account information, or damages, disables or otherwise affects critical systems of the bank.
Organization: National Credit Union Administration Risk Alert (US)
In February 2013, the National Credit Union Administration (NCUA) issued a Risk Alert to the credit unions it supervises on “Mitigating Distributed Denial-of-Service Attacks.”
The alert included the following text: “The increasing frequency of cyber-terror attacks on depository institutions heightens the need for credit unions to maintain strong information security protocols. Recent incidents have included distributed denial-of-service (DDoS) attacks, which cause Internet-based service outages by overloading network bandwidth or system resources. DDoS attacks do not directly attempt to steal funds or sensitive personal information, but they may be coupled with such attempts to distract attention and/or disable alerting systems.”
The alert clearly conveys the urgency and ferocity of the attacks, and makes the point that the issue is broader than the availability of credit union systems: a DDoS attack may also serve as cover for fraud or as a means of blinding alerting systems.
No one can say for certain how all of this will play out. However, given the increasing frequency, targeting, and effectiveness of these attacks, we can safely assume that regulators and legislators will heed public calls to action and will continue to drive prescriptive steps for all relevant organizations to follow.