Maintaining Strong Cybersecurity Controls Is Imperative as Online Threats Increase
by Benjamin Clem, Senior Bank Examiner, Supervision, Regulation, and Credit, Federal Reserve Bank of Richmond and Michelle Fitch, Advanced Bank Examiner, Supervision, Regulation, and Credit, Federal Reserve Bank of Richmond
Leading up to the COVID-19 pandemic, bankers, regulators, and trade groups consistently mentioned cybersecurity as a top risk facing the banking industry.1 Cyberthreats are evolving, and cybercriminals are launching an increasing number of attacks. The coronavirus pandemic has created new opportunities for hackers to use these tactics. Bank management is encouraged to maintain a strong cybersecurity program to deter cybercriminals from exploiting this current health crisis.
This article discusses online threats and the prudent controls bank management can use to protect their financial institutions from these threats. In particular, this article focuses on ransomware, which is a specific type of malware2 that cybercriminals are using more frequently, and explains the importance of staying up to date on industry best practices and guidance. In this article, the risks and controls are discussed at a high level; therefore, this should not be considered a comprehensive guide for mitigating cybersecurity risks. More detailed guidance and examination considerations can be found in the Additional Resources box.
Additional Resources
Supervision and Regulation (SR) Letters
- SR Letter 11-9, “Interagency Supplement to Authentication in an Internet Banking Environment”: Discusses risk assessment requirements and expectations on controls to mitigate the risk of identity theft and incidents. www.federalreserve.gov/supervisionreg/srletters/sr1109.htm
- SR Letter 05-23, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice”: Describes the components of a response program and procedures to notify customers about incidents.
- SR Letter 05-19, “Interagency Guidance on Authentication in an Internet Banking Environment”: Discusses security measures to reliably authenticate customers.
FFIEC IT Booklets
- Business Continuity Management: Focuses on pertinent information related to incident response.
- Information Security: Discusses effective information security programs.
FFIEC Cybersecurity Assessment Tool
- Provides a tool to help assess an institution’s cybersecurity risk and preparedness.
Ransomware Attacks on the Rise
Ransomware is a type of malware that encrypts the files on a computer or within a system, enabling an attacker to demand a payment in exchange for the user regaining access. Perhaps the most significant ransomware attack was the WannaCry attack in 2017,3 which gained notoriety because of its widespread reach, infecting computers across the globe. The number of ransomware attacks has increased steadily in recent years. According to the 2020 Beazley Breach Briefing,4 which provides information on cyber trends based on information from its clients, ransomware attack notifications against its clients increased 131 percent year over year to 775 incidents in 2019. Financial institutions represented 16 percent, or 124, of the reported incidents.
The Beazley Breach Briefing also states that the two most common means of deploying ransomware are phishing emails and poorly configured or secured remote access. The pandemic has provided cybercriminals with more opportunities to use these tactics, as many banks are operating in a modified environment in order to protect their staffs and serve their customers and communities. This environment includes more remote work by employees and vendors, which could increase the possibility of a breach if appropriate controls and security systems are not in place. Additionally, hackers are using targeted phishing schemes that give the appearance of legitimate coronavirus-related emails. According to Barracuda Networks,5 coronavirus-related email attacks began in January and grew exponentially in March. Through March 23, 2020, coronavirus-related email phishing attacks increased 667 percent from February 2020 totals to 9,116 incidents.
Key Internal Controls
To prevent ransomware attacks and secure customers’ information, senior bank management should validate that key controls are in place. Additionally, proper cyber hygiene, with a focus on endpoints and connection points to the bank’s network, can help neutralize the spread of ransomware in the event the systems are breached. Listed below are several key internal controls that can help protect an organization against ransomware attacks:
- Antivirus and Antispam Applications — Verify that antivirus and antispam solutions are current and actively running on all network devices. In particular, enable antivirus programs to automatically update virus signatures. Antispam software will assist in stopping phishing emails from reaching the network. If possible, a warning banner should appear on all external emails. This will alert users to review external emails thoroughly and help prevent clicking on links and opening attachments from suspicious sources.
- Patch Management — Patching all hardware, operating systems, software, and applications (including cloud locations) helps mitigate and fix known vulnerabilities that can be used in a ransomware attack. If possible, use a centralized patch management system and implement appropriate application6 and software restriction policies to prevent the execution of programs in common ransomware locations, such as temporary folders. Implementing configuration management or standardizing the settings and installations for hardware and software configurations can help limit the areas of vulnerability within the network and the patching required. Lastly, given the increased remote work by employees and vendors, it is important to validate that patch management tools and practices are in place for timely and systemic patching of remote devices.
- Identify and Authenticate — User access controls are a cornerstone for any information security program and can help prevent poorly secured remote access. Bank management should continue to apply the principles of least privilege and network segmentation where possible.7 It is important that employees access the bank’s network using a secure connection and equipment that is approved for use based on the bank’s remote access policy. Remote access protocols can be strengthened by adding time-of-day restrictions to each user, in accordance with business needs. Additionally, employees should use multifactor authentication, such as one-time passcode generators or physical tokens, and encryption to secure communications. Consider the use of a proxy server for internet access points and ad-blocking software. Restricting user access to common ransomware entry points, such as social networking sites and personal email accounts, while logged into the bank’s network will help reduce the possibility of clicking on malicious links. Finally, bank management should include appropriate security requirements in contracts with third-party vendors that have access to the organization’s network and monitor compliance with the agreed-upon cybersecurity protocols.
- Data Backups — Bank management should establish a backup system that allows multiple iterations of backups to be saved in case a copy includes encrypted or infected files. The bank’s information technology (IT) management should routinely test the backup system for data integrity and to determine if recovery point and recovery time objectives (established in the business continuity plan) are met.
- Training — The most common threat to any organization is human error, which can undermine any sound system of controls. Successful training programs provide concentrated and frequent education on how to avoid these human errors and include information on phishing schemes, ways to identify phishing attempts, and the bank’s incident response plan. Employees should be trained on how to identify suspicious emails and to avoid clicking links or opening attachments in such emails. Encourage employees to exercise caution before visiting unknown websites. Providing frequent reminders to staff to remain vigilant is particularly important as cybercriminals attempt to capitalize on the pandemic. Finally, taking steps to educate customers on how they can protect themselves from cyberthreats may help reduce fraud at the bank while also adding value for the customer. Customers can be educated through a variety of means, including providing educational pages on the bank’s website, sponsoring outreach events, or making informational pamphlets available in the branch lobbies.
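The Data Backups control above calls for keeping multiple backup iterations and testing them against the continuity plan’s recovery point and recovery time objectives. The following is an added illustration, not code from the article or from any bank’s backup tooling: it verifies each saved generation against the digest recorded in the backup catalog, falls back to the newest copy that still verifies, and reports whether that copy meets the RPO and RTO. The catalog format, the sample generations and the restore times are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class BackupGeneration:
    """One saved iteration of a backup set (constructed sample, not a real catalog format)."""
    taken_at: datetime
    payload: bytes          # stand-in for the archived files
    recorded_sha256: str    # digest written to the backup catalog at backup time
    restore_minutes: int    # restore time measured in the last recovery test

def is_intact(gen: BackupGeneration) -> bool:
    """Integrity test: the archive's current digest must match the catalog entry."""
    return hashlib.sha256(gen.payload).hexdigest() == gen.recorded_sha256

def latest_recoverable(gens: List[BackupGeneration]) -> Optional[BackupGeneration]:
    """Newest generation that still verifies; older iterations matter when the newest is bad."""
    for gen in sorted(gens, key=lambda g: g.taken_at, reverse=True):
        if is_intact(gen):
            return gen
    return None

def meets_objectives(gens, now: datetime, rpo_hours: float, rto_hours: float) -> dict:
    """Check the best usable copy against the business continuity plan's RPO and RTO."""
    good = latest_recoverable(gens)
    if good is None:
        return {"recoverable": False, "rpo_met": False, "rto_met": False}
    age_hours = (now - good.taken_at).total_seconds() / 3600
    return {
        "recoverable": True,
        "rpo_met": age_hours <= rpo_hours,            # data loss window acceptable?
        "rto_met": good.restore_minutes <= rto_hours * 60,  # restore fast enough?
    }

def make_generation(taken_at, data: bytes, encrypted_after_backup=False, restore_minutes=90):
    """Constructed sample: the catalog digest comes from the clean data, so a copy that
    ransomware encrypted after it was catalogued no longer matches that digest."""
    digest = hashlib.sha256(data).hexdigest()
    stored = b"\x00encrypted\x00" + data if encrypted_after_backup else data
    return BackupGeneration(taken_at, stored, digest, restore_minutes)

NOW = datetime(2020, 4, 1, 9, 0)  # constructed reference time for the checks
SAMPLE_GENERATIONS = [
    make_generation(NOW - timedelta(hours=2), b"ledger-v3", encrypted_after_backup=True, restore_minutes=60),
    make_generation(NOW - timedelta(hours=26), b"ledger-v2", restore_minutes=90),
    make_generation(NOW - timedelta(hours=50), b"ledger-v1", restore_minutes=120),
]
```

With the sample data, the newest copy fails verification, so the 26-hour-old copy becomes the restore candidate and a 24-hour RPO is missed; this is the case the article’s “multiple iterations” advice is meant to surface in testing rather than during an actual incident.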
Incident Response Plan
In order to respond effectively to a ransomware attack, bank management should establish an effective incident response plan. Responsibilities for executing the plan should be assigned, adequate training should occur, and the plan should be sufficiently tested. When possible, relevant stakeholders and third-party providers should be included when testing the plan. Additionally, bank management should periodically review and update the incident response plan based on changes to the bank and/or the cyberthreat landscape. A key component of this plan is how bank management will act in the event of a ransomware attack. When reviewing the bank’s incident response plan, personnel can consider the following key elements of a comprehensive plan:
- Identification — The incident response plan should outline indicators used to identify potential security breaches. Indicators may come from a variety of internal and external sources, including anomalies identified in monitoring logs, alerts from intrusion identification systems and tools, or information obtained from customers, law enforcement agencies, or other organizations. Additionally, the plan should define the roles and responsibilities for staff or outside vendors to investigate potential indicators. The tools available to the institution to assist in performing the investigation should also be detailed within the plan. When a breach is confirmed, the investigation should identify the systems and information affected.
- Containment — Once the source of breached systems and information is identified, the incident response plan should detail how to contain the damage. Bank management should perform the following:
  - Stop the virus spread by isolating any systems that have been compromised
  - Employ enhanced monitoring activities to identify if any additional systems become compromised
  - Reset passwords for accounts that were breached or block accounts that may have caused the incident
  When forensic analysis is necessary, the incident response plan should also detail which firms the bank may use for forensic analysis (considering any applicable cyber insurance policy). The plan should also discuss by what means evidence will be collected and preserved.
- Restoration — Bank management should perform restoration and follow-up strategies as outlined in the Federal Financial Institutions Examination Council (FFIEC) Information Security IT Booklet.8 The strategies should include:
  - Eliminating the attacker’s means of further accessing the system
  - Restoring the bank’s systems, programs, data, and files to their previous working state
  - Monitoring the bank’s systems to quickly identify similar or related incidents
- Communication — When navigating through an incident, management should be responsible for keeping key stakeholders informed:
  - Customers: The incident response plan should outline how security events will be reported to customers in a timely manner, adhering to applicable statutory or regulatory compliance obligations. SR letter 05-23, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,”9 highlights “if the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.”
  - Insurance Company: If the bank has purchased a cyber insurance policy, notifying the insurance company as soon as the breach is identified is imperative. Most carriers have reporting windows in which clients must file a claim. These windows will typically begin on the day the breach is identified, and claims are often denied if filed after the designated time period.
  - State and Federal Regulators: The incident response plan should align notification requirements with state and federal regulatory guidelines. As it pertains to federal regulators, SR letter 05-23 notes an institution should “notify its primary regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers.” This notification allows regulators to use incident information “to inform future supervisory guidance and identify trends in information security developments.” Finally, bank management should determine if a Suspicious Activity Report will be filed.
The Federal Reserve and the other member agencies of the FFIEC issued a joint statement on April 10, 2018, “Cyber Insurance and Its Potential Role in Risk Management Programs,” to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.10 While cyber insurance may be an effective tool for mitigating financial risk associated with cyber incidents, the agencies do not require banks to have this insurance.
Some banks have purchased cyber insurance policies to offset financial losses resulting from cyber incidents. If an institution already has an insurance policy to cover cyber incidents or is considering obtaining coverage, bank management should involve the IT individuals who best understand the bank’s policies, procedures, and internal controls so that the appropriate coverage is obtained. These individuals should also be consulted to evaluate whether or not the bank’s policies, procedures, and internal controls are aligned with the requirements specified in the insurance policy; they should also make sure any insurance application or renewals are filed appropriately. Misrepresentations, omissions, concealments, or incorrect statements in a bank’s application for insurance may be grounds for rescission of the policy.
Cybercrimes are evolving, and cybercriminals are exploiting the disruptions caused by the global pandemic. Therefore, individuals who are responsible for bank cybersecurity should stay informed on the latest industry guidance. A sound control environment is the most effective way to prevent incidents at financial institutions. In the event the bank’s system is breached, it is imperative that bank management and staff are well trained to execute the bank’s incident response plan. This is a challenging time for the banking industry; however, maintaining a strong cybersecurity program should remain a priority to prevent cybercriminals from getting a foothold in your institution.
- 1 For example, 571 institutions responded to the 2019 Conference of State Bank Supervisors’ national survey of community banks, and the results indicate cybersecurity is viewed by bankers as the most important risk to their organization. For more information, see www.communitybanking.org/~/media/files/publication/cb21publication_2019.pdf.
- 2 Malware is a malicious code used by cybercriminals. A computer virus is an example of malware.
- 3 For more information about the WannaCry ransomware, see U.S. Department of Homeland Security, “What Is WannaCry/WanaCryptor?,” available at https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf.
- 4 The 2020 Beazley report is available at www.beazley.com/news/2020/beazley_breach_briefing_2020.html.
- 5 This information is based on spear-phishing email attacks detected by Barracuda Sentinel. See https://blog.barracuda.com/2020/03/26/threat-spotlight-coronavirus-related-phishing/ for more information.
- 6 Only applications that have been added to a pre-approved list should be allowed to run within the network. Consequently, any applications that are not on this list should be blocked from running.
- 7 Network segmentation is the process of splitting a network into subnetworks, each protected by a firewall. This can help mitigate the impact of a malware attack by isolating it to a particular subnetwork.
- 8 See the FFIEC Information Security Booklet.
- 9 SR letter 05-23 is available at www.federalreserve.gov/boarddocs/srletters/2005/sr0523.htm.
- 10 Refer to the FFIEC website at www.ffiec.gov/cybersecurity.htm for the joint statement on “Cybersecurity Awareness” and other related materials.