New technologies often bring new vulnerabilities with them, and in this period of rapid innovation, managing the associated operational risks is the most urgent task facing banks, a top U.S. banking official advised this week.
Speaking before the American Banker Regulatory Symposium in Arlington, Va., Martin J. Gruenberg, chairman of the Federal Deposit Insurance Corp. (FDIC), noted in his prepared remarks the growing importance cybersecurity is playing in risk management.
“We all know that the continual adoption of new technologies has long been a vital part of maintaining the competitiveness of financial institutions in a rapidly changing marketplace,” he said. “Whether a community bank, a regional, or a mega-bank, they are continually making strategic investments in new information technologies that can help serve their customers, manage risks, and improve efficiencies.”
Risk never stops
But risks remain. JPMorgan Chase & Co., for example, was recently attacked by cyberthieves who accessed data through a security hole in a Chase consumer-facing site, after extensive research had equipped them with custom malware specifically targeted at the financial institution. Fortunately, according to the FBI, the attackers limited their actions to Chase and did not attack other financial institutions.
But one of the troubling lessons from the Chase data breach is that organized cybercrime gangs today are quite good at avoiding the patterns detectable by most security software.
“Most of the many millions of dollars spent on cybersecurity are focused on opportunistic attacks—hackers that enter through a security flaw and use common malware to steal information,” reported Venturebeat. “The security software that prevents against these kinds of attacks is predictive and attempts to know what attacks will look like if hackers infiltrate the system so it can neutralize the problem quickly.”
The news source quoted Eyal Firstenberg, vice president of cyber research at cybersecurity firm LightCyber, as saying today’s cyberthieves deliberately avoid such predictability. “It is just now that we are witnessing the emergence of companies and technologies that do not presume to predict a specific attack vector, but it is still not widespread,” he said in the article.
In his remarks this week, Gruenberg noted that in an increasingly interconnected banking environment, Internet cyber threats have rapidly become the most urgent category of technological challenges facing U.S. banks.
“The large number and sophistication of cyber attacks directed at financial institutions in recent years requires a shift in thinking,” he said. “Cybersecurity is no longer just an issue for the IT department. Instead, it needs to be engaged at the very highest levels of corporate management.”
Cybersecurity has become an issue of the highest importance not only at the FDIC, but also for the Federal Financial Institutions Examination Council (FFIEC) and its member agencies as well as the federal government as a whole, Gruenberg said.
In June 2013, the FFIEC formed a new Cybersecurity and Critical Infrastructure Working Group to serve as a liaison with the intelligence community, law enforcement, and the Department of Homeland Security on issues related to cybersecurity and the protection of critical infrastructure. Its purpose is to help the banking agencies collaborate in developing examination policy, in training and information sharing, and in coordinating their responses to cybersecurity incidents, Gruenberg noted.
The working group also is undertaking an assessment of the banking sector’s overall readiness to address a significant cyber threat. Its report will include a self-assessment of regulatory practices to ensure that our own guidance and response capabilities are up to date, he said.
In addition, the FDIC has initiated a number of programs this year to assist community banks in their awareness of cyber threats and to provide practical tools to help mitigate these risks.
“We're clarifying our expectations with regard to actions community banks should take when problems are identified at their [third-party service providers] and guiding these banks to zero-cost resources that can assist them in assessing their vulnerability to cyber threats,” Gruenberg said. “Clearly, this work will be ongoing.”
Many of the operational risks that emerging threats pose are not really new, Gruenberg added.
“Instead, new technologies are forcing us to think differently about familiar categories of operational risk,” he said. “Today, ‘business continuity’ increasingly means preserving the ability to maintain access to customer data and to consistently ensure the integrity and security of that data. For this reason, we encourage banks to practice responding to cyber threats as part of their regular disaster planning and business continuity exercises.”