Corporate Account Takeover (CATO) incidents and the fraud losses that financial institutions suffer continue to escalate. The Federal Reserve Bank of Atlanta shared a statistic that Corporate Account Takeover (CATO) fraud reached $4.9 billion in 2012, representing a 69% increase over 2011. In 2014, data breaches are setting record highs, with Target, Home Depot, JP Morgan, Ebay, Jimmy Johns, DQ, and others making headlines monthly. In addition to these reported breaches, two mega vulnerabilities were announced in 2014, Heartbleed and Shellshock. Both have dramatically increased risk within third party environments. Security analysts are monitoring a new wave of losses from small merchants; the Secret Service announced in August that an estimated 1,000 local businesses have been victims of Point Of Sale malware. These incidents create concentrated debit/credit card fraud in smaller communities, and the local financial institutions often suffer the losses. A shift has also been observed in cybercrime targeting more vulnerable opportunities such as mobile devices, and this will likely continue, especially with the rapid adoption of mobile payments. Last, we see an increase in crimes against ATM networks and ATM systems, where criminals jackpot the systems and scoop up the cash.
Financial Institutions Targeted
Cybersecurity is a threat that financial institutions face on multiple fronts. Social engineering attacks against employees and hacking attempts against the institution’s network infrastructure are encountered on a daily basis. Cyber threats also target third party relationships that serve as data warehouses of information. And if that wasn’t enough to concern institutions, their business customers are also being targeted with sophisticated CATO attacks. This article will explore each of these areas and focus on the responsibility to defend against cybersecurity threats.
Planning and Taking Responsibility
Most individuals understand they are ultimately accountable for the decisions and actions they make. When an incident or event affects our lives by placing an unprovoked burden on us, we look to hold someone accountable for that event. It’s easy to understand the importance of this when hearing about a doctor leaving surgical equipment inside a patient or an architect failing to make the foundation of a building strong enough. This is because we know these situations involve highly educated decision makers and professionals who are aware of the consequences of their actions. A famous warrior, Sun Tzu, stated that “The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.” Are small to medium sized financial institutions doing many calculations to ensure they are preparing to win the battle? Does the risk assessment analyze threats and help make decisions? Are we training employees and business customers on an adequate basis? Do we ask our third parties the difficult questions about security? Do we know what we need to know to adequately prepare for battle? The secret to preparing for a battle is having the knowledge to fight your opponent. Financial institutions can’t realistically make calculations about battle if they are unsure what they are fighting against. The motivation to understand these issues comes from a clear understanding of our responsibility for customer information and accountability for our actions.
Information Security Program
Most security experts would suggest that Social Engineering (particularly phishing) is a significant threat and a primary tool of cybercriminals. In 2014, Verizon stated that 67% of breaches started with a phishing scam. In 2012, the ICBA Technology Survey suggested that only 45% of community banks test their employees with Social Engineering Assessments, which would include phishing assessments. This suggests we have room for improvement in understanding our cybersecurity threats and building a risk management approach that drives appropriate controls in financial institutions. As an institution, we need to empower our organization with knowledge and create accountability. Increasing the current understanding of cybersecurity threats amongst employees will dramatically improve security within the organization. The internal team can then be augmented with industry experts and resources to assist as necessary; if the team understands its opponent, then it can make the necessary calculations.
Accountability Begins With the Board of Directors
With that, it appears that education and awareness are critical for employees, board members, and senior management. But where does this culture start? To create accountability for the security threats we face today, we need to ensure adequate education and awareness have reached all levels of the institution. This allows the institution to build Information Security Programs that drive adequate security processes. The FFIEC Information Security Booklet states that “The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program”. The FFIEC statement can be applied to the responsibility of any board member at any type of business. Most bankers can relate to a lack of education and awareness at the board level, so the accountability may be real, but the board’s ability to oversee the entire process may not truly be effective. This culture and understanding of information security needs to be effective; it can’t simply be assigned through the title and actions of a particular person. Senior management in every financial institution needs to take on this mission to resolve these issues and help provide those opportunities to the board, to themselves, and to employees. Today, senior management is the best positioned and generally carries the accountability to build an adequate Information Security Program, and it needs to drive this process both upward towards the board and downward towards the employees, and inevitably out towards customers and third parties.
Managing Third Party Relationships
Financial institutions are adopting technology at a faster rate each year. The ICBA survey also suggests that most organizations are exploring mobile banking, online account opening, customer payment solutions, and cloud technologies. Financial institutions will likely leverage third party relationships in most, if not all, of these new technology initiatives. The FDIC FIL-44 2008 states “A financial institution’s board of directors and senior management are responsible for identifying and controlling risks arising from third-party relationships to the same extent as if the third-party activity were handled within the institution.” In so many cases we see financial institutions assuming the third party is handling the responsibility. The key issue is understanding that financial institutions outsource the operation of the solution and its security controls, not the responsibility to understand risk. Third party relationships introduce an increased amount of risk to the financial institution, as the implemented security controls are not as transparent as in-house solutions. An example of this responsibility is that financial institutions are responsible for knowing whether customer data is protected from threats like “Shellshock” and “Heartbleed”; when a third party holds customer data it becomes a bigger challenge to verify that these issues are resolved, but the responsibility remains. Financial institutions that are accountable for this responsibility need trained staff to handle these complex relationships and ensure the institution is protecting the information it has entrusted to third parties.
Effective Planning and Increasing Employee Accountability
When taking a closer look at the systems financial institutions have more control over and transparency into, we can identify accountability concerns as well. If an employee of a financial institution clicks on a phishing email that was sent as part of a social engineering test, how accountable do most institutions hold that employee today? As discussed earlier, phishing is responsible for most breaches experienced today. SBS does phishing tests for many financial institutions around the country, and 83% of the time at least one employee of an institution clicks on a phishing email, which in most cases is enough to compromise a financial institution. Financial institution risk analysis processes must identify this risk and require better mitigating controls. Employees need improved and more frequent information security training opportunities and tighter management of employee behavior. Institutions need to develop a solid understanding of threats and control options, and closer oversight by the board of information security program components.
Take the Lead with Business Customers
Now compare your employees’ level of education and awareness in the phishing situation to that of an employee at a small business. A small business employee is less likely to be prepared for a phishing threat than an employee of a financial institution. Clicking on that phishing attack can cause an infection on the business customer’s computer, leading to a Corporate Account Takeover (CATO). Financial institutions would like to hold that employee, and the business, accountable for the CATO losses. There are a lot of variables in this situation, and our court systems are working to establish case law around this accountability. It seems clear to most financial institutions that business customers need to be accountable, as institutions simply cannot reasonably secure a business’s computer. If workstations that initiate ACH and Wire transactions continually become infected with banking malware, institutions will continue to fight a losing battle. Who should be ultimately responsible and who is responsible today are simply not the same. Recognizing the weakness here: business customer employees are less educated and trained than financial institution employees, and most financial institutions are more knowledgeable about these threats than small businesses.
Regulation and case law are clarifying this responsibility for financial institutions. The FFIEC’s “Authentication in an Internet Banking Environment” guidance dedicated an entire section to “Customer Awareness and Education”. The NACHA Operating Rules now require financial institutions to ensure originators have a security framework in place to secure non-public personal information related to ACH entries. One significant court case, involving Choice Escrow, ruled in favor of the financial institution; this case was won primarily because multiple security controls had been suggested by the financial institution and rejected by the business. Most other court cases have ruled in favor of the business customer, and none of these rulings have concerned cases arising after the release of the new FFIEC guidelines, which impose more requirements on financial institutions. Some financial institutions have voiced hesitancy about getting involved in educating business customers about cybersecurity threats, as it might increase their liability in the event of a security breach at a business customer. The fact of the matter is: in every CATO case, 100% of the time the financial institution suffers reputational damage, and most of the time it suffers the fraud losses. Today, if financial institutions are not assigned the responsibility of educating business customers, who will?
Cybercrime of Tomorrow
If you believe that our culture will become more reliant on technology, then logic suggests that security threats will increase. In the small to medium size financial institution space, it seems unlikely that the adoption of technology solutions will slow for mobile banking, mobile cash management, online account opening, interactive teller machines, and electronic payment solutions. It seems just as unlikely that cybercriminals will fail to innovate and attack new technology, online products, third party data warehouses, and cash transmitting business customers. It is also unlikely that employees, board members, senior managers, vendor managers, and business customers will independently become cybersecurity defense conscious.
To begin addressing these concerns, start by understanding that the misuse of technology for nefarious purposes will continue to increase indefinitely in the financial industry and that financial institutions will be looked upon to address these issues. Equip yourself with knowledge, then share that knowledge with the board, employees, and customers. Become more efficient at the repeatable information security processes, so more focus can be given to designing and implementing risk mitigations. Don’t delay taking action; the responsibility that was deferred yesterday may resurface tomorrow. Create accountability through education and awareness at all levels of the institution and in all aspects of business, including customer actions.
“The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.” – Sun Tzu
SBS understands that education in security processes and awareness of security threats are necessary to assist financial institutions in addressing cybersecurity issues. Without knowledge, proper calculations cannot be performed, and battles will be lost for financial institutions, third parties, and customers. Leverage your association’s conferences, webinars, and certification programs for information security opportunities. Take responsibility for customer information and hold all individuals accountable for their actions.
This article can be found featured in the November 2014 issue of Transactions. Not a subscriber? Visit the Transactions page on this website or call PACB at 717-231-7447 to start receiving the magazine.