Key insights
This year has seen a significant rise in cyberattacks on financial institutions, with new regulations like NCUA’s 72-hour reporting rule expected to increase the number of reported incidents.
Key strategies to enhance cybersecurity include committing to continual risk assessment, implementing reliable technologies, and leveraging audits for regular risk examination.
Due diligence on third-party and fourth-party service providers is crucial, as their cybersecurity posture can significantly impact your financial institution’s overall security.
A daunting year of cyberattacks
This year has seen a significant rise in cyberattacks on financial institutions, with new regulations like the National Credit Union Administration’s 72-hour reporting rule expected to increase the number of reported incidents.
Several cyberattacks this year have been attributed to a third-party service provider that fell victim to a ransomware attack in February. This incident is part of a larger trend in recent years, with financial institutions and their third-party service providers becoming frequent targets of ransomware attacks.
- In 2022, a state-owned commercial bank in Costa Rica experienced a massive ransomware attack disrupting online banking services and causing significant financial losses.
- A financial institution in the southwest United States faced a ransomware attack in 2023, exposing sensitive account holder data and highlighting vulnerabilities in its cybersecurity infrastructure.
- Earlier this summer, another financial institution experienced a ransomware attack compromising the account information of several hundred thousand account holders, potentially due to poor user authentication mechanisms, a lack of up-to-date security patching, or inadequate system hardening, among other possible weaknesses.
Financial institutions and their third-party service providers are becoming an increasingly popular target among cybercriminals due to their perceived lack of cybersecurity sophistication, particularly with smaller institutions — though financial asset size doesn’t necessarily correlate with cybersecurity strength and resilience.
If your financial institution has yet to embrace a culture of cybersecurity, here are some fundamental strategies you should implement to help solidify cybersecurity practices throughout your entire organization.
Commit to continual risk assessment
Your financial institution should have a regular risk assessment process for continually evaluating cybersecurity-related risks. Conducting regular risk assessments can help reduce financial risk, operational risk, and reputational risk among account holders and prospective account holders.
Risk assessments should focus on analyzing threats, vulnerabilities, and potential adverse impacts to account holder information and financial integrity of system data. This process should include conducting monthly internal and external vulnerability assessment scanning of all systems in the IT environment.
Vulnerability assessments of systems that handle account holder information, particularly those that are internet-facing, may help expose recently discovered software vulnerabilities, missing security patches from the vendor, and unnecessary services running on the host system that expand the attack surface available to cybercriminals.
Additionally, the assessment process must consider risks presented by third-party service providers, such as cloud-based storage or file transfer services with access to account information. Lastly, fourth-party service providers represent a supply chain risk many financial institutions .
Conduct due diligence with internal controls audits
Because the cybersecurity posture of third-party service providers is beyond your control, it’s critical to conduct due diligence on the provider prior to initial engagement — and every year thereafter where services are used.
Due diligence requires the third-party service provider to undergo a yearly external audit of its internal controls, such as a SOC audit, a cybersecurity assessment leveraging a known framework, and regular external and internal network penetration testing.
While the audit results may give some assurance about the effectiveness of the provider’s internal control structure, remember that outsourcing the maintenance and support of networks and systems to a third-party provider doesn’t eliminate your institution’s accountability for compliance and security.
Implement solid, reliable technologies
Financial institutions don’t need to be on the “bleeding edge” of implementing the latest and greatest cybersecurity solution. However, tried and true technologies — such as implementing encryption on account holder information while stored in a database or data warehouse, and requiring multi-factor authentication for accessing e-banking systems and the corporate network — help decrease the probability of a cybercriminal gaining access to account holder data.
Some conventional network defense technologies, like firewalls and endpoint protections for workstations and servers, have built-in anomaly analysis capabilities that monitor network traffic and flag unusual activity.
Newer capabilities incorporate artificial intelligence to correlate activity collected and analyzed by other systems — like host-based intrusion detection systems and logging and monitoring systems — to effectively thwart an attack.
As the functionality and capabilities of these technologies are continually evolving, you should carefully evaluate the many tools to identify those fitting your financial institution’s needs and level of risk tolerance.
Align your cybersecurity program with leading practices and regulations
If you’re unclear how to align your financial institution’s cybersecurity program with clear, solid guidance, a good place to start is by identifying the regulations to which your financial institution is subject, namely the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). A financial institution that institutionalizes the GLBA’s safeguard controls has a solid foundation to refine and build on while maturing its cybersecurity program.
GLBA compliance can be augmented by aligning controls with an established cybersecurity framework or with other industry regulations — such as the Payment Card Industry Data Security Standard, which provides technical control requirements focused on securing debit and credit card information but generally enforces good security practices throughout an organization.
Incorporating regulatory compliance efforts and practices from a known framework into day-to-day business operations may help reduce the risk of a successful and enterprise-wide cyberattack.
Leverage audits for regular examination of risk areas
Managed service providers contracted by financial institutions to provide some aspect of securing, maintaining, and managing the IT environment are often too close to the situation to really see risks that could adversely impact the security of account holder information. The same notion applies to financial institutions with in-house IT staff.
Instead, financial institutions should leverage IT audits performed by independent, objective parties to identify risk areas associated with how the IT environment is maintained and secured.
IT audits should be multifaceted, covering various potential weak points such as:
- System patch management processes (including firmware)
- Network and system hardening processes
- Incident response and disaster recovery planning and testing
- System change management processes and quality assurance checks
Furthermore, an independent, third-party firm specializing in cybersecurity can conduct regular penetration tests against your network infrastructure and any internet-facing web applications. Such measures can serve as a quality assurance function and as validation that the network and systems have been configured appropriately to mitigate cyber risks and attempts at system exploitation.
Kevin Villanueva