Assessing cyber risk and effectiveness of controls as techniques and threats evolve

Philip Masquelette, Chief Risk Officer, Ulster Savings Bank

Below is an insight into what can be expected from Philip’s session at Risk Americas 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can improving risk culture help Financial Institutions be more aware of cyber risks?

On March 3, 2023, the Biden-Harris Administration released the National Cybersecurity Strategy, which ‘details the comprehensive approach President Biden’s Administration is taking to better secure cyberspace and ensure the United States is in the strongest possible position to realize all the benefits and potential of our digital future.’[1] Thwarting ransomware attacks is of significant importance to individuals, small businesses, and local governments, and especially to financial institutions, whether global in size, regional, or part of the community banking space. The goal is to keep our digital ecosystem safe, reliable, and secure.

Risk and regulatory requirements within the industry will become stricter over the next 6-12 months, regardless of the political climate. Culturally, there is more of a demand for both information security and physical security, and this increased need for safety and security is a major issue. Program needs include preparation for analyzing and identifying incidents, collection of audit trails and evidence, communication channels, corrective action and recovery, and proactive procedures to ensure that systems respond appropriately going forward. Readiness is key.

Penetration tests should take place regularly, at least quarterly. The covered entity may want to purchase a vendor product that gives personnel enhanced capability to conduct effective internal and external vulnerability tests efficiently. These are crucial points because of the high level of concern over cybersecurity vulnerabilities and over safeguarding important nonpublic information from outside parties.

Change, compliance, cost, continuity, and coverage are the cybersecurity elements that together form priority protection for the confidentiality of nonpublic digital information and information systems. Ransomware infections derive substantially from phishing episodes. Accordingly, employee training that teaches caution is the key to reducing ransomware incidents. Periodic phishing quizzes are a must. Follow-up by management on repeated phishing test failures is a necessity to hold ‘habitual clickers’ accountable; roundtable discussions are not just highly recommended but warranted.

Why should Financial Institutions look to understand the systematic nature of cyber risks?

Sabotage, theft, espionage, fraud, and competitive advantage are part of the world in which we live. “Systemic cyber risk” is an integral part of “systemic risk”: the question is how one event could bring about or lead to a development that triggers widespread failures across different levels, entities, industries, or nation states. Commonplace threats can quickly evolve into multi-stage attacks. Reduction of systemic cyber risk is centered around finding concentrated sources of risk that, if mitigated, not only provide organizations cost benefits from heightened risk management but also manage critical risks to the Nation’s security and economic security.[2]

What should Financial Organizations include to ensure continuity in the event of an attack?

Have a Cyber Risk Incident Response Plan in place. The plan should describe, through explicit guidelines, who communicates what, when, and how. The processes for responding to customer inquiries, notifying law enforcement, and interacting with the press and media should be delineated, so that these requirements may be addressed immediately. A common task list for reference by named team members should be kept in the covered entity’s business continuity plan software and in handy three-ring binders.

Business continuity plans should include a cyber resilience strategy that can help a business withstand disruptive cyber incidents. The plans typically include ways to defend against those risks, protect critical applications and data, and recover from breach or failure in a controlled, measurable way. Specific types of incidents, such as cyberattack, denial of service or disruption, malicious code, unauthorized access, and inappropriate usage, will each set in motion what to do, how to do it, and the roles and responsibilities of designated members of the incident response team.

Mitigants such as data backups, mitigating controls, anti-malware, disaster recovery planning, training to increase awareness, incident response planning, risk assessments, audits, exams, and retention of third-party vendors to provide tabletop exercises and other practice drills are all in play. As to risk mitigation, avoidance, reduction, transference, and acceptance are different pieces of the same puzzle. Resources, both internal and external, can be brought in to perform whatever is necessary when (not if) a cyberattack has occurred within the company. There will, of course, be pressure to return to normal operations as quickly and efficiently as possible, yet not before complete forensics and appropriate patching have occurred.

How can Financial Institutions ensure security across third parties and supply chain?

Third-party risk management is important because failure to assess third-party risks exposes an organization to supply chain attacks, data breaches, and reputational damage. Economic, environmental, political, and ethical risks could disrupt an entity’s operations. Cyberattacks have become a predominant risk in modern supply chain management. Coordinated security measures to ensure the integrity of supply chain data, the safety of goods, and global economic security are crucial.

Beyond that, on a purely non-technical level, for those not working remotely, employees should wear identification badges in office locations and stop to ask unaccompanied strangers whether they need assistance. Vendor representatives, such as auditors, outside counsel, and other consultants, are to be provided visitor badges when they arrive at the reception area, and this approach applies to bank examiners as well. They are accompanied to scheduled conferences within the premises. Tailgating into restricted areas should not be allowed.

The potential threat is that information may be accessed to cause harm to customers, colleagues, and the community, whether through compromise of data, disruption of business functions, and/or monetary or physical damage. In all cases, understand that third-party vendors may, and likely will, continue to be targeted, ultimately so that ransomware and malware can injure those third parties’ clients and their users.

How has the threat of cyber-attacks increased due to the Ukrainian war?

Russia’s invasion of Ukraine could impact organizations both within and beyond the region, including through malicious cyber activity against the U.S. homeland, for instance as a response to the unprecedented economic costs imposed on Russia by the U.S., our allies, and partners. Keep in mind that it is not just about Russia. China, Iran, North Korea, and other autocratic states with revisionist intent are also potential threat actors in digital technologies. Every U.S.-based organization, large and small, and those of our allies and partners must be prepared to respond to disruptive cyber incidents.[3]

[1] National Cybersecurity Strategy, March 2023, The White House, Washington.

[2] Source (second part of the answer): cisa.gov, systemic-cyber-risk-reduction.

[3] Source: cisa.gov.