By Philip Masqullette, SVP, CRO, Ulster Savings Bank
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
As Senior Vice President and Chief Risk Officer for Ulster Savings Bank, located in Kingston, NY, I am responsible for oversight of all Bank risk management functions, including the Bank’s Legal and Compliance departments; I also serve as the Chief Information Security Officer. I previously served as Vice President and Risk Manager at Bankwell in Bridgeport, CT, as First Vice President and Audit/Compliance Officer at Naugatuck Valley Savings and Loan in Naugatuck, CT, and as Senior Attorney with the FDIC. I hold a Master of Business Administration degree from the University of Rhode Island, a Juris Doctorate from the University of Houston, and a Bachelor of Arts degree in Economics from Tulane University.
What, for you, are the benefits of attending a conference like Risk Americas 2019 and what can attendees expect to learn from your session?
In today’s ever-changing threat environment, enterprises, especially financial institutions, need to focus on detection, interception, and eliminating cyber intruders from successfully creating havoc and economic harm on our institutional structures and customer bases. This conference increases awareness and provides tools, if used appropriately, to combat such attacks and other nefarious incidents.
While the top internal risk remains people, specifically the officers and employees of the covered entity through inadvertence, misconduct, or both, mitigation of such risk should be discussed regularly at management and employee meetings. All employees, including officers, need cybersecurity awareness training. Relevant risk assessments and audits will show how this is working and how the process might be improved.
For external risk, whether by hacking or any other illicit method, continued adherence to the New York State Department of Financial Services Cyber Security Framework, including risk assessment and mitigation, can help to reduce the chances of a cyber attack. Controlled phishing attacks can be staged to see if staff click on what could have been harmful links. Personnel who make this error can then be re-educated on the phishing topic.
In your opinion, how can we look to effectively prevent and account for cyber attacks?
Penetration tests should take place regularly. The covered entity may want to purchase a vendor product to provide personnel with enhanced capability to conduct effective internal and external vulnerability tests efficiently. A plan to adopt the regulatory criterion of performing penetration tests should take place at least quarterly.
I note these key points because of the high level of concern regarding the vulnerability of cybersecurity and safeguarding important non-public information from outside sources.
– Have a Cyber Risk Incident Response Plan in place. The plan should describe who, what, when, and how communication will take place by express guidelines. The processes of responses to customer inquiries, law enforcement notification, and press/media interaction should be delineated, so that these requirements may be addressed immediately. A common task list for reference by team members who are named should be in the covered entity’s business continuity plan software.
Without giving too much away, could you provide insights on the future evolution of cyber risks?
While information technology continues to accelerate, and demands for computer fluency in cyberlinguistics will add to the learning curves for all risk professionals, the ability to read, digest, understand, communicate, and make meaningful ever-changing regulatory implementations will be of much value to CROs and other risk managers in their demanding career roles.
A keen awareness of economics, law, and business issues will be critical, going forward. There is a distinct conflict between national security and personal privacy. As nation states, non-state actors, hacktivists, and criminal groups continue to assault our infrastructure, civil liberties may take a back seat to what is really going on. Cyber threats will increase and intensify.
This is not to minimize the potential for extreme harm of incidents. They may be in the form of cyber attacks, denial of service disruptions, malicious code, unauthorized access, inappropriate usage, or ransomware. When such an incident occurs, identify, detect, contain, notify, collect and analyse, eradicate, recover, and follow up.
What are the key implications in identifying vulnerabilities and how can we overcome them?
– Increased knowledge of information and physical security procedures;
– Identification of any possible malfunctions within the process; and
– Effective and efficient response, whether it is a cyber or a physical threat. Each scenario would require a different response plan, including a different crisis communication plan.
What are some considerations for financial institutions to stay ahead in a rapidly evolving market?
Risk and regulations within the industry over the next 6-12 months will become stricter, which would transcend the political climate. Culturally, there is more of a demand for information security and physical security. This increased need for safety and security is a major issue.
Program needs include preparation for analysing and identifying, collection of audit trails and evidence, communication channels, corrective action and recovery, and proactive procedures to ensure appropriate functional response of systems, going forward. Readiness is key.