Data security, cyber risk, and electronic documents are topics that are always top of mind of executives across the world on a daily basis. ESRA gathered a number of industry experts together to discuss these issues and their impact on its constituents.
The participants were:
Rena Mears: Managing Director, BuckleySandler LLP
Nick Brown: Associate Director, Navigant Consulting
T.J. Parks: Senior Advisor, Treliant Risk Advisors
Brown opened the discussion by referencing a bank hacking incident. It involved cyber hacking and what he called “the old time boiler room operation, with the penny stocks and the dialing for dollars.” But this time, though, he noted that this operation was more sophisticated because the scammers were able to raise their legitimacy by getting their hands on information that would only be known by financial services companies.
“You’d think people would have learned, but they never will,” Brown said of the operation. “I’m surprised there wasn’t a Ponzi scheme running too,” he added. He noted that even though people should know better about such scams, even the ones who do realize what they’re getting into think they will outsmart everyone else and pull their money out before getting ripped off.
Brown then went on to discuss other threats the financial services industry is facing, such as external vendors who become insider threats, by which he means hackers have formed partnerships with consultants who sell them user IDs and passwords. “In one case, we were so sure the hacker was coming in under a vendor’s name that we set up a digital recorder and found the hacker coming into the account and collecting credit card data from malware stored on the machine,” he said.
Of course, even if you don’t have a turncoat vendor to deal with, Brown noted, you can be sure that simply putting a server online means it will be tested by hackers, including rogue nations. “We see brute force attacks every day from China and eastern Europe,” he said. “We also se open source code vulnerabilities out there. Hackers have scanners that detect those vulnerabilities and then they exploit those pages to plant malware and get them into the company network, or obtain credit card information, user names and passwords, and so forth.”
He continued: “We’ve seen them targeting credit unions especially this year. The hacker community has learned that as bank security is tightened, credit unions are becoming more like banks. And when all else fails, there are the traditional phishing emails. Why would people fall prey to those? That happens in not only in financial services but also doctors who are fearful they will be locked out of patient medical records if they don’t turn over a user name and password. It’s the suspension of disbelief, as psychologists say, that causes this.”
So what should you do when you have a breach in progress? Brown listed the steps:
- Understand where the hackers entered your system. “One of the lessons learned is that network architecture isn’t what we thought it would be,” Brown said. “Controls are often degraded because projects change, with the intention that the controls will then be strengthened again.”
- Preserve and collect as much information as possible, which is paramount to a breach investigation. Information can be lost because logs roll off on a daily basis.
- Figure out where the data is and who will put it together. Various internal parties typically need to work together, but sometimes they can’t for political reasons or there’s miscommunication that hampers them.
- Figure out how to end the situation. “My team and I go through a series of draining exercises onsite to plug up holes and stop them from coming back in through back doors,” Brown said.
The components of an effective risk mitigation program
Parks then took his turn. “What we’ve seen that will help mitigate the risk of these attacks is to take a three-pronged approach,” he explained. “Protecting, detecting, and responding to the attacks is the first one, and then privacy and security are the other two prongs. You need to take those three functions and move away from the internal silos to defend yourself from the attacks.”
He also listed the components of an effective program:
- Senior management commitment: Boards need to be aware of the risks and environment
- Code of conduct policies and procedures that employees really understand
- Oversight, autonomy and resources
- Risk assessments: The more you do them, the better
- Training: Management needs to know what to do
- Disciplinary measures
- Third party due diligence: Risk assessments need to happen every time a contract is renewed
- Confidential reporting: How do you confidentially report to management and the board and effectively conduct investigations?)
- Continuous improvement: Everything goes stale after a while, so keep up on what your industry is doing to keep your programs current
Risk mitigation isn’t simple
Parks then handed the discussion over to Mears, who talked about why a risk mitigation program isn’t as simple to maintain as Parks made it sound. “You think you’re through the worst of it when you’re told the hackers are gone, but you’re never quite sure they’re gone,” he said. “But equally scary are the regulators: Once there’s a high-value target for hackers, it’s high-value to regulators too, who can be inquisitive to the point of distraction.”
She added: “If you’re talking about a breach of information, you quickly get involved in state breach laws. Nearly all of them have breach notification laws. There are some commonalities, but some are far afield too. You often find yourself having to define what didn’t happen in a breach, for example. The average person in a company assumes that a breach means data left the building, but that’s not the definition in many states, which don’t see data loss as relevant.
“There are also disagreements among the states regarding how long you have to respond to the breach. So now if you can’t prove what information got out and who got in, but you also have to inform the public and talk to regulators, you find yourself having to change the facts of what happened, which doesn’t make regulators happy. You typically have multi-state investigations after that, and then federal regulators who step in.”
She continued with a list of the things regulators look for:
- A lack of “reasonable” cyber security measures. (She noted the case involving Wyndham Hotels, most of which are franchises. There were security lapses and the FTC decided that Wyndham hadn’t had reasonable security, but Wyndham objected because they said there weren’t any guidelines. The courts decided that because the FTC has put out consent agreements, they’ve articulated what is reasonable. Since that’s in the eye of the beholder, it can be tough for companies to figure that out.
- Not designating people who are accountable, such as a chief security officer or having the board review security risks.
- Overly broad data collection.
- No privacy risk assessment.
- The lack of a response plan.
- Lack of employee training.
- Spotty testing of security protocols, especially in new products and online applications.
“You’re responsible for yourself and your vendors,” she noted. “You can’t delete cyber security.”