State of Affairs: Cybersecurity & Privacy Regulations
“A Cyberattack can’t blow up the world, but it can upend geopolitical stability. It can destroy national alliances, and work to undermine the most powerful democracy on Earth. It can even undercut the very idea of truth. Short of nuclear weapons, hacking has become the most destabilizing tool in geopolitics.”
Cyberattacks seem to be making headlines all over the world, leading to growing concerns over privacy and security for consumers, enterprises, and governments alike. The issue affects countries, businesses, and individuals everywhere. Cybersecurity is a global problem.
With such widespread issues and so much at stake, what rules and regulations are currently in place to address the issue?
The primary federal acts that address cybersecurity are the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLB), the Homeland Security Act of 2002, and the Federal Information Security Management Act of 2002 (FISMA). Many of these regulations are nearly a decade old, and since technology evolves at a rapid pace, so do the criminals.
Viruses dominated headlines in the 1990s, affecting consumer and commercial devices. Credit cards began falling victim to attacks in the late 2000s. As early as 2005, criminals began targeting payment card information from retailers. Companies learned the hard way the consequences of being unprotected and thereby started using more sophisticated security systems (Julian, 2014). The Target breach in 2013 ushered in the modern era of data breaches, involving the theft of 40 million credit and debit cards, and more recently the Equifax breach affected 145.5 million people. The pace of regulation has thus far not kept up with the advancements in technology and the brazen criminals exploiting vulnerabilities in antiquated corporate systems. New rules would join existing mandatory state, federal, and foreign cybersecurity regulations.
There are also some voluntary standards that many financial institutions already follow, such as the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS), and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool. However, these tools do not work well together, and as a result, the adoption of yet another cybersecurity regulation could add to the chaos and the massive regulatory burden already facing financial institutions (Global, USA, 2017).
On October 19, 2016, three federal banking regulators – the Federal Reserve System (FRS), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) – issued advance notice of proposed rulemaking for new cybersecurity regulations for large institutions with over $50 billion in assets. The framework is intended to address “cyber incident or failure” that could “impact safety and soundness.”
The proposed federal cybersecurity framework broadly addresses five cybersecurity categories:
- Cyber Risk Governance – A cyber strategy must identify cyber risk, address mitigation strategies, establish reporting structures for cyber incidents, and provide a means of testing the effectiveness of the cyber strategy.
- Cyber Risk Management – requires institutions to adopt “three lines of defense”:
  - Assess risk and report incidents;
  - An independent risk management function that would identify, measure, and monitor the effectiveness of cyber risk controls and report exceptions to senior management; and
  - An independent audit function to assess whether the cyber risk management framework complies with applicable laws and regulations and is appropriate for the financial institution.
- Internal Dependency Management – maintain a current and complete list of all internal assets and business functions, including mapping the connections and information flows between those assets and functions.
- External Dependency Management – maintain complete lists of all external dependencies, analyze the risks associated with external relationships, and identify and test alternative solutions in the event an external partner is compromised or otherwise fails to perform as expected.
- Incident Response, Cyber Resilience, and Situational Awareness – an effective plan for responding to, and quickly recovering from, disruptions caused by cyber incidents, including incidents targeting external service providers. The rules would require the institution to provide backup storage for critical records; establish contingency plans if it is unable to perform a service due to a cyber incident; test for cyber events; and identify and gather intelligence on potential threats (Global, USA, 2017).
What Guidance is there today?
For now, it seems there is only scattered guidance available for financial institutions at the federal level in terms of expectations for a cybersecurity framework. The National Institute of Standards and Technology (NIST) is also in the process of developing a “Framework for Improving Critical Infrastructure Cybersecurity.” The Cybersecurity Enhancement Act of 2014 (CEA) updated the role of NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. The Framework was initially established under Executive Order 13636 in February 2013 and continues to evolve under the CEA. The Framework Core Functions are currently outlined as: Identify the risks, Protect with appropriate safeguards, Detect the occurrence of a cybersecurity event, Respond to a detected cybersecurity event, and Recover with a plan for resilience. The last revision to the Framework was on December 5, 2017 (National Institute of Standards and Technology, 2017).
The United States is trailing behind its European counterpart in the arena of cybersecurity. On April 27, 2016, the European Union adopted the General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. The regulation is intended to strengthen and unify data protection for all individuals within the EU and will affect all enterprises doing business in the European Union, even if they are not headquartered in the EU. Cybersecurity is an issue that transcends borders and politics. Data protection is a time-sensitive matter that should be at the forefront of every nation’s list of growing concerns.
Social engineering is still the biggest threat to data security. The best way a financial institution can protect itself is to stay educated and current on the scams and hacking techniques that are out there. Social engineering is the act of tricking people into divulging confidential information (such as passwords or ID numbers) or taking actions (such as opening an email attachment that contains malicious code) that give the attacker access to computer systems holding valuable personal data. There are dozens of known social engineering tactics, both in person and online. Criminals work on the premise that all employees have some access or corporate knowledge, and they seek to exploit an employee’s trusting nature.
[Figure: phishing statistics. Source: Verizon 2016 DBIR]
What are some of the risks and how to avoid them?
In person, a social engineer tries to “blend in,” “lurk,” or simply “impersonate.” With the proper fake credentials, people are easily duped. Impersonators usually play one of the following roles: a fellow employee (especially a new employee seeking help), someone from another office in the company, a vendor, or someone in authority (e.g., building “management” or “security”). Online and telephone social engineering tactics include fake phone calls and messages, phishing emails, and fake texts (SMiShing) that seek to deceive or scare users into divulging personal data or credentials, or into clicking on links that deliver malware and compromise the security of the computer or device. Common scams include a forgery of the standard notification received when a Google Doc or Dropbox document is shared, and a message appearing to come from a bank or favorite payment app saying that your account has been frozen and to “click here.” People are still being duped by these schemes, and evidence suggests that more and more are falling for the scams every year. According to Verizon’s 2016 Data Breach Investigations Report, 30% of phishing messages were opened, and 12% of recipients went on to click the malicious attachment or link; both figures were worse than the previous year. There are always the passive or low-tech scams to worry about as well, including dumpster diving and shoulder surfing (USA, 2017). Ultimately, ignorance is not bliss, and education is the key to cutting down on the data breaches that stem from social engineering tactics.
The best way financial institutions can mitigate their risks is to listen and learn from the past missteps of their peers. Banks should consider the Equifax breach a loud wake-up call. The Equifax hack took place between mid-May and July of 2017, and the breach was discovered on July 29, 2017. Where Equifax failed, and managed to make matters even worse, was in the manner in which the company responded to the discovery. Company executives waited six weeks before letting the public know about the breach, and in that time three Equifax executives sold off a combined $1.8 million in company stock days after learning of the breach. Equifax is offering free credit monitoring for a year, but given the magnitude of the breach and its long-term impact, a year is not enough. Disturbingly, this was the third time Equifax had been hacked in 2017. This breach was massive, but the two previous breaches within a year should have told Equifax executives they had vulnerabilities they needed to patch (Editorial, 2017). The 2013 Target breach settled at a cost of $140 million to financial institutions, consumers, and government bodies. Target reports it has incurred costs of over $292 million from the data breach, partially offset by insurance recoveries of $90 million (Cybersecurity Bits and Bytes, 2017).
These are hardly unique events; there have been numerous major data breaches in recent years. In case you forgot, here are a few of the breaches that have occurred since 2013:
- 2014 Neiman Marcus: 1.1 million credit cards exposed
- 2014 J.P. Morgan Chase: 76 million household accounts exposed
- 2015: SWIFT international bank network heist resulted in millions of dollars being stolen
- 2015: US Office of Personnel Management: 22.1 million individual Social Security numbers and other sensitive information were exposed (~7 percent of the U.S. population)
- 2016: Yahoo!: 1 billion accounts compromised since 2013
- 2016: Uber: 50+ million users’ and drivers’ account information exposed. Uber attempted to cover this up until it confirmed the hack in 2017.
Long story short, the costs of data breaches can be immense, the hits are both financial and reputational, and they are not restricted to specific industries.
Not only should we take breaches seriously and react swiftly and efficiently, but we should also stay “in the know” regarding the evolving industry-specific cybersecurity guidelines, frameworks, and specifications. We should closely follow regulatory activity related to cybersecurity and privacy topics specific to our industry. Obviously, there is a lot of noise and chatter in the mainstream news, and tracking relevant agency activity can be cumbersome. No organization can yet say with certainty that it has completely safeguarded itself from cyber threats. We are all learning from one another and implementing defensive safeguards as we go. As with most things, staying informed is critical. Keeping track of cybersecurity and privacy-related updates from regulatory agencies and standardization bodies, and keeping an eye on industry activities and trends at a global level, is an important first step.
Compliance.ai allows financial services organizations to focus on consequential regulatory content relevant to their business. Try a free 30-day trial to see how Compliance.ai can help you monitor regulatory activity related to cybersecurity and privacy topics. Signing up only takes a few seconds, and you’ll get immediate access to the full product.
Cybersecurity Bits and Bytes. (2017, June 12). Yet Another Target Settlement Highlights Data Breach Costs. Retrieved from Compliance.ai.
Dreyfuss, E. (2017, July 21). As Cyberattacks Destabilize the World, the State Department Turns a Blind Eye. Retrieved from Wired: https://www.wired.com/story/state-department-cybersecurity/
Editorial. (2017, September 12). The Equifax Breach: What lesson will other companies learn? Retrieved from Chicago Tribune: http://www.chicagotribune.com/news/opinion/editorials/ct-edit-equifax-data-breach-0913-20170912-story.html
Global, USA. (2017, March 13). Proposed Federal Cybersecurity Regulations for Financial Institutions Face an Uncertain Future. Retrieved from Compliance.ai (Lexology).
Julian, T. (2014, December 4). Defining Moments in the History of Cyber-Security and the Rise of Incident Response. Retrieved from Infosecurity Magazine: https://www.infosecurity-magazine.com/opinions/the-history-of-cybersecurity/
National Institute of Standards and Technology. (2017, December 5). Framework for Improving Critical Infrastructure Cybersecurity.
USA. (2017, December 5). Despite Equifax Breach Causes, Social Engineering Still Biggest Threat to Data Security. Retrieved from Compliance.ai.
USA. (2017, July 19). Rise of State Cybersecurity Rules in Financial Services. Retrieved from Compliance.ai.