
Managing the new normal of cyber resiliency for financial institutions

Apr 23, 2020

Prior to COVID-19, cybersecurity had already risen to the top of financial institutions’ mission-critical initiatives. The threat to data integrity has steadily increased, from individual criminals who steal and exploit customer data to government-backed hackers. Now financial institutions’ resiliency to cyber threats and network intrusions is being tested more than ever, as employees have largely shifted to a remote working environment and consumers head online in record numbers to manage their financial needs.

With millions now working from home, entire workforces have shifted to digital-only access. If there are any gaps in an organization’s security protocols and procedures, this altered reality has the potential to expose them. Managing the interwoven relationships between financial institutions and their third- and fourth-party vendors has emerged as a critical step in closing this potential security gap in what has become the industry’s new normal.

In the know

Cyber resiliency is both an organization’s ability to withstand cyberattacks and threats and its capacity to resume operations with minimal impact in the event of a business disruption. For financial institutions, prioritizing the safety of both consumer data and internal systems is paramount. Frequently, however, institutions tend to “check the box” of compliance without ensuring that their actual security posture and remediation processes are suitable for, or comparable to, the risk they face. With COVID-19 changing the business landscape for many, it is reasonable to expect security protocols to change with it.

Part of this is understanding the recent history of cyberattacks and the impact they can have on both consumers and the bottom line. By studying similar attacks and infiltrations, financial institutions can gain valuable insights for becoming more resistant to phishing attacks, DNS breaches and potential exploits within their vendor/security frameworks. With a committed focus on vigilance, financial institutions will gain a better perspective and a much clearer picture as they look for any potential problem areas within their own vendor relationships.

Case in point

Hackers know where an organization’s weaknesses are and recognize the challenge associated with breaching a financial institution directly. Oftentimes an institution’s vendors are an easier pathway to achieve a breach. Banco de Chile underwent a sobering example of this kind of vendor loophole exploitation when hackers attacked the bank through a third-party DNS server that the bank itself had not considered part of its attack surface. The hackers were able to take over the DNS server through avoidable vulnerabilities, and then redirected bank customers to an imposter website to harvest valid credentials.

The Banco de Chile hackers, like many others, were trying to access sensitive information for demand deposit (DDA) accounts, credit cards, loan accounts, social security numbers, and more. Notably, the size of an institution has nothing to do with either its vulnerabilities or its readiness, and it is certainly not important to hackers. Hackers primarily care about the availability and ease of access through an institution’s systems and/or vendors.

In the Banco de Chile case, the hackers who were able to breach the DNS server were not specifically targeting the bank. It may very well have started with a phishing email that determined which institutions had connections with a given vendor’s services, and from there the hackers simply focused on the path of least resistance to the bank with the largest gap in security. Often, once a financial institution is chosen, malware is sent through to the target institution, and the door is propped open, allowing hackers direct access moving forward. They then essentially have free rein over all the information within the institution. Given this, how exactly should a financial institution ensure that it and its vendors are protected and secure?
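The redirection described in the Banco de Chile case is detectable from the institution's own side, because the answers customers receive no longer match the records the institution published. The script below is an added example written for this article; it is not code from the original page, from Wipfli or from Banco de Chile. It compares a constructed baseline of expected A and NS records for a placeholder domain (example-bank.test) against constructed answers from several resolvers, and it separates normal round-robin subsets from foreign addresses and changed delegations. In production the observed answers would be gathered on a schedule from independent public resolvers and from the vendor's authoritative servers.

```python
"""DNS drift check for an institution's customer-facing hostnames.

Added example: compares expected records with what resolvers return, so a
third-party DNS takeover that redirects customers shows up as a finding.
"""
from dataclasses import dataclass

# Constructed baseline for a hypothetical institution. example-bank.test and
# vendor-dns.test are placeholders. In practice this comes from the
# institution's change-controlled DNS inventory.
EXPECTED = {
    "www.example-bank.test": {
        "A": {"203.0.113.10", "203.0.113.11"},
        "NS": {"ns1.vendor-dns.test", "ns2.vendor-dns.test"},
    },
    "online.example-bank.test": {
        "A": {"203.0.113.20"},
        "NS": {"ns1.vendor-dns.test", "ns2.vendor-dns.test"},
    },
}

_NORMAL_NS = {"ns1.vendor-dns.test", "ns2.vendor-dns.test"}

# Constructed observations keyed by resolver. resolver-a and resolver-b behave
# normally (resolver-b returns a round-robin subset). resolver-c returns a
# foreign address and a changed delegation for the login host, which is the
# pattern a DNS server takeover produces.
OBSERVED = {
    "resolver-a.test": {
        "www.example-bank.test": {"A": {"203.0.113.10", "203.0.113.11"}, "NS": _NORMAL_NS},
        "online.example-bank.test": {"A": {"203.0.113.20"}, "NS": _NORMAL_NS},
    },
    "resolver-b.test": {
        "www.example-bank.test": {"A": {"203.0.113.11"}, "NS": _NORMAL_NS},
        "online.example-bank.test": {"A": {"203.0.113.20"}, "NS": _NORMAL_NS},
    },
    "resolver-c.test": {
        "www.example-bank.test": {"A": {"203.0.113.10", "203.0.113.11"}, "NS": _NORMAL_NS},
        "online.example-bank.test": {"A": {"198.51.100.77"}, "NS": {"ns1.unknown-dns.test"}},
    },
}


@dataclass(frozen=True)
class Finding:
    resolver: str
    host: str
    rtype: str
    unexpected: frozenset  # answers not in the baseline
    missing: frozenset     # baseline answers the resolver did not return


def compare_records(expected, observed):
    """Return one Finding per (resolver, host, record type) that deviates."""
    findings = []
    for resolver, answers in observed.items():
        for host, rtypes in expected.items():
            for rtype, want in rtypes.items():
                got = set(answers.get(host, {}).get(rtype, set()))
                unexpected = got - want
                missing = want - got
                if unexpected or missing:
                    findings.append(Finding(resolver, host, rtype,
                                            frozenset(unexpected), frozenset(missing)))
    return findings


def severity(finding):
    """Foreign NS means the delegation itself moved; foreign A means traffic is
    being sent elsewhere; a subset of expected answers is ordinary round-robin."""
    if finding.unexpected:
        return "critical" if finding.rtype == "NS" else "high"
    return "info"


def triage(findings):
    """Bucket findings by severity so the critical ones are reviewed first."""
    buckets = {"critical": [], "high": [], "info": []}
    for f in findings:
        buckets[severity(f)].append(f)
    return buckets


if __name__ == "__main__":
    for level, items in triage(compare_records(EXPECTED, OBSERVED)).items():
        for f in items:
            print(f"[{level}] {f.resolver} {f.host} {f.rtype} "
                  f"unexpected={sorted(f.unexpected)} missing={sorted(f.missing)}")
```

Running the script reports one informational finding (resolver-b's partial A answer for www) and two findings from resolver-c for the login host: a high-severity foreign A record and a critical delegation change. Treating a missing-only result as informational keeps load-balanced answers from paging anyone, while any answer the institution never published is escalated regardless of which resolver returned it.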

Best practices

Due diligence is the easiest, most efficient and effective means of ensuring cyber resiliency. Throughout this process, financial institutions must not only develop but also critically test their information security and incident response plans and make sure their critical vendors are testing theirs as well. By doing so, they can gauge the overall cyberattack readiness level and how likely they are to deflect one. The knowledge gained from these tests is invaluable in identifying and solving any potential vulnerabilities and provides institutions with a baseline standard to implement and navigate an overarching vendor management program — the capstone for any effective due diligence and preparedness plan. 

From here, the best course of action is for financial institutions to create a comprehensive roadmap of all their vendors, including third- and even fourth-party relationships and connections, in order to clearly mark how the institution connects and interacts with each vendor. It is ideal to have a joint continuity plan in place with the vendor, something that the FFIEC refers to in its Appendix J, which directly addresses core cyber resiliency guidelines.

This will give financial institutions the ability to see exactly where potential vulnerabilities in the framework are and then address those issues directly with the appropriate parties to ensure compliance and effectiveness. If a weakness is uncovered, institutions must address the vendor that is failing to uphold its own due diligence in protecting its customers. If that vendor does not have the resources available or the subject matter expertise to help in the implementation of a cyber resiliency framework, then it may be time to revisit the relationship. If a vendor cannot provide what is needed, it is time to identify a different vendor that can provide the necessary compliance.

Conclusion

The ongoing search for methods and tools to enhance security and for available countermeasures against attacks takes on new importance as millions around the world shift to a new, digital and mostly remote working and banking environment. Cyber resiliency has become make or break for financial institutions as instances of these threats continue to rise and become more complex. It is perhaps more important than ever for financial institutions and their vendors to work together to continuously improve security in order to safeguard not only themselves, but their customers as well.

Author(s)

Mike Morris, CISA
Principal

COVID-19 resource center | Wipfli