CyberWire Daily - Risk and regulation in the financial sector. [CyberWire-X]
Episode Date: December 21, 2018
In the third episode of our four-part series, called “Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace,” we take a look at risk and regulation in the financial sector, specifically how it intersects with cyber security. How do organizations operate in a heavily regulated global financial environment, while protecting their employees, their customers, and the integrity of a system largely built on trust? Joining us are Valerie Abend from Accenture and Josh Magri from the Bank Policy Institute. Later in the program we'll hear from Jason Hart, CTO for enterprise and cybersecurity at Gemalto. They're the sponsors of this show.
Transcript
You're listening to the CyberWire Network, powered by N2K. affecting organizations around the world. This is part three of a four-part series called Ground Truth or Consequences?
The Challenges and Opportunities of Regulation in Cyberspace.
Today, we look at risk and regulation in the financial sector,
specifically how it intersects with cybersecurity.
We'll examine how organizations operate in a heavily regulated global financial environment,
all while protecting
their employees, their customers, and the integrity of a system largely built on trust.
A program note, each CyberWire X special features two segments. In the first part of the show,
we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our
show sponsor for their point of view. And speaking of show sponsors, a word from our sponsor, Gemalto.
Your enterprise is rich with sensitive data at rest and in motion throughout the network.
But what happens if that sensitive data isn't secure or if it's improperly accessed?
We're guessing that regardless of what defenses you have currently implemented,
the thought of your data being stolen or manipulated keeps you up at night.
Gemalto tackles the two main causes of cyber attacks,
identity theft and data breaches.
They do this by providing next-generation digital security built from two technologies,
secure digital identification and data encryption. Gemalto already operates these solutions for many well-known
businesses and governments, protecting trillions of data exchanges. And as independent security
experts, they guarantee digital privacy and compliance with data protection regulations.
Gemalto puts you back in control of your own data.
Visit Gemalto today to learn more about their access management and data protection solutions.
You can also check out the most recent findings from the Breach Level Index,
which tracks the volume and sources of stolen data records.
Go to gemalto.com slash cyberwire to subscribe and learn more. That's gemalto.com slash cyberwire. And we thank Gemalto for sponsoring our show.
The financial services sector is a complex web of financial regulators, all with different missions and different authorities specifically to support those missions.
That's Valerie Abend.
She leads Accenture's Financial Services North America security practice, and she's also their global cyber regulatory lead.
It's perhaps the most complex in the United States. Many of the other
jurisdictions around the world have, you know, one central bank that also is their prudential
regulator. It's their safety and soundness regulator. It regulates their markets, their banks,
payment systems, you know, every kind of aspect of the financial system.
We have nine federal U.S. supervisory agencies.
That's Josh Magri. He's senior vice president and counsel for BITS. They're the technology policy division of the Bank Policy Institute.
We have three self-regulatory organizations. And then at the state level, there tends to be a split between insurance, state supervisory agencies, securities and banking, all of which are appropriately concerned about cybersecurity and regulation pertaining to cybersecurity.
But it has created a very complex environment over the past three to four years.
The cyber regulatory side is relatively new
from the concept of truly around cyber oversight. For more than a decade, almost two decades now,
particularly in the banking sector of financial services, there has been a long-time focus on, we'll say, IT, IT risk management, information security,
and some aspects actually go into third-party oversight. But it's only been as of late that
there's really been a focus on cyber attacks and what that means from a regulatory standpoint.
The banking regulators try to address this through an
organization called the Federal Financial Institutions and Examination Council.
The shorthand for that is the FFIEC. That is a statutory body that brings together all of the
regulators that are in the banking segment. So the credit unions, the federal banking regulators,
and they come together to address a myriad of issues, which also include cybersecurity, and how to kind of coordinate the examination policy, the training of examiners on a range of sector was quite involved in the National Institute
of Standard and Technology's development of the cybersecurity framework.
And the cybersecurity framework, what it amounted to and what it was developed out as, was not
only a means to talk about cybersecurity and cyber risk management, but also an organizational structure
to do just that. And the financial services sector was very involved in its creation,
and it came out in 2014. Many of the financial services sector firms started to move toward
organizing around the cybersecurity framework. Right around that time, we started to see some
regulatory issuances from the supervisory agencies, the financial services supervisory
agencies. And we started to see that the way that the issuances were written, they were written in
such a way as to be different in terms of the taxonomy between the NIST cybersecurity framework and what was in the documents themselves.
So we put it to a survey and we used the FS-ISAC as our distribution mechanism, and the results that we got back in 2016 were somewhat astounding.
Chief Information Security Officers were saying that about 40% of their time and their team's
time was spent doing cybersecurity regulatory compliance and not security-related activities.
So with this survey result, we realized that as a sector that we needed to do something about it
because the number of job openings for cyber was only increasing.
The way that we decided that we needed to tackle this was at the organizational structure and the taxonomy level. So for the better part of two years, we've been developing what we've called
the cybersecurity profile for the financial services sector. It is true that financial
services is often pointed to as the most mature or as mature as, say, the defense industrial base
relative to what we would say are the critical infrastructures supporting,
you know, the global economy and the systems that we'd all rely upon every day.
It is true part of it's because it's where the money is.
It's also true because they're so heavily dependent for their business on IT.
At the end of the day, financial institutions, they don't really have a lot of assets outside
of the money they actually manage, which is all digital
now. The delivery channels, which is largely becoming, you know, incredibly digital, you know,
many of them are even building branchless banks now where you have a financial institution that
literally has no physical presence in terms of a branch. And, you know, they just depend on IT systems. And so maintaining trust, all they have is the
ability to maintain trust and to manage your digital assets in terms of money really well
and smart people. That's what they have. And so in order to maintain that trust,
they are more mature in terms of their thinking about IT and digital services, and of course, how to maintain
not just security, but resilience, right? That ability to have a high availability to your
customers to provide a strong set of services to them. That said, there is this incredibly
complex area and nothing is foolproof. And so while they do have a higher level of maturity,
they are constantly challenged with addressing not just new areas of vulnerability,
but new areas of their business that could present additional vulnerability
that might be very attractive to cyber attackers.
We fully anticipate that there will be additional regulations.
But when there is, we ask that they use the organizational structure and the taxonomy that's integrated within the profile and use that within the regulation itself. be in the legalese up front, but what we've asked for is, you know, essentially after they get
through all the legalese and what the regulation is and what it's about to put an appendix saying
all that stuff up front, what we're really saying is that we're going to ask you these three or four
additional questions during the examination and they fit within the profile here, here, and here.
It's also hard when we look at regulation in isolation, at different ends of the spectrum or different parts of that pyramid,
if you will, around how folks think about GDPR and GDPR compliance. So say for at the bottom of
that pyramid, where unfortunately many people may be, they may think to themselves,
I don't have a branch in the EU, so this doesn't apply to me. And unfortunately, that's not the
case. And then maybe in the middle of that pyramid, you have a fair amount of entities who
understand it does apply, and they're looking at it as a very compliance-driven activity.
How do I make sure that I am checking all of the boxes?
But at the top of the pyramid, I think where you're most strategic is not only thinking about
it, yes, I have to comply. Yes, it applies to me. Yes, I need to think about my overall data
management strategy. But how do I actually think about the fact that the GDPRs of the world,
not just this one regulation,
but that the future regulation is going to continue down this path and that I don't look
at regulation in isolation, that I don't look at one specific regulation and think only
how I comply with that.
But I actually internalize all of this, understand that the future is going to become more complex
around security, privacy,
what I'll call data localization requirements that actually require you to think about your
business model maybe a little bit more strategically than you have in terms of its
use of data in perpetuity. I think we are at a time of increasing complexity from the standpoint of not only securing digital assets and for
financial institutions to provide their services in a secure and sound way, but I think from a
regulatory compliance standpoint, it's particularly complex. I like to call it demonstrable risk
management. How do you not only comply with what's being asked,
but you actually have to do it in a demonstrable way. It's not enough just to say on paper that I
have this set of controls and I have this type of governance around the process to ensure that we're
understanding where the risk is, that we're consistently changing our risk management
processes based on that risk, using threat intelligence, it's increasing complex to show how you're doing it. That that control is working up to
X percentage level of the time, and I have confidence in it actually behaving the way
we intended it to behave. And that is really hard. And it's also hard when we think about the fact
that these are highly competitive environments.
Customer experience is incredibly important to what financial institutions do.
The pace with which they're operating at is very fast.
We are moving in the financial services world.
We've always talked about what we call real-time gross settlement.
This is how do we make sure that our wholesale payments and transactions happen and they settle in real
time. So once that payment is out there, it is immediately received and that's it. That's the
end of the payment. That has been what we call a batch processing largely until now. And in places
like Australia, Canada, and other parts of the world, we are moving to
real-time payments. And that is very hard to get back if you've issued that payment to the wrong
place or if a cyber criminal has exploited that system. And so the risk is actually increasing
as we try to move to these real-time systems. And that's a big challenge.
In terms of the regulatory community, this is something where we have been able to collaborate.
We do feel that there's certainly room for improvement in terms of the process for
collaboration. We think that the NIST process of open multi-stakeholder engagement is a good
one that could be modeled not only within our sector, but across others. But that said, you
know, the regulators, when we have gone to them, have provided feedback and direction, and that
has been immensely helpful into the development of the overall profile. for the past, but we're actually creating a regulatory environment that, yes, holds us to
task and make sure that we're doing the right things and operating in a safe and sound manner,
but that don't stifle what needs to be done because we're stuck in practices of the old.
And so from that standpoint, I do think there's a robust dialogue that needs to happen.
How do you get a handle of what those things are so that you're writing regulation in a way that allows for that room to outpace the bad guy?
The thing that has always kept me up at night is a destructive attack in certain key sets of data
where data could be changed in the financial services industry is really the potential for
the highest level of risk. And when you think about that from a potential insider threat perspective,
or even a third party that could be incredibly important,
that maybe isn't truly a chartered financial institution,
but supports the backbone of the financial system,
that to me is where a lot of the regulation and time and effort
and focus should be. But I do think we spend a lot of time focusing on maybe some of the things
that while important and difficult for institutions to deal with, probably don't represent the
potential for systemic risk across the entire financial sector.
And so I think the one thing I would want to stress is, as we think about
where oversight and focus needs to go, I would argue that better collaboration, better focus,
stronger sets of eyes on those things that are truly supporting potential systemic risk.
So I think certainly what I've seen from the financial sector over the past five,
six years is their maturity to information security, cyber risks, etc.
That's Jason Hart. He's CTO for Enterprise and Cybersecurity at our show's sponsor, Gemalto.
However, I still think there is a view that because they are following a particular standard or a particular regulation that they are secure, when actually this isn't always the case.
Now, they are heavily regulated, so they have to operate within those guardrails.
Without a doubt, but one of my bugbears is I see many financial organizations around the world of all different sizes and demographics.
A lot of them still don't use multifactorial authentication.
And I'm just like, really?
They have a form of step-up or step-up authentication.
But from a bad guy's point of view, the ability to conduct social engineering attacks is still very simple and very easy.
So I still think there's certain parts of the financial industry which are low-hanging fruit to the bad guys.
And why do you suppose that is? I mean, obviously, you know, it seemed to me that no organization has a bigger bullseye on their back than the financial sector, because that's where the money is.
Great question. So often I get into conversations with these types of organizations,
and, you know, say so multi-factor authentication, two-factor authentication, or step-up authentication,
surely this is required. And their answer most of the time is, well, the users don't like it, it's the user experience. But my argument is, well,
the user to one side, sure you have an obligation of protecting that, you know, that organization's
data, their account or the financial information. So surely you as an organization should make it
simpler, easier to remove that barrier and provide a seamless user experience. The technology is out
there. For me, the ultimate security control is the one where an individual doesn't actually know
that they're going for a particular security control or going through a particular motion
which is providing a higher level of security.
And do you suppose, I mean, this is a result of this rapid evolution that we've seen,
how more and more of the financial operations that we do day to day,
both from a business and personal point of view, they've shifted online?
I think we're seeing a huge amount of disruptive technology
coming into the financial sector. You know, it's a sector which, you know, is open for disruption.
Ultimately, the new organizations coming into the market, and I think about the concept of what I
talk about a lot is the user need. As a customer, as a user need, what is it actually I want?
What is it I'm trying to achieve?
You know, open banking is a great example where, you know, suddenly now I can sign up to a service, I can see all four or five of my bank accounts in one visual pane. I've got real time cash flow.
I get a report every month that I've spent $200 on coffee, which was a shock. So, you know, that's the user need.
So now that that's driving the consumption, but at the same time, it's creating more data,
which can be used, you know, to further enhance those services. So for me, disruption in the
financial industry is, it's fantastic as a user, because I get a better user experience.
But at the same time, more data is being created,
multiple bank accounts are being brought together, which suddenly then increase the potential risk.
And so how do organizations need to respect that gathering of data?
Again, as we've said on previous podcasts, there are some very well-known security controls, encryption, key management, which categorically minimize risk.
By default, these organizations, from a financial point of view, should be applying the appropriate
cryptographic controls and key management to the critical sets of data.
If I'm in the technical department of one of these organizations, and I need to make that case to my board of directors.
I'm going to them hat in hand asking for the money to make this happen.
How do I make that case?
From the conversations I've had, a lot of organizations believe they're actually applying the appropriate security control.
But then when I dig deeper to say, okay, that particular database, brilliant, you've encrypted it. Is it by column? Is it by row? Whatever. So where is the key stored to unlock that encryption?
Oh, it's actually stored within the application. So what we have is a knowledge gap, to say, you
know, people think they are actually applying the appropriate security controls. They're doing 50%, but actually the other 50%, there's a lack of knowledge
on actually securing that key, as an example.
Can you walk us through the process when you do engage with an organization? Can you take
us through, I mean, what are the steps from gathering information? Where does it begin?
And what's the process like for you?
Yeah, so for me, the process I'm going to outline now is for any particular industry.
For me, it's the concept of situational awareness. So I tend to think like a, I try and think like
a bad guy as much as I can. So the first of all is, I start with, I create a bucket of data.
Okay, what types of data do you as an organization have?
Then I create a bucket of people who have access to that data:
contractors, third parties, supply chain, employees, board members, etc.
Then I create a bucket of locations to say, okay,
do you have systems internally, in the cloud, third parties,
GitHub repositories, etc.
So now I have three buckets. So now I start drawing process flows between these three buckets. And I essentially follow the data. So then, you know,
we'll see that there's a database with data in, there's a backup database, there's a repository
in the cloud, there's a bit of AWS. So very quickly, I have a visualization. And from a bad guy's point of view, they call that footprinting, enumeration.
I have a footprint of that organization.
Then what I do, we identify the critical sets of data.
And at each phase, to say, right, what are the potential attack vectors?
So within the database, could that database be cloned?
Could it be copied?
Could it be a rogue administrator?
Could the traffic be sniffed? Point to point encryption,
you know, okay, into a dev environment. So we basically start identifying the key sets of risks.
And then once we've identified those, we can start applying the appropriate security controls.
But we can only do that if we have a full visualization of people, data, process, and location.
Do you find that organizations are often too close to their own structure to be able to take that high level view of it?
Totally, 100%. You know, they assume that because they've encrypted the database that actually,
in the event of a breach, they're fine. But what they don't realize is that critical element of when they've encrypted the database,
the key to unlock it is actually on the network or it's actually within the application.
And they're shocked to say when they've seen that they've been compromised
and that actually the key to unlock the data has been kind of taken with it as well.
Forgive me the level of this question, but it's a fundamental one, I think, when we're talking about the financial sector.
In the modern economy, is there a difference between what you and I would refer to as money and data?
Are they the same thing these days?
For me, data is the new oil, okay?
Depending on the type of data, it can actually be more
valuable than actual money itself. So again, let's think in the world of a bad guy. If I can
compromise an organization and capture a lot of personal information on that individual, I can
take that data and create other downstream attacks. So ultimately, it's a multiplier effect.
So data is money. I can sell, I can use that data,
or I can use it to conduct other attacks. In addition, if I've got multiple data sets from
multiple breaches, now I get a very good visualization of an individual and a profile
of that individual. Suddenly, you have a data set on individuals, which then can allow some
very sophisticated attacks, account takeover,
you know, compromising someone's, you know, doing social engineering attacks against them,
you know, conducting further financial fraud against them.
Now, we've spoken about some of the technological approaches here using things like encryption,
but what about the social engineering side? We hear more and more that that is the way that
folks are getting into systems. I mean, is it a matter of training, or should the technology be
protecting our users, our employees, from this from the get-go?
Social engineering is nothing new. You know, I was doing it, you know, 20, 24 years ago. The only difference then, back then it would take
a lot longer to actually conduct the social engineering attack. The stuff, you know, the advance or the increase in technology has allowed a social engineering attack to take place very, very quickly and also at multiple channels.
You know, I could send you a text message now, you know, portraying to be one of your colleagues, actually masquerading to be one of your colleagues.
You know, there's multiple channels now.
So for me, social engineering is more about the people, it's the awareness; technology can mitigate.
So again, you know, the social engineering attack is ultimately about getting, you know,
one of the key or kind of main attacks is capturing the username and password or
getting information from that individual to kind of access. So normally,
it's around the password. If we can start removing some of the static passwords or eradicating static
passwords and replacing it by a one-time password, we're vastly reducing, you know, that particular
social engineering attack. Of course, there are ways of socially engineering multi-factor,
sort of two-factor authentication passwords, but at least we're one step further.
So social engineering, the best mitigation to social engineering attacks is training and awareness.
Are there any specific challenges that the financial sector faces that other groups do not?
I think it's the level of risk. It's more, it's financial, it's real money in most cases.
I think what we, you know, we are starting to see it now where, you know, a bank's customer has mainly inadvertently, you know, exposed his logon credentials to the bank account and suddenly someone's come along and siphoned their money, their life savings. We are starting to see now the banks initially were accepting that risk and
refunding the monies. But we're starting to see cases where now if the bank can actually prove,
the financial institute can actually prove that the individual mistakenly gave their details away,
that is the user's or the customer's problem. So I think there is a large financial risk
exposure there. I still think that there's further steps that the banks can take.
For me, what the banks or financial institutes need to do is apply security controls
transparently. So the customer doesn't isn't aware that those controls are there, it just happens.
So obviously, machine learning, artificial intelligence are all going to bring advances in this.
But ultimately, we need to start by ensuring that the basic security controls are in place and being used.
That's Jason Hart, CTO for Enterprise and Cybersecurity at Gemalto.
Thanks to them for underwriting this edition of CyberWireX. Be sure to visit gemalto.com slash CyberWire to
learn more about their access management and data protection solutions, and also find out about the
breach level index, which tracks the volume and sources of stolen data records. That's gemalto.com
slash CyberWire. And thanks to Valerie Abend from Accenture and Josh Magri from the Bank Policy Institute for their participation.
CyberWireX is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity startups and technologies.
Our coordinating producer is Jennifer Iben.
Our CyberWire editor is John Petrick.
Technical editor is Chris Russell.
Executive editor is Peter Kilpie.
And I'm Dave Bittner.
Thanks for listening.
CyberWire X.