By Israel Levy, CEO of BUFFERZONE
It seems that not a week goes by without news of a major attack on a bank or financial services organization. The latest attack targeted the Russian Central Bank, and before that cyber-criminals made off with sensitive data on some three million debit cards held by customers of five Indian banks. Before that, Danish banks warned that 100,000 credit cards were at risk from cyber theft.
Cyber risks associated with banking are high – financial services is third on the list of industries most vulnerable to cyber attacks, according to IBM – and the risks grow by the day. With losses due to cybercrime anticipated to reach an astounding $2 trillion by 2019, much more work is obviously needed to mitigate attacks.
Banks are in a situation unlike that of most businesses: they are licensed by the government to administer their customers' money, and as such they are, and should be, more closely regulated than other industries. In an effort to put some legislative bite behind protecting the communities that depend on banks to keep their money safe, a number of government regulations have recently been proposed or are about to be.
Among the first US states to act has been New York, which recently proposed regulations that would require banks to invest millions in cybersecurity systems. Banks would be required to invest in security systems, hire a chief information security officer (CISO) and implement measures to inform authorities of a data breach within 72 hours of its occurrence. But hiring a CISO is not enough; regulations in New York, as well as proposed federal rules, require active participation of the institution’s board of directors to ensure cyber safety. Instead of dumping cybersecurity in the hands of the IT department – or worse, making the customers bear the brunt of security lapses – banks will now be required to deal with security issues at the highest echelons of management.
Following the New York rules, proposed federal regulations will require banks to develop an official cyber risk management strategy, implement a cyber risk assessment test and, most importantly, add an individual with knowledge of cybersecurity issues to their boards of directors. Banks will also need to appoint official top-level security officers and develop a specific plan for dealing with various types of cyber emergencies. The UK is also considering a similar law, and even China has passed a cybersecurity measure, although many in the industry see it as a tactic to more closely control the internet.
The new rules could bring about a sea change in the way banks handle cybersecurity. It appears that the government will leave the choice of defenses to the institutions themselves, probably a wise move. But with the regulations shifting responsibility for those choices to higher-level management, the question is: how will institutions deal with their new responsibilities?
For many in the cyber protection business, "more is better." From basic anti-virus to big data analytics to advanced threat detection based on artificial intelligence, banks equip themselves with a whole gamut of protective systems. According to the proposed federal regulations, "covered entities would be required to be capable of operating critical business functions in the face of cyber attacks," meaning that institutions would be expected to invest in the most effective defense systems available while also ensuring effective disaster recovery.
That, of course, could get quite expensive quickly, and although a cyber team’s first priority has to be complying with regulations, ROI definitely plays a key role. Now, though, boards of directors will be face-to-face with the ROI vs. “more is better” issue. If it were up to the IT department, the cybersecurity budget would probably be limitless – or at least significantly higher than the board is willing to spend. But under the new regulations, the board – presumably far more cognizant of ROI issues than the IT people – is the responsible entity. To achieve a reasonable balance between expenses and effective protection, managers and directors will certainly need to educate themselves on what solutions are available, how they work and how effective they are.
In fact, one of the specifics listed in the federal guidelines involves requiring directors and managers to educate themselves on cybersecurity. The point is not to create a class of “geeky wonks” – directors who need to immerse themselves in the details of the various cyber protection technologies in order to pass a test that regulators will give – but rather to prevent disruptions to the financial system.
Obviously, they also need to be concerned about ROI. As the old saying goes, "an ounce of prevention is worth a pound of cure." So before investing in complex detection and analytics systems and the expensive teams required to operate them, banks should make sure that they are blocking as much as possible up front. The more directors understand the composition of their cybersecurity budget, what they are getting for it, and what the costs (economic and regulatory) of failing to protect themselves are, the more motivated they will be to choose the most effective systems, ensuring that they and their customers are protected.