On January 16, 2020, the FDIC and OCC issued the Joint Statement on Heightened Cybersecurity Risk. The Statement came amid increased geopolitical tensions between the U.S. and Iran and was an effort to raise awareness of the potential for a cyber attack and of how financial institutions (FIs) should prepare themselves. The Statement does not provide any new information; rather, it emphasizes standards previously outlined in the Interagency Guidelines Establishing Information Security Standards and in FFIEC resources. The Statement reminds FIs that adhering to previously recommended principles and risk mitigation strategies will help reduce the risk of a successful cyber attack. The Statement highlights areas on which FIs should focus attention: response and resilience capabilities, authentication, and system configuration. Let’s explore each of these sections in a bit more detail.
Response, Resilience, and Recovery Capabilities
If you have ever read my previous articles, you know I like talking about incident response – so do the regulators. The intention of this section in the Statement is to emphasize that sometimes, no matter how well an FI has prepared and implemented all the proper preventative controls, cyber attacks can still happen. Enhancing the resilience of your systems and operations against these types of attacks is key. In particular, it is recommended that FIs “maintain comprehensive, documented, and current, incident and business resilience plans, that address responding to and recovering from a destructive cyber attack.” That translates to having plans that are updated and tested and, when possible, pre-identifying law enforcement and forensic resources.
The Statement also encourages having a comprehensive system and data backup strategy. In particular, the Statement highlights the need for FIs to have the ability to reconstruct data in the event of a destructive attack. Translation: Ensure that your FI not only has the necessary backups, but that they are free from malware, verifiably intact, and kept out of reach of the systems they protect. Many FIs and other organizations have experienced malware attacks and attempted to restore from backups only to find the malware had reached the backups as well, either because the backups were taken after the compromise began or because the attacker could reach the backup storage from the compromised network and encrypt or delete it. Restores should be tested on a regular schedule, not for the first time during an incident.
Another item that is crucial for FIs to consider is whether or not their backup and restoration practices are consistent with industry standards and frameworks, such as Sheltered Harbor. For those readers who may not be aware, Sheltered Harbor is a voluntary industry initiative that provides a source for data vaulting of critical data in the event of a destructive malware attack. Jack Henry is currently developing a data vaulting solution for SilverLake System® core clients that is Sheltered Harbor compliant. Be on the lookout for updates as the solution roadmap progresses in 2020.
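The "reconstruct data" requirement above implies that an FI can tell, before restoring, whether a backup set is still the one it took. The following is an added example of one way to do that (it is not code from the Statement, from Sheltered Harbor, or from Jack Henry): a keyed manifest of file hashes is written when the backup is taken and re-verified before any restore. The example assumes the manifest key is held somewhere the backed-up hosts cannot reach (an HSM, a vault, or offline media), so malware that can rewrite backup files cannot also re-sign the manifest. It detects files altered, removed, or added after the backup was taken; it does not detect malware that was already present in the data when it was backed up, which still requires scanning the backup set itself. The backup contents and the tampering are constructed inline so the script runs offline.

```python
"""Integrity check for a backup set using a keyed (HMAC-SHA256) manifest.

Added illustration, not code from the Statement or from Jack Henry.
Assumption: `key` is stored off the backed-up network (HSM, vault, or
offline media), so an attacker who can rewrite backup files cannot
recompute the manifest MAC.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file under backup_dir and MAC the canonical listing."""
    files = {
        str(p.relative_to(backup_dir)): _sha256(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }
    payload = json.dumps(files, sort_keys=True).encode()
    return {"files": files,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the set is intact."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # If the manifest itself fails the MAC, none of its hashes can be trusted.
        return ["manifest MAC mismatch: manifest tampered or wrong key"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif _sha256(p) != digest:
            problems.append(f"modified: {rel}")
    present = {str(p.relative_to(backup_dir))
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed backup set; returns (clean, after_tamper, wrong_key) results."""
    key = os.urandom(32)  # stands in for a key held off the backed-up network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "accounts.dump").write_bytes(b"account ledger 2020-01")
        (root / "config.ini").write_text("[core]\nmode=prod\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # Simulate destructive malware reaching the backup store:
        # it encrypts a dump and drops a ransom note.
        (root / "db" / "accounts.dump").write_bytes(b"ENCRYPTED")
        (root / "README_DECRYPT.txt").write_text("pay up")
        tampered = verify_manifest(root, manifest, key)
        # A manifest checked with the wrong key (or a re-signed one) is rejected outright.
        wrong_key = verify_manifest(root, manifest, b"\x00" * 32)
    return clean, tampered, wrong_key


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "wrong key"), demo()):
        print(f"{label}: {result or 'OK'}")
```

In practice the manifest would be written to the same vault as the key rather than alongside the backup, and `verify_manifest` would gate the restore job: a non-empty result should stop the restore and trigger the incident response plan, not a retry.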
Identity and Access Management
Given the seemingly unending cyber attacks that are now a daily reality for FIs, effective and appropriate identity and access management are more important than ever. This applies to customers, employees, and vendors who have access to your FI’s systems. The Statement goes on to emphasize the need for effective authentication controls such as multifactor authentication (MFA), risk-based authentication and access controls, role-based access controls and least privilege (if an employee does not need a permission for their job, do not grant it), a minimal number of administrator and privileged user accounts, and finally, regular review of access rights.
Network Configuration and System Hardening
For this section, the Statement highlights the need for network and software system settings that are regularly reviewed and appropriately configured. Of special importance are the review of default system settings and user profiles, the configuration of security settings, and the implementation of security monitoring tools. Too often, FIs deploy new technologies without changing the default settings and default accounts, and attackers know those defaults as well as the vendor does. And of course, updates and patch management continue to be a critical requirement for maintaining secure systems.
The Statement goes on to outline configuration controls and cyber hygiene principles. These points of emphasis include securely configuring network components so that only approved ports, protocols, and services are allowed and unnecessary ones are disabled. As part of this effort, FIs should document and approve security configuration standards for operating systems and system components, and then check running systems against those standards rather than assuming they still match. Consider the following as well: limiting removable media access to the network, performing vulnerability scans, implementing and updating anti-malware software, and logically segmenting critical network components and services.
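A documented configuration standard only helps if something compares hosts against it. As an added example (not code from the Statement or from Jack Henry), the script below audits a Linux host's listening sockets against an approved baseline of port, protocol, and owning process, and reports anything unapproved, anything served by an unexpected process, and any approved service that is not running. The baseline and the sample `ss -tulpn` output are constructed for the example; the parser reads the real command's output when it is piped in.

```python
"""Audit listening sockets against an approved port/protocol/service baseline.

Added illustration, not code from the Statement or from Jack Henry.
The BASELINE below and SAMPLE_SS are constructed for the example.
Real use:  ss -tulpn | python3 audit_listeners.py
"""
import re
import sys

# Approved listeners for this host class: (protocol, port) -> process name.
# Constructed baseline; a real one is the FI's documented, approved standard.
BASELINE = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
    ("udp", 123): "chronyd",
}

# Constructed sample of `ss -tulpn` output (header plus six listeners).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=912,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1420,fd=6))
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=1501,fd=4))
tcp   LISTEN 0      5          127.0.0.1:8000      0.0.0.0:*    users:(("python3",pid=1622,fd=3))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=701,fd=7))
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("chronyd",pid=655,fd=5))
"""

# First process name inside users:(("name",pid=...,fd=...))
_PROC = re.compile(r'\(\("([^"]+)"')


def parse_ss(text: str) -> list:
    """Return (proto, port, process) for each listener line of ss output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        local = fields[4]
        # rsplit on the last ':' so IPv6 forms like [::]:22 and *:22 parse too
        port = int(local.rsplit(":", 1)[1])
        m = _PROC.search(line)
        listeners.append((fields[0], port, m.group(1) if m else "?"))
    return listeners


def audit(listeners: list, baseline: dict) -> list:
    """Return findings: unapproved listeners, wrong owning process, missing services."""
    findings = []
    seen = set()
    for proto, port, proc in listeners:
        seen.add((proto, port))
        expected = baseline.get((proto, port))
        if expected is None:
            findings.append(f"UNAPPROVED {proto}/{port} served by {proc}")
        elif proc != expected:
            # Approved port, but not the approved service behind it.
            findings.append(f"WRONG PROCESS {proto}/{port}: {proc} (expected {expected})")
    for (proto, port), proc in sorted(baseline.items()):
        if (proto, port) not in seen:
            findings.append(f"MISSING {proto}/{port} ({proc} not listening)")
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for line in audit(parse_ss(text), BASELINE) or ["OK: host matches baseline"]:
        print(line)
```

On the constructed sample this flags telnet on tcp/23, an ad hoc Python listener on tcp/8000, and SNMP on udp/161, all three being exactly the kind of default or forgotten service the Statement wants disabled. The "wrong process" case matters as much as the unapproved-port case: an approved port answered by an unexpected binary is a stronger indicator of compromise than an extra open port.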
In addition to these three main sections, the Statement includes a few bonus sections. These can and should be considered when your FI is evaluating the risks associated with destructive malware and operational resilience. The first is employee training: ensuring that FI employees are trained on social engineering risks and know how to recognize cyber threats. The next is security tools and monitoring, underscoring the need for participation in information sharing groups (think FS-ISAC and US-CERT). In addition, the FI should have qualified staff who can monitor for potentially applicable threats and vulnerabilities identified by these sources. It is not enough to just receive the alerts; someone at the FI should have the expertise to sort through the notifications, interpret them, and take action. The Statement also stresses the importance of audit logs and reviewing them for anomalous activity, as well as a scoped penetration testing program. Finally, the Statement concludes with a section on the necessity of data classification in order to identify and protect confidential data. Data classification is a key part of understanding how best to protect your FI’s assets.
While this information was released by the FDIC and OCC, it serves as an excellent reminder for any institution, regardless of its regulator. And again, the Statement does not introduce new information or requirements for FIs; these are all measures that FIs should already have in place. Now is a fantastic time to treat the Statement as an opportunity to review your FI’s current procedures and determine where you can make improvements.