NYDFS Cybersecurity Regulation (NYCRR)

Risk Facing Financial Services

Risk Facing Financial Services

Financial services institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:

 

Social engineering and funds transfer fraud

Financial Services .jpg

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried about by criminals leveraging fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have greater control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.

 Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs when meeting these new requirements, along with higher potential penalties if an institution fails to comply. In many instances, resultant fines and penalties following regulatory failures are uninsured or uninsurable. Financial institutions should seek cover where regulatory enquiry costs and expenses are covered.

 Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs of the consumer and the consumer’s expectations. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the miss-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.

 Reputational damage

Predatory banking is only one type of behavior that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failure in anti-money laundering controls by Wells Fargo or HSBC, who were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media can mean that reputational damage spreads far faster than ever before.

 Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cut backs and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete negotiation – could have effect elsewhere, including the US, where European headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant institutions.

 Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining steam and traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic, but they will also need to provide more services to their clients to ensure they are competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.

 

Corporate Information Security Steering Committee

Organizations are becoming increasingly aware that if they fail to implement successful security management processes, it could expose them to untenable risk.

The role of the corporate information security steering committee has become an important tool in the quest for a coordinated corporate security strategy, for reducing duplication in security spending, for taking control of complex infrastructures and ultimately, for reducing security risk. 

One of the first steps for many organizations has been to set up a common security team and to embark on enterprise-wide information security programs. However, many of these teams have struggled to align corporate business objectives with strategic security investment.

META Group's research indicates that the majority of new security teams struggle to define and establish their corporate missions, scope, influence and power bases. Furthermore, these security teams have poorly defined executive charters and operate without effective communications plans. The unfortunate result of such poor grounding is the temptation for newly established teams to immerse themselves in technology quests, searching for elusive enterprise-wide technical solutions.

In contrast, the most effective security organizations are those with clear responsibilities and well-defined processes, based upon five primary organizational roles:

  • Leadership - this is the role of the chief information security officer who deals with both the day to day management of the security team as well as continuous communication of the importance and value of security measures
  • Analysis/design - these security analysts help information owners develop meaningful security policy as well as effective security solutions
  • Security administration - these people look after the day to day administration of access rights, passwords, etc
  • Security operations - resources that continuously monitor the security status of the organization, and manage incident response procedures.
  • Awareness communication - resources that design and manage ongoing security awareness and training programs. 
    Executive custody and governance -represented by an information security committee

The role of the corporate security steering committee is to coordinate corporate security initiatives at the executive level and thus enable an organization to optimize spending, manage their infrastructure and minimize security risk. Obtaining consensus and support for corporate-wide security initiatives is especially difficult in highly decentralized and multinational organizations with a high level of devolved authority and autonomy. In this type of organization, an executive governance body becomes essential.

Corporate information security steering committees (CISSC) must have a clear charter with a range of functions that should include:

  • Managing the development and executive acceptance of an enterprise security charter.
  • Assessing and accepting corporate-wide security policy (e.g., the corporate policy on security incident response, general behavioral policy). A major objective of this function is ensuring that business requirements are reflected in the security policy, thus ensuring that the policy enables rather than restricts business operations.
  • Assessing any requests for policy exceptions from individual business units.
  • Assessing, accepting, and sponsoring corporate-wide security investment (e.g., identity infrastructure deployment, remote access infrastructure), as well as requests to be excluded from common investment.
  • Providing a forum for discussion and arbitration of any disputes or disagreements regarding common policy or investment issues.
  • Acting as custodian and governance body of the enterprise security program by ensuring visible executive support, as well as monitoring progress and achievements. The role of a permanent governance structure reinforces the message that enterprise security becomes an ongoing, long-term initiative.
  • Assessing and approving the outsourcing of common security services, as well as coordinating investment in appropriate relationship management resources. As the lack of skilled resources increases the need to outsource operational services, executive due diligence, risk assessment, and ongoing effectiveness assessment must be coordinated through the steering committee.
  • Initiating ad hoc projects to investigate the advantages, disadvantages, risks, and cost of common security initiatives, and advising the committee with appropriate recommendations.
  • Representing the executive (board of directors) or its nominated information governance body (e.g., an information executive board) in all corporate security matters. Reporting back to these forums on the activities and effectiveness of corporate security programs and investments.
  • Acting as custodian of corporate-wide strategic security processes (e.g., role analysis, data classification) by validating process ownership, responsibilities, and stakeholders.
  • Acting as respondent to enterprise-level audit exceptions (i.e., those audit exceptions where a specific individual cannot be found to be responsible).
  • Coordinating and validating any external, security-related corporate communications plans and activities (e.g., in the event of a high-profile, publicized security breach).
  • Tracking major line-of-business IT initiatives to identify opportunities for synergy or to leverage security investment.
  • Governing trust relationships with major e-business partners.

It is very important that steering committee members can make decisions at meetings. This requires the active participation of senior executive business managers or it must be a permanent subcommittee of an executive information board. To prevent the committee becoming an ineffective 'debating society' or forum for driving political agendas, the scope, powers and objectives of the committee should be clearly documented and measured.

Typical members of an information security steering committee include: line of business managers, application owners, regional managers, IT managers, the IT director, the chief security officer, the corporate risk manager and the chief internal auditor. A clear distinction must be made between the role of the CISSC (i.e., executive custody and governance) and the leadership role (i.e., day-to-day management of the security team) of the chief information security officer.

By developing the emerging role of the chief security officer (CSO) and the security team, enterprises can foster a holistic approach to information security - one that recognizes that policy, process, and communication are as important as technology.

Cyber Security Developments

Cyber Security Is The Backbone Any Online Businesses – Here Are Some Quick Tips To Keep Yourself Informed About The Latest Threats Surrounding Your Business.

                                    Cyber Security Developments

                                    Cyber Security Developments

Within a standard nine to five working day, it’s said that there are almost two million data records lost or stolen. Cybercrime has become something of an epidemic in recent years – and it’s no exaggeration to say that everyone is at risk.

Hackers operate in an increasingly complex way and are happy to target small businesses and individuals, who are most likely to be vulnerable to attack. The nature of the threat changes as technology advances and so the only way to stay safe is to stay up to date.

But that’s easier said than done, right? How do you keep up to date with the latest cybersecurity developments?

Follow The News

When it comes to cyber security, ignorance is not bliss – it’s a recipe for disaster. It’s imperative that you identify and follow a news feed that you can trust. By doing so, you can keep on top of any fresh threats that have emerged, learn lessons from other cyber attacks and pick up the latest tips and advice from influencers and experts in this field.

News from this sector really shouldn’t be seen as the preserve of IT specialists – the scale and nature of the threat suggest that this should be of interest to everyone. There’s a burgeoning band of podcasts available on the subject for people who prefer to digest content in this way too.

Bring Up The ‘Security Question’

If you think that installing an anti-virus program is enough, then you’re mistaken. Don’t just presume that you’re safe because you have this because this is merely the first line of defense to root out attacks. By adopting a safety first mindset you can ensure that the way you handle your data is less risky.

Whether it’s securing your Wi-Fi network at home, managing and updating your passwords on a regular basis or the way you collect, collate and analyze data throughthe point of sale software at work, continually ask yourself ‘is this safe?’ Just as ignorance isn’t bliss, complacency could prove your undoing. Place ‘security’ high on the list of credentials to consider when buying new software or hardware, don’t just go for the cheapest option.

Training

Even the experts are constantly having to refresh their understanding of the threat posed by cyber attacks. It pays to search out training opportunities, especially if you’re a business. You are, after all, only as safe as the people operating your software and systems and you don’t want to put the security of your business in the hands of someone who is unsure about what they are doing. Individuals and businesses alike can find free learning materials on Cybrary to help plug any knowledge gaps they have.

It’s Good To Talk

Cyber attacks are incredibly common – but people don’t often enough talk about their experiences. Perhaps you’re afraid or embarrassed to have been caught out? There’s no need to be. In fact, talking with friends and colleagues could really help you to stay safe. Pass on tips about new apps, good software, neat tips and tricks and any new cyber attack tactics you have come across and you can help to do your own bit to combat the criminals.

By keeping up to speed with security news, refreshing your training, sharing tips and tricks and adopting a safety first attitude you’ll give yourself the best possible chance of staying on top of cyber security developments and, best of all, safe.

Malware on Android devices made $115k revenue in 10 days

Check Point Mobile Security Team discovered a massive, on-going malware campaign that so far has claimed 5 million victims. Reportedly, the malware dubbed as RottenSys has managed to create a massive army of botnets comprising of 5 million mobile devices from across the globe.

The malware is hidden in a System Wi-Fi service application that is already installed-by-default on countless models of smartphones manufactured by prominent companies including Honor, Huawei, GIONEE, Samsung, Oppo, Vivo, and Xiaomi.

According to the blog post, Researchers believe that these firms cannot be held directly responsible for the malware and the devices must have been infected during supply chain phase. Probably the distribution firm or a rogue employee is to be blamed for the installation of malware.

                              Pre-installed malware on Android devices

                              Pre-installed malware on Android devices

 


 
It is worth noting that the affected devices were shipped through the same Hangzhou, China-based mobile devices distributor Tian Pai. However, the researchers are not yet sure if this particular firm has any direct involvement in the installation of RottenSys malware.

Check Point researchers claim that RottenSys is a highly sophisticated and advanced program that acquires almost all sensitive permissions on an Android mobile phone to perform its malicious acts. Such as it asks for silent download permission (DOWNLOAD_WITHOUT_NOTIFICATION permission), accessibility service permission and user calendar read access privilege. The campaign started in September 2016 and until March 12, 2018, it has infected 4,964,460 devices.

The fake Wi-Fi service app manages to evade detection by employing a submissive approach in the beginning and doesn’t instantly start its malicious tasks. Later, the malware dropper component communicates with its C&C server to receive a list of components it needs. The required component is actually the malicious code. The malware is capable of assembling an army of botnets and within only ten days attackers have made profits of approx. $115,000.

Pre-installed RottenSys malware Infected 5 million botnets and made $115,000 revenue in just ten days

“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times, and 548,822 of which were translated into ad clicks,” read the blog post from Check Point.

Originally the malware was used to display fraudulent ads on mobile devices’ home screen. Check Point researchers claim that since the onset of 2018, malicious threat actors have been trying to improve the malware code by adding a new module and created brand new malware campaign using the same C&C server. This campaign has remained active from February 2018.

“The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism. The payload which will be distributed can turn the victim device into a slave in a larger botnet,” read the blog post from Check Point.

NYDFS Cybersecurity Retain a CISO, CSO -Regulation Compliance

NYDFS Logo.jpg

With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training, and controls in place in order to protect data and information systems, said Superintendent  in a press release issued by DFS, CyberSecOP helping financial organisation comply with the NYDFS manadates.  

With the New York Department of Financial Services’ (NY DFS) new terms poised to come into effect next month, banks and financial services companies operating in the state must start preparing for the change.

One of the most discussed issues in the controversial proposal is the requirement to appoint a CISO (chief information security officer). The move was met by heavy criticism at a hearing in December last year, leading to a massive backtrack from the DFS in a revised proposal.

Requirements of the CISO

The latest proposal removes any explicit requirement to hire a CISO, which is good news for many smaller or rural financial institutions that don’t currently have one in place. What this means, practically, is that the position is no longer necessarily exclusive. Banks can choose to designate someone to complete the tasks of a CISO while also performing other duties. Alongside this, the proposal does not state that the specific title of ‘CISO’ is required.

So what will the CISO (or CISO by any other name) be asked to do? The role now covers a broader set of responsibilities but in a less detailed manner. The designated person will have to provide an annual report to the board of directors (previously proposed as a biannual report) on the “cybersecurity program and material cybersecurity risks”, according to the proposal. It is now specified that the report must be “in writing” but it no longer needs to be provided to the NY DFS upon request.

The required content of the report will now also be less extensive. The CISO must identify and report only on material cyber risks rather than all cyber risks. This will involve “consider[ing]” those issues “to the extent applicable.” Additionally, the CISO will be able to tailor their focus to the issues appropriate to their organization.

Finding the right candidate

The NY DFS’ revision allowing the CISO to be an employee of the covered entity (i.e. an internal hire), or an affiliate or third-party service provider offers crucial flexibility for smaller financial institutions.

Companies with only a handful of employees – the most vocal in their frustration at the DFS’ initial plans – may look to shuffle their existing staff.

When doing that – or in making a new hire – there are certain things organizations need to look for. The CISO role is not just a tech-specific position, notes John Linkous, RSA Conference’s technology advisor, but they must now be “a trusted advisor to the business as a whole”. He adds:

“One of the most critical capabilities is simply the ability to understand the business much more intimately than his or her predecessors. Business drives the need for technology, and so security must be focused on how data is used within those business functions, across the end-to-end spectrum. Without a solid understanding of what the organization does, and how it makes money, an information security officer is going to have a fundamental disconnect with what’s needed to protect the enterprise.”

Third-party service providers or affiliates

Given the responsibility placed on the CISO, outsourcing the role to a third party can be an appealing proposition.

Going down this route presents its own set of issues, though. As TechTarget reported, third parties are “almost always” involved when it comes cyber breaches – arguing that it is either through a lack of accountability or oversight. While service-level agreements (SLAs) are always advised, the DFS has taken steps to ensure the right measures are in place. In response to the fear that financial services firms would not always have sufficient power to force third parties to accept their preferred provisions, the NY DFS now dictates that all third-party services must be performed under contractual provisions rather than by way of “relevant guidelines for due diligence.”

Source: www.itgovernanceusa.com