Cybersecurity in Financial Services
POINT OF VIEW

CYBERSECURITY IN FINANCIAL SERVICES

Financial services institutions worldwide are challenged to keep pace with rapidly changing and covert cybersecurity threats while still relying on traditional response strategies such as compliance-driven controls and siloed solutions. As a result, the cyber attacks against them have become more frequent and more widespread. The likelihood and potential impact of such attacks has made cybercrime a business risk on most executive boards' agendas, with a clear mandate to manage it at all levels of the organisation. This paper discusses the top challenges faced by financial services institutions and presents CSC's point of view on how to prepare for and defend against an increasingly sophisticated, well-funded and persistent threat environment.

The financial services industry forms the backbone of today's globalised monetary and economic environment and is therefore highly regulated. The prospect of direct access to money, with industry capitalisation expected to exceed $143 trillion worldwide in 2014 [1], has made the financial services industry a prime target for cybercrime such as financial fraud, identity theft, unauthorised access to or loss of data, and denial-of-service attacks. Hackers and organised criminal groups, some potentially state funded, constantly develop and improve techniques to circumvent information security controls and safeguards in order to commit fraud, financial theft and other cybercrimes, and they have the capability to execute persistent and targeted attacks.

Today's organisations enable multi-country operations through centralised shared services and regional hubs and depend on partner ecosystems to provide cost-effective, efficient and customer-focused business services. As a consequence, modern banking systems have evolved across legislative borders with increased interconnection and complexity.
This evolution has led to complex regulatory requirements, greater exposure to internal and external cybersecurity threats, and intensified concerns around data security and privacy across virtual borders. This paper highlights the cybersecurity challenges that the changing nature of both threats and the business poses for the financial services industry and provides a view on mitigation strategies to strengthen the security posture.

CHALLENGE 1 – REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

The financial services industry is highly regulated, with a variety of sometimes contradictory regulatory requirements at country and state level. Consequently, organisations must reconcile multiple views of their compliance obligations, with large overlaps and inconsistencies between mandates. The result is excessive controls and silo-based solutions that increase cost and complexity. Significant security breaches at Target, KB Kookmin Card, the Montana Department of Public Health and JPMorgan Chase, among others, illustrate that being compliant is no guarantee that all risks are adequately managed and mitigated.

Our point of view is that information security should be risk based, with compliance as a significant driver but not the sole focus. It is essential to identify and monitor compliance obligations; it is equally important, however, to prepare the organisation to respond to previously unknown threats in a timely manner. This is achieved by building sufficient flexibility into the organisation's risk and control framework to ensure continuous monitoring and identification of new and emerging threats via a comprehensive information security risk management framework.

[1] Market Line Report, Report Linker, http://www.reportlinker.com/ci02418/Banking.html
Furthermore, financial services organisations should develop an overarching global compliance framework by identifying all applicable requirements and then eliminating overlapping obligations. The remaining requirements should be mapped to the operating environment and to country-specific regulations. To further reduce the cost of compliance, testing and reporting on the effectiveness of controls should be centralised where feasible to ensure consistency. Because each control is mapped to the country-specific regulations it satisfies, the organisation can then report a single compliance status to multiple regulatory bodies.

CHALLENGE 2 – DATA SECURITY, PRIVACY PROTECTION AND CROSS-BORDER DATA TRANSFER

Many organisations do not identify and clearly classify data by sensitivity and criticality and therefore lack an understanding of which information matters most. Financial services institutions have traditionally focused on deploying multiple point solutions (e.g. data leak prevention, access logging, rights management and encryption tools) to manage intentional or unintentional data loss; what they lack is an organisation-wide, integrated approach that protects data on the basis of risk-based decisions. A further challenge is the difficulty of aligning the organisation's operating model and supporting environment with regulatory requirements, for example managing privacy protection in the context of the cross-border data transfers that result from shared services and centralised processing facilities. Concerns over the privacy of sensitive information have led countries across the globe to adopt specific national and regional jurisdictional mandates, with an increasing number of countries introducing mandatory disclosure of data breaches.
Our point of view is that financial services institutions should take a holistic view of data security requirements, managed through a comprehensive data governance framework that includes roles and responsibilities, geographic compliance requirements, asset inventory and reporting, data classification and handling, and technical solutions such as data leak prevention. One key element of a solid data governance framework is identifying the flows of data inside and outside the organisation and mapping them to the organisational control environment. A risk assessment should then be conducted to identify control gaps, and an implementation roadmap developed to mitigate the risks that fall outside the organisation's risk appetite.

These initiatives should be complemented by a global security incident response plan with local notification and reporting. Mandatory disclosure of a data breach requires a comprehensive analysis of incidents to determine whether a breach has actually occurred. Organisations therefore require either sophisticated internal forensics capabilities or readily available external ones provided by a trusted partner.

CHALLENGE 3 – MANAGING INFORMATION SECURITY REQUIREMENTS BEYOND THE ENTERPRISE'S BOUNDARIES

Partnerships, outsourcing and offshoring have become the reality and accepted business practice in the financial services industry, enabling cost-effective, efficient and customer-focused business services. Traditional models outsourced non-essential internal functions, such as the maintenance of IT equipment, whereas recent models reach significantly further into the supply chain. Most financial services institutions have started to actively consume cloud services and to engage a variety of business partners to provide material business functions such as claims management and insurance brokerage.
These trends introduce complex data sharing requirements and new information security challenges which must be proactively managed to ensure that the services meet business objectives and that information is protected throughout its lifecycle, from collection to destruction.

Our point of view is that financial services institutions should implement a comprehensive vendor risk management framework to ensure that vendor risks are adequately managed, taking into account the sensitivity of the information, the criticality of the business activity and whether the activity is outsourced or offshored. The importance of adequate vendor risk management is also reflected in a variety of regulatory requirements, such as the Australian Prudential Standard CPS 231 Outsourcing. A comprehensive vendor risk management framework includes, but is not limited to, roles and responsibilities that are clearly defined and understood throughout the organisation, and periodic vendor risk and due diligence assessments, to ensure due care and reduce risk and legal liability. It further ensures that minimum information security requirements, service level agreements and standard terms and conditions are defined and agreed in legally binding contracts that include the right to monitor and audit.

CHALLENGE 4 – BUSINESS CONTINUITY (BC) AND DISASTER RECOVERY (DR)

The shift from traditional brick-and-mortar business models to fully digitalised, customer-focused distribution channels has resulted in customers and prospects expecting an exceptional experience on a 24x7 basis. Furthermore, service level agreements may impose financial penalties if the financial institution breaches its contractual agreement with its customers. To support the business in its objectives, close to zero tolerance for downtime and data loss has to be achieved across highly interconnected, centralised shared services and banking systems.
Our point of view is that financial services institutions should acknowledge that BC and DR are key business requirements and therefore need to be managed throughout the organisation. This should be accomplished by establishing an understanding of the impact that service outages have on business objectives and then translating those impacts into adequate recovery time objectives (RTO) and recovery point objectives (RPO) for internal and third-party-provided services. In addition, business units need to prepare contingency plans, including alternative work practices and processes, to support the business during a disaster. It is essential to periodically test DR and BC plans to ensure that all involved parties are aware of their responsibilities and to identify opportunities to improve and enhance the plans. Furthermore, the vendor risk management framework should ensure that vendors can provide the agreed service and are equally prepared to handle a disaster. It is also advisable to identify alternative suppliers for critical services in case of a complete failure of the primary service provider. Lastly, the globalisation of travel and the world economy requires modern organisations to proactively monitor events around the world and prepare a pandemic plan as a worst-case scenario. As communication with clients and business partners is a critical element of all DR and BC planning, organisations should consider using social media as a highly available communication channel.

CHALLENGE 5 – MANAGING CYBER RISK FROM EMERGING AND ADVANCED THREATS

Cybersecurity is a dynamic problem of velocity, volume and value: the threat agent is unknown and covert, equipped with skills and resources (funds and channels), and looking for the weakest link to exploit.
On top of this, cybercrime is widespread and aggressive and poses a major threat to economic and national security; yet many financial services institutions do not share information about threats or cooperate externally.

Our point of view is that financial services institutions should adopt a risk-based approach to cybersecurity supported by actionable threat intelligence, collaborating both internally and externally. The risk-based approach consists of two parts. First, organisations need to identify risk at a point in time and then undertake periodic reviews to identify changes in the threat landscape, the threat actors, the likelihood of a threat materialising and the associated impact. Second, organisations should undertake continuous risk assessment by introducing a monitoring process for unknown threats. Broadening the sources of information through threat indicator and behaviour monitoring, with notification and analytical capabilities, will enhance an organisation's defence. While the first part is traditional, well understood and performed periodically, the second part is more complex. Continuous risk monitoring requires financial institutions to leverage internal and external threat intelligence, add proactive components such as honeypots and malware analysis, and collaborate with other financial institutions to share threat intelligence, so constructing a risk-based, holistic approach to cybersecurity. The benefit of a risk-based approach is that it identifies value and risk in terms of the significance of the data and the weakest link, i.e. the point of vulnerability. It helps prioritise efforts and focus on patching the weakest link, gives visibility into the threat environment and enables better-informed information protection.

Authored by Christian Haider, senior security consultant, CSC Cybersecurity, and Chandra Prakash Suryawanshi, associate partner, business strategy, CSC Cybersecurity Consulting.
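The continuous monitoring component of Challenge 5 (shared threat indicators matched against an institution's own logs, with stale indicators aged out) is shown below as an added illustration. This is example code written for this page, not CSC's tooling or anything the paper describes in detail; the indicator feed, the log lines, the key=value log format and the field names (src, dst, client, query, host, sha256) are all constructed for the example, and a production feed would arrive over a sharing protocol such as STIX/TAXII rather than as a Python list.

```python
"""Match shared threat indicators against log events (added example, not CSC code).

The feed, the log lines and the field names are constructed for illustration.
Indicators older than max_age_days are dropped before matching, because
recycled attacker infrastructure is a common source of false positives.
"""
import ipaddress
from datetime import date, timedelta

# Constructed indicator feed: what a peer institution, an internal honeypot or a
# malware lab might share. "last_seen" is an ISO date supplied by the sharer.
FEED = [
    {"type": "ipv4", "value": "203.0.113.0/24",
     "source": "peer-bank-A", "last_seen": "2015-03-01"},
    {"type": "domain", "value": "update-secure-login.example",
     "source": "internal-honeypot", "last_seen": "2015-03-10"},
    {"type": "sha256",  # stale: last seen long before the scan date
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "source": "malware-lab", "last_seen": "2014-06-01"},
]

# Constructed log lines: "<timestamp> <log source> k=v k=v ..."
LOGS = [
    "2015-03-12T09:01:05Z proxy src=10.1.4.22 dst=203.0.113.45 action=allow",
    "2015-03-12T09:02:10Z dns client=10.1.4.22 query=UPDATE-SECURE-LOGIN.example.",
    "2015-03-12T09:03:00Z av host=ws-0412 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2015-03-12T09:04:00Z proxy src=10.1.4.23 dst=198.51.100.7 action=allow",
]
TODAY = date(2015, 3, 12)  # scan date for the constructed data

# Which log fields carry which indicator type (an assumption of this example).
IP_FIELDS = ("src", "dst", "client")
DOMAIN_FIELDS = ("query", "host")
HASH_FIELDS = ("sha256",)


def build_index(feed, today, max_age_days=180):
    """Normalise the feed into lookup structures, dropping stale indicators."""
    cutoff = today - timedelta(days=max_age_days)
    nets, domains, hashes = [], {}, {}
    for ind in feed:
        if date.fromisoformat(ind["last_seen"]) < cutoff:
            continue  # aged out
        if ind["type"] == "ipv4":
            nets.append((ipaddress.ip_network(ind["value"], strict=False), ind))
        elif ind["type"] == "domain":
            domains[ind["value"].lower().rstrip(".")] = ind  # case/trailing-dot insensitive
        elif ind["type"] == "sha256":
            hashes[ind["value"].lower()] = ind
    return nets, domains, hashes


def parse_line(line):
    """Split a constructed log line into a dict; tokens without '=' are ignored."""
    parts = line.split()
    event = {"ts": parts[0], "log": parts[1]}
    for tok in parts[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            event[key] = value
    return event


def _alert(event, field, ind):
    return {"ts": event["ts"], "log": event["log"], "field": field,
            "observed": event[field], "indicator": ind["value"], "source": ind["source"]}


def match_event(event, index):
    """Return one alert per indicator hit in a single parsed event."""
    nets, domains, hashes = index
    alerts = []
    for field in IP_FIELDS:
        if field in event:
            try:
                addr = ipaddress.ip_address(event[field])
            except ValueError:
                continue  # field present but not an address
            alerts.extend(_alert(event, field, ind) for net, ind in nets if addr in net)
    for field in DOMAIN_FIELDS:
        ind = domains.get(event.get(field, "").lower().rstrip("."))
        if ind:
            alerts.append(_alert(event, field, ind))
    for field in HASH_FIELDS:
        ind = hashes.get(event.get(field, "").lower())
        if ind:
            alerts.append(_alert(event, field, ind))
    return alerts


def scan(lines, feed, today):
    """Run every log line against the (age-filtered) indicator index."""
    index = build_index(feed, today)
    alerts = []
    for line in lines:
        alerts.extend(match_event(parse_line(line), index))
    return alerts


def demo():
    return scan(LOGS, FEED, TODAY)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['ts']} {a['log']} {a['field']}={a['observed']} "
              f"matches {a['indicator']} (shared by {a['source']})")
```

Against the constructed data the scan raises two alerts: the proxy destination inside the peer bank's shared /24 and the DNS query for the honeypot-sourced domain (matched despite different case and a trailing dot). The endpoint AV hash does not alert because the indicator is older than the 180-day window; raising max_age_days brings it back, which is the trade-off between coverage and false positives that the sharing agreement with peers should set explicitly.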
www.csc.com/cybersecurity

Worldwide CSC Headquarters

The Americas
3170 Fairview Park Drive
Falls Church, Virginia 22042
United States
+1.703.876.1000

Europe, Middle East, Africa
Royal Pavilion
Wellesley Road
Aldershot, Hampshire GU11 1PZ
United Kingdom
+44(0)1252.534000

Australia
Level 6/Tower B
26 Talavera Road
Macquarie Park, NSW 2113
Sydney, Australia
+61(0)2.9034.3000

Asia
20 Anson Road #11-01
Twenty Anson
Singapore 079912
Republic of Singapore
+65.6221.9095

About CSC

The mission of CSC is to be a global leader in providing technology-enabled business solutions and services. With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients and improve operations. CSC makes a special point of understanding its clients and provides experts with real-world experience to work with them. CSC leads with an informed point of view while still offering client choice. For more than 50 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs. The company trades on the New York Stock Exchange under the symbol "CSC."

© 2015 Computer Sciences Corporation. All rights reserved.