Cybersecurity Regulation Increases and Threat Intelligence Reduces Risk
July 25, 2017
By Louis Bruno
Contributing Author Eli Dominitz, Q6 Cyber
Organizations in all industries struggle to identify emerging cyber threats while addressing the legal and regulatory consequences of cyber breaches. Federal and state regulators mandate that financial services firms in particular implement a robust cybersecurity program that should not only defend the firm against cyberattacks but also proactively identify cybercriminal activity.
Higher Regulatory Expectations
Financial services firms in New York, including banks, are now subject to explicit cybersecurity requirements. Beginning in March 2017, the New York Department of Financial Services (“NYDFS”) requires its covered financial institutions (“Covered Entities”) to adopt cybersecurity programs.1 Key requirements from the NYDFS include:
- Adopting cybersecurity policies, procedures, training and monitoring
- Designating a Chief Information Security Officer (“CISO”) and utilizing qualified cybersecurity personnel
- Conducting cyber risk assessments
- Defining responsibilities of third-party service providers
- Using a defensive infrastructure to protect confidential data
- Establishing an incident response plan
- Certifying the cybersecurity program annually to the NYDFS
Be Ready to Certify the Cybersecurity Program
The NYDFS regulation is high on the radar of many senior bank officers as they now must file an Annual Board Resolution or Compliance Finding certifying compliance. Specifically, the board of directors or senior officer(s) are required to confirm that (1) they have reviewed all documents, reports, certifications and opinions of the bank’s officers, employees, representatives, outside vendors and other individuals or entities as necessary; and (2) to the best of their knowledge, the program complies with NYDFS’s regulations for the relevant reporting period.2
Gain a Level of Comfort with Cyber Threat Intelligence
To adequately mitigate cyber risk, reduce financial exposure, protect brand reputation, and be able to comfortably certify the firm’s cybersecurity program to the NYDFS, senior officers should consider a more proactive approach to mitigating cyber risks. Cyber threat intelligence programs can meet those needs.
Traditional cybersecurity and fraud prevention solutions are typically designed to detect and repel malicious activity in real time. For example, a firewall can block a connection attempt to an IP address that is “blacklisted.” Such defensive or “perimeter security” approaches, however, have done little to curtail cyber attacks and breaches, as hackers constantly improve their capabilities and tools.
Cyber threat intelligence programs can look beyond an organization’s network perimeter to gain early visibility of adversaries’ malicious activities, plans and tools. This visibility allows security teams to detect emerging threats before they materialize into damaging attacks and to contain attacks at earlier stages. Consider the following analogy: To physically protect a building, a traditional defensive approach includes tall fences, security cameras and sensors, and a patrol of armed guards. A proactive, intelligence-driven approach includes all of the above, as well as sensors and cameras placed five miles outside the facility’s perimeter to detect incoming threats (i.e., who is approaching? What weapons are they carrying?) and allow the armed guards to prepare accordingly.
It’s easy to see how this analogy translates into the digital world. As with physical security, traditional cybersecurity solutions rely on known vulnerabilities and threat indicators to detect security incidents and risks. As a result, existing security tools and assessments, such as firewalls, intrusion detection systems, and penetration tests, are defensive, typically backward-looking measures that are ineffective at detecting new vulnerabilities, exploits, and attack tactics, which may take days, weeks, or even months to be discovered and understood.
Indeed, data breaches can often go undetected for months; in 2015, attackers were present on a victim company’s network an average of 146 days before being discovered,3 and, more recently, a major U.S. retailer disclosed a year-long data breach.4
Traditional cybersecurity solutions monitor the corporate network, but cannot monitor the environment that exists beyond the network perimeter (e.g., social media, vendors, partners, employees’ personal devices). This external environment is growing in magnitude and complexity, and cybercriminals are leveraging it in creative ways.
Cyber threat intelligence addresses the shortcomings of traditional cybersecurity solutions. Cyber threat intelligence programs focused on tracking and monitoring malicious activity outside the organization’s network perimeter are specifically designed to detect previously unknown vulnerabilities, tactics, and techniques, and to cover the entire relevant environment. Such programs cover a wide range of data sources, including the “DarkNet,” “DeepWeb,” and other hacker and criminal digital communities that can be leveraged to obtain actionable evidence on threats to financial institutions. Intelligence professionals experienced in collecting and analyzing data from such sources can produce valuable insights on a multitude of threats and risks not otherwise visible to financial services firms. Identified threats can cover many areas including:
- Compromised customer data, including personally identifiable information;
- Access credentials to corporate networks or applications;
- Vulnerabilities in specific systems or applications;
- Compromised employee records and intellectual property;
- Insider threats; and
- Information demonstrating that a firm, its employees or agents have been compromised.
Much of this information is not publicly available, so trained experts and specialized tools are often required. Experts, many of whom received training in the most sophisticated intelligence agencies in the world, are often the leaders of threat intelligence programs or vendors.
Once armed with this threat intelligence, senior management can take appropriate and effective actions to protect the organization and its customers.
Using Cyber Threat Intelligence to Comply
The gap between a cybercriminal’s ability to threaten an organization’s network and a bank’s ability to defend itself and its customers continues to widen. The NYDFS has set the expectation that banks need to do more to stay ahead of cybercriminals. As such, it’s important to understand the specific areas where cyber threat intelligence can assist banks in staying ahead of the curve.
Cybercriminals can threaten bank infrastructures in unprecedented ways that negatively impact an organization’s finances and reputation. Proactive cyber threat intelligence can substantially bolster the bank’s cybersecurity and fraud prevention programs. Cyber threat intelligence can play a key role in mitigating risks, addressing regulatory requirements, reducing fraud- and cyber-related losses, and maintaining customer trust. Banks should consider more widespread use of threat intelligence to meet these needs, and ultimately reduce costs, risks and damaged reputations.
1 New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies (“Part 500”). Covered Entities include banks operating under the New York State Banking Law, subject to limited exemptions under Section 500.19 of Part 500.