
Cybersecurity: An industry expert looks at the risk of cybersecurity breaches

Historically, insurance firms have been security-challenged. Low budgets, low emphasis, and security largely managed by IT system administrators and database administrators (DBAs) rather than security professionals are among the factors that heighten the risk of a cyber attack. However, the biggest problem for most insurance companies is that private information is everywhere and anywhere across their technology, making it impossible for most companies to control and protect, and expensive to contain, isolate, secure, and monitor.

Brian Cummings (Tata Consultancy Services), a cybersecurity thought leader with more than 30 years of experience in this field, has drafted a white paper entitled The Inevitability of a Security Breach, which examines the increasing frequency, sophistication and stealth of cyber attacks in the global banking and financial services industry. While the focus of the article is on the challenges to cybersecurity in these two areas, the inevitability of breaches and recommended strategies for mitigating vulnerabilities are equally applicable to other business sectors, including the insurance industry.

The white paper has been reprinted with the permission of Tata Consultancy Services—a global leader in IT services, digital and business solutions working in partnership with its clients to simplify, strengthen and transform their businesses.

 

The Inevitability of a Security Breach

By Brian Cummings, Tata Consultancy Services


Brian Cummings is a Practice Lead for Enterprise Security & Risk Management at Tata Consultancy Services. As a cybersecurity thought-leader, he is a champion for Vigilance, Proactive Forensics, Insider Threat Management, and Red Team Testing. He has served as Practice Director and Practice Lead for enterprise risk and security services in TCS North America since September 2007.

His experience in the Information Risk and Security domain dates back to 1984. Cummings was a Director in the KPMG IRM Risk Advisory Services practice for nearly nine years in both the Dallas/Fort Worth and Silicon Valley markets. He has also served as Professional Services Manager, Security & Audit Products, in California for four years. Prior to starting his consulting career, Cummings gained front line information security experience at McDonald’s Corporation and MCorp/MBank in Dallas, Texas.

Introduction

The global banking and financial services industry functions in an environment characterized by a variety of challenges—evolving regulatory requirements, complex and diverse operations, technological advances, competitive pressures, and high customer expectations. In addition, the entry of non-traditional players into the ecosystem has threatened the market share of incumbents. While it is essential for banks to drive investments to maintain and secure their market position, it is equally imperative to address other critical risk factors. The rapid rise of cybercrime constitutes yet another risk for the financial services industry. The increasing frequency, sophistication and stealth of cyber attacks against financial services organizations have resulted in increased identity theft, financial losses, lost customers and business, and regulatory activity. As a result, cyber-risk management is assuming the importance of a core business requirement.

The evolving threat landscape—cyber attackers’ persistence in exploiting vulnerabilities—creates challenges to effective cyber-risk management. Financial institutions (FIs) further contribute to this by expanding the attack surface through technological innovations that introduce new vulnerabilities. Additionally, undue emphasis on availability, rather than confidentiality and integrity, leaves FIs open to cyber attack.

Cyber-attacks lead to reputational damage, erode customer confidence, and invite intense regulatory scrutiny. This underscores the need for banks and FIs to enhance cyber-resilience while considering the complexities of cyber-risk and addressing existing and emerging threats.

Cyber-events and Threats in Financial Services

According to a report released by Russian security firm Kaspersky Lab, over 100 banks spread across 30 countries have lost around $1 billion to hackers since the end of 2013 (1). A leading US bank reported a security breach in which personal information of millions of customers was stolen. Investigations revealed strong possibilities of other banks having been infiltrated without their knowledge, and the industry is rife with speculation that several FIs may have been compromised without realizing it. Authorities have even warned of the likelihood of cyber attacks on large global banks triggering the next financial crisis and have called upon FIs to accord cybersecurity preparedness the same importance as they would capital and liquidity management.

Cybersecurity in the Spotlight

The proliferation of cyber attacks has turned the spotlight on enhancing cybersecurity, and regulatory agencies such as the Federal Financial Institutions Examination Council (FFIEC) have called for action to combat cyber-threats. However, the regulatory guidance is based on legacy approaches, lacks priorities and reiterates mitigation activities that have proven unsuccessful in the past. TCS believes that while these guidelines will likely drive future regulatory audits, they will only serve to distract FIs from executing initiatives that are critical to enhancing cyber defense.

The spate of cybersecurity incidents in the recent past, which have resulted in compromised customer data, concerns about increased vulnerability and financial loss running into millions of dollars, has necessitated a thorough review of banks’ cyber-resilience mechanisms. While there is widespread apprehension over recurring breaches and their consequences, banks and FIs lack direction in the absence of a prescription to fortify their cyber-defenses. Given this situation, several banks and FIs as well as industry experts now express the view that a security breach is inevitable.

While the likelihood of a cyber-attack is high, it is possible for FIs to counter such attacks by raising the bar on cybersecurity. This will require FIs to draw up an effective cyber-risk management framework that goes beyond compliance with regulatory standards and laws that become obsolete even as they are published.

(1) Chicago Tribune, “International hacking ring steal up to $1 billion from banks,” February 16, 2015, http://www.chicagotribune.com/business/chi-hackers-bank-heist-20150215-story.html.

Challenges to Building Effective Cyber Resilience

It is undeniable that the cyber-threat quotient of banks and FIs is high. However, they are not mere passive victims, but have actively contributed to their increased vulnerability in the following ways:

Technology innovations. In their pursuit of business growth, banks have introduced digital innovations to cater to the tech-savvy customer. These innovations have brought a new set of vulnerabilities into the financial ecosystem thereby enhancing cyber risk.

Availability over confidentiality. Fears of a backlash following a service disruption have led to a heightened focus on providing uninterrupted service. This has resulted in an emphasis on availability over confidentiality and integrity, and in granting excessive access rights to inappropriate people and processes. FIs will remain highly vulnerable as long as their fear of a service interruption outweighs their concern over a security breach. Also see Infrastructure deficiencies below, which are equally affected by the lack of balance in security controls.

Human error and system glitches. Human error due to employee negligence, and system glitches comprising IT and business process failures, accounted for a significant percentage of data breaches in 2013 and 2014. This indicates that many data leaks can be attributed to the inadequacies of FIs, and it is within their power to mitigate them by enforcing greater control, adopting better practices, and putting in place stronger disciplinary measures in sensitive areas.

Infrastructure deficiencies. Despite rising regulatory concern and action, the emphasis on availability has created flaws in FIs’ infrastructure level security that malicious actors can exploit with impunity to undetectably compromise application and business process controls. By emphasizing availability, FIs have put security in jeopardy and endangered data confidentiality. Application and business process controls lack the capability to detect data breaches at this level, which is further compounded by the failure of post-event investigations to detect the actions.

Banks and FIs have traditionally managed security with a focus on end users and their access, and have implemented elaborate access control measures to prevent fraudsters from taking over accounts. However, security strategies set stringent end user access controls while being more lenient with technically sophisticated users who hold advanced access rights at the infrastructure level. This creates loopholes that hackers target, and that insiders with privileged user access can exploit. Security breaches and insider abuse of privilege at the infrastructure level are invisible to application and business process controls. Banks and FIs are hesitant to impose greater security restrictions, which underscores the need for a higher degree of vigilance and monitoring.

Is a Cybersecurity Breach Inevitable?

The recent increase in the number of cyber events is evidence of the failure of banks’ defensive capabilities. Such breaches also demonstrate the inadequacy of mandatory regulations and other controls to protect against a cyber event. Compliance with applicable laws, regulations and standards offers no guarantee against a cyber attack. A failure to raise the cybersecurity game will greatly increase the chances of a successful cyber attack.

Preventing a Cybersecurity Breach

The need of the hour is to stop treating cybersecurity as a mere preventive or regulatory compliance exercise and work on embedding cybersecurity awareness into the culture of the organization. Banks and FIs should raise the bar for cybersecurity by elevating cyber-risk management to a core business function led by a C-level executive, rather than being subservient to IT, and involve both business and IT stakeholders. The better practice model would include both a business-side, business savvy CISO and a technically savvy IT CSO fully collaborating to achieve common cybersecurity goals.

Every instance of a previously known and documented security breach represents a failure to identify and/or effectively respond to detectable anomalies. The answer lies in stepping up vigilance to identify unusual activity, and responding immediately by interdicting the transaction or activity, if necessary, pending further detailed investigation. TCS recommends that banks and FIs begin by assessing their cyber resilience to serve as a foundation for the adoption of a cybersecurity strategy centered on “Aggressive Vigilance.” Once the assessment is complete, banks and FIs should invest in monitoring and detection tools, form a dedicated team to maintain continuous vigilance, and empower the team to “aggressively” stop suspicious activity for investigation before allowing it to continue. This can prevent a malicious intrusion from advancing down the cyber-kill chain while you are taking the time to investigate an anomaly.

Approach to Assessing Cyber Resilience

Banks should revisit their cybersecurity priorities, strategy, investments, and solutions to draw up an organization wide cyber resilience strategy that focuses on taking cybersecurity to the next level.

Banks and FIs should undertake a thorough assessment of their current security capabilities based on the SANS Top 20 Critical Security Controls (CSCs) with a focus on completeness of definition, identification, restriction, and monitoring of privileged accounts. CSCs are based on a broad community model of well-known and frequently exploited vulnerabilities, and implementation leads to an effective cybersecurity program as it:

Evaluates current maturity

Fosters executive buy-in

Maps to industry reports

Highlights risk exposure

Identifies vulnerable areas

Comes with a validated ecosystem

A detailed assessment should help answer the following questions:

Is your security effective?

Evaluate the effectiveness of security across network, server and storage through independent penetration testing and Red Team exercises, supplemented by internal Red Team testing exercises.

Have you already been compromised?

Conduct independent and cyclical computer forensic inspections to check whether the organization has already been compromised.

Are you confident of identifying suspicious activity?

Evaluate the security event monitoring solutions to check if they have the capability to detect anomalous activity and trigger alerts in a timely manner.

Do you have the power to stop suspicious activity?

Check whether IT experts are empowered to stop anomalous activity detected in the system pending a satisfactory investigation to determine whether it is legitimate. Without this empowerment, the cyber-kill chain can advance more rapidly than an investigation, and become increasingly damaging and costly.

Is your data adequately protected?

Check if sensitive data is identified, compartmentalized, isolated, encrypted, and monitored to restrict proliferation. Uncontrolled dissemination (anywhere and everywhere) of such data hampers protection and compliance.

Can you match the determination of your adversaries?

Successful cybersecurity is ultimately a question of will. Does your determination to secure your environment equal or exceed the determination of threat actors to compromise your systems? If not, you are, and will remain, vulnerable.

TCS believes that a security breach is inevitable unless such an evaluation is followed by corrective action to mitigate identified issues, as these issues represent significant vulnerabilities to the organization’s cybersecurity posture.

Creating a Cybersecurity Strategy

A successful strategy that can detect and prevent cyber incidents will require organizations to:

Establish Aggressive Vigilance

Establish “Aggressive Vigilance,” and increase vigilance where security control is known to be weak by dedicating and continuously training a specialized monitoring team to maintain 24×7 vigilance. Empower the team to stop anomalous activity for immediate investigation and validation. Banks and FIs should invest in defenses that match the offensive capabilities of malicious actors by adopting cutting edge event monitoring technologies and installing best of breed threat management tools to keep up with the increased sophistication, stealth and evasion of hackers.

Improve identity and privileged account management

While banks have traditionally emphasized availability, the underlying paradigm of an effective cyber-resilience strategy lies in shifting focus from availability to confidentiality and integrity. The need of the hour is to establish a governing policy that ensures confidentiality-integrity-availability (C-I-A) balance by aligning security controls and practices with the governing rules. Banks and FIs should put in place a governance policy to closely monitor those with privileged access rights and power users, review and report user activity, and regularly revalidate the need for the privileges.
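Added example (not from the white paper or from TCS): a Python sketch of the two privileged-account checks this section and the assessment questions above call for, namely revalidating that held privileges still match the role and are re-approved on schedule, and holding privileged activity for investigation when it does not match the inventory or falls outside the expected change window. The account inventory, role policy table, activity log and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

REVALIDATION_DAYS = 90     # assumed policy: privileges re-approved at least this often
CHANGE_WINDOW = (7, 19)    # assumed hours of day in which privileged changes are expected
# Constructed inventory: role, privileges held, date the privileges were last revalidated.
ACCOUNTS = {
    "dba_jlee":   {"role": "dba",      "privs": {"db_admin"},         "revalidated": "2015-01-05"},
    "sa_mrossi":  {"role": "sysadmin", "privs": {"root", "db_admin"}, "revalidated": "2014-06-01"},
    "app_batch":  {"role": "service",  "privs": {"db_admin"},         "revalidated": "2015-02-01"},
    "teller_ann": {"role": "teller",   "privs": set(),                "revalidated": "2015-02-01"},
}
# Hypothetical policy table: privileges each role is entitled to hold.
ROLE_ALLOWED = {"dba": {"db_admin"}, "sysadmin": {"root"},
                "service": {"db_admin"}, "teller": set()}
# Constructed privileged-activity log: (timestamp, account, privilege used, action).
ACTIVITY = [
    ("2015-02-10T09:12:00", "dba_jlee",   "db_admin", "ALTER TABLE accounts ADD COLUMN note"),
    ("2015-02-11T02:47:00", "sa_mrossi",  "root",     "useradd tmp01"),
    ("2015-02-12T10:03:00", "app_batch",  "db_admin", "nightly reconciliation export"),
    ("2015-02-12T10:05:00", "teller_ann", "db_admin", "GRANT ALL ON accounts TO teller_ann"),
]

def revalidation_findings(accounts, today):
    """Privileges to restrict or re-approve: held beyond the role's entitlement,
    or not revalidated within REVALIDATION_DAYS of `today` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=REVALIDATION_DAYS)
    findings = {}
    for name, acct in accounts.items():
        reasons = []
        excess = acct["privs"] - ROLE_ALLOWED[acct["role"]]
        if excess:
            reasons.append("exceeds role: " + ",".join(sorted(excess)))
        if acct["privs"] and datetime.strptime(acct["revalidated"], "%Y-%m-%d") < cutoff:
            reasons.append("revalidation overdue")
        if reasons:
            findings[name] = reasons
    return findings

def holds_for_investigation(activity, accounts):
    """Events the vigilance team should stop pending investigation: a privilege
    used that the inventory does not grant, or privileged use outside the window."""
    holds = []
    for ts, name, priv, action in activity:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour
        if priv not in accounts.get(name, {}).get("privs", set()):
            holds.append((name, action, "privilege not in inventory"))
        elif not CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]:
            holds.append((name, action, "outside change window"))
    return holds

if __name__ == "__main__":
    for acct, why in revalidation_findings(ACCOUNTS, "2015-02-15").items():
        print("REVALIDATE", acct, why)
    for acct, action, why in holds_for_investigation(ACTIVITY, ACCOUNTS):
        print("HOLD", acct, repr(action), why)
```

A privilege used that the inventory does not record is the more urgent finding, since it means either the inventory is incomplete or the privilege was obtained outside the governance process.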

Elevate security to a core business activity

Financial organizations should elevate security to a core business function led by a C-level executive and build an enterprise security technology architecture with automated and scalable processes to address the security needs of cloud-based, mobile and social media applications.

Maintain continuous vigilance

Cybersecurity is a journey of continuous attention, improvement, and optimization. Match the motivation, determination, and persistence of adversaries to compromise your systems and network by continually hunting for signs of attacks, and respond proactively to prevent a breach.

Conclusion

Improving cyber-resilience is a key imperative to prevent a security breach. If yours is a mature information and IT security program, it should include independent validation to answer the question: How do we know our security works? If your security program is immature, then you need to focus on the immediate imperatives of restricting and monitoring privileged accounts, and of becoming aggressively vigilant. With that safety net, you can then work to develop a more mature program consistent with your industry and enterprise risk, and your budgetary capabilities.


About Tata Consultancy Services’ Banking and Financial Services Business Unit

With over four decades of experience working with the world’s leading banks and FIs, Tata Consultancy Services (TCS) offers a comprehensive portfolio of domain-focused processes, frameworks, and solutions that empower organizations to respond to market changes quickly, manage customer relationships profitably, and stay ahead of competition. Our offerings combine customizable solution accelerators with expertise gained from engaging with global banks, regulatory and development institutions, and diversified and specialty FIs.

TCS ranked #2 in the 2013 FinTech 100 rankings of top global technology providers to the financial services industry and counts 12 of the top 20 global FIs among its clientele. From retail and corporate banking, capital markets, market infrastructure, and cards, to risk management and treasury, TCS helps organizations achieve key operational and strategic objectives.

Contact: For more information about TCS’ Banking and Financial Services, please send email to [email protected].