Risk and regulation in the financial sector.
Dave Bittner: [00:00:04] Hello, everyone, and welcome to CyberWire-X, a series of specials designed to highlight important security topics affecting organizations around the world. This is part three of a four-part series called "Ground Truth or Consequences: The Challenges and Opportunities of Regulation in Cyberspace." Today we look at risk and regulation in the financial sector, specifically, how it intersects with cybersecurity. We'll examine how organizations operate in a heavily regulated global financial environment all while protecting their employees, their customers and the integrity of a system largely built on trust.
Dave Bittner: [00:00:42] A program note - each CyberWire-X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view. And speaking of show sponsors, a word from our sponsor, Gemalto.
Dave Bittner: [00:01:04] Your enterprise is rich with sensitive data at rest and in motion throughout the network. But what happens if that sensitive data isn't secure or if it's improperly accessed? We're guessing that regardless of what defenses you have currently implemented, the thought of your data being stolen or manipulated keeps you up at night. Gemalto tackles the two main causes of cyberattacks - identity theft and data breaches. They do this by providing next-generation digital security built from two technologies - secure digital identification and data encryption. Gemalto already operates these solutions for many well-known businesses and governments, protecting trillions of data exchanges. And as independent security experts, they guarantee digital privacy and compliance with data protection regulations. Gemalto puts you back in control of your own data. Visit Gemalto today to learn more about their access management and data-protection solutions. You can also check out the most recent findings from the Breach Level Index, which tracks the volume and sources of stolen data records. Go to gemalto.com/cyberwire to subscribe and learn more. That's gemalto.com/cyberwire. And we thank Gemalto for sponsoring our show.
Valerie Abend: [00:02:30] The financial services sector is a complex web of financial regulators all with different missions and different authorities, specifically to support those missions.
Dave Bittner: [00:02:43] That's Valerie Abend. She leads Accenture's Financial Services North America Security Practice. And she's also their global cyber regulatory lead.
Valerie Abend: [00:02:52] It's, perhaps, the most complex in the United States. Many of the other jurisdictions around the world have, you know, one central bank that also is their prudential regulator. It's their safety and soundness regulator. It regulates their markets, their banks, payment systems, you know, every kind of aspect of the financial system.
Josh Magri: [00:03:14] We have nine federal U.S. supervisory agencies.
Dave Bittner: [00:03:18] That's Josh Magri. He's senior vice president and counsel for BITS. They're the technology policy division of the Bank Policy Institute.
Josh Magri: [00:03:27] We have three self-regulatory organizations. And then at the state level, there tends to be a split between insurance, state supervisory agencies, securities and banking, all of which are appropriately concerned about cybersecurity and the regulation pertaining to cybersecurity. But it has created a very complex environment over the past three to four years.
Valerie Abend: [00:03:53] The cyber regulatory side is relatively new from the concept of truly around cyber oversight. For more than a decade - almost two decades now - particularly in the banking sector of financial services, there has been a longtime focus on, we'll say, IT, IT risk management, information security. And some aspects actually go into third-party oversight.
Valerie Abend: [00:04:24] But it's only been as of late that there's really been a focus on cyberattacks and what that means from a regulatory standpoint. The banking regulators try to address this through an organization called the Federal Financial Institutions and Examination Council. Short - the shorthand for that is the FFIEC. That is a statutory body that brings together all of the regulators that are in the banking segment, so the credit unions, the banking - federal banking regulators. And they come together to address a myriad of issues, which also include cybersecurity and how to kind of coordinate the examination of policy, the training of examiners on a range of issues but also in the cybersecurity space.
Josh Magri: [00:05:10] A few years back, the financial services sector was quite involved in the National Institute of Standards and Technology's development of the Cybersecurity Framework. And the Cybersecurity Framework, what it amounted to and what it was developed out as was not only a means to talk about cybersecurity and cyber risk management but also an organizational structure to do just that. And the financial services sector was very involved in its creation. And it came out in 2014.
Josh Magri: [00:05:45] Many of the financial services sector firms started to move toward organizing around the Cybersecurity Framework. Right around that time, we started to see some regulatory issuances from the supervisory agencies - the financial services supervisory agencies. And we started to see that the way that the issuances were written, they were written in such a way as to be different in terms of the taxonomy between the NIST Cybersecurity Framework and what was in the documents themselves.
Josh Magri: [00:06:26] So we put it to a survey, and we used the FS-ISAC as our distribution mechanism. And the results that we got back in 2016 were somewhat astounding. Chief information security officers were saying that about 40 percent of their time and their team's time was spent doing cybersecurity regulatory compliance and not security-related activities. So with this survey result, we realized that - as a sector that we needed to do something about it because the number of job openings for cyber was only increasing. The way that we decided that we needed to tackle this was at the organizational structure in the taxonomy level. So for the better part of two years, we've been developing out what we've called the cybersecurity profile for the financial services sector.
Valerie Abend: [00:07:21] It is true that financial services is often pointed to as the most mature or as mature as, say, the defense industrial base relative to what we would say are the critical infrastructures supporting, you know, the global economy and the systems that we all rely upon every day. It is true part of it's because it's where the money is. It's also true because they're so heavily dependent for their business on IT.
Valerie Abend: [00:07:48] At the end of the day, financial institutions, they don't really have a lot of assets outside of the money they actually manage, which is all digital now, the delivery channels, which is largely becoming, you know, incredibly digital. You know, many of them are even building branchless banks now where you have a financial institution that literally has no physical presence in terms of a branch. And, you know, they just depend on IT systems.
Valerie Abend: [00:08:15] And so maintaining trust - all they have is the ability to maintain trust and to manage your digital assets in terms of money really well and smart people. That's what they have. And so in order to maintain that trust, they are more mature in terms of their thinking about IT and digital services, and, of course, how to maintain not just security but resilience - right? - that ability to have a high availability to your customers, to provide, you know, a strong set of services to them.
Valerie Abend: [00:08:48] That said, you know, the - there is this incredibly complex area, and nothing is foolproof. And so while they do have a higher level of maturity, they're constantly challenged with addressing not just new areas of vulnerability but new areas of their business that could present additional vulnerability that might be very attractive to cyber attackers.
Josh Magri: [00:09:11] We fully anticipate that there will be additional regulations. But when there is, you know, we ask that they use the organizational structure and the taxonomy that's integrated within the profile and use that within the regulation itself - may not be in the legalese up front. But what we've asked for is, you know, essentially, after they get through all the legalese and what the regulation is and what it's about to put an appendix saying, all that stuff up front, what we're really saying is that we're going to ask you these three or four additional questions during the examination. And they fit within the profile here, here and here.
Valerie Abend: [00:09:56] It's also hard when we look at regulation in isolation - different ends of the spectrum or different parts of that pyramid, if you will, around how folks think about GDPR and GDPR compliance. So say if we're at the bottom of that pyramid - where, unfortunately, many people may be - they may think to themselves, I don't have a branch in the EU, so this doesn't apply to me. And unfortunately, that's not the case. And then maybe in the middle of that pyramid you have, you know, a fair amount of entities who understand it does apply. And they're looking at it as very compliance-driven activity. How do I make sure that I am checking all of the boxes?
Valerie Abend: [00:10:37] But at the top of the pyramid, I think where you're most strategic, is not only thinking about it, yes, I have to comply; yes, it applies to me; yes, I need to think about my overall data management strategy. But how do I actually think about the fact that the GDPRs of the world - not just this one regulation, but that the future regulation - is going to continue down this path and that I don't look at regulation in isolation, that I don't look at one specific regulation and think only how I comply with that, but I actually internalize all of this, understand that the future is going to become more complex around security, privacy and what I'll call data localization requirements that actually require you to think about your business model maybe a little bit more strategically than you have in terms of its use of data and perpetuity.
Valerie Abend: [00:11:28] I think we are at a time of increasing complexity from the standpoint of not only securing digital assets and for financial institutions to provide their services in a secure and sound way, but I think from a regulatory compliance standpoint, it's particularly complex. I like to call it demonstrable risk management. How do you not only comply with what's being asked - but you actually have to do in a demonstrable way.
Valerie Abend: [00:11:59] It's not enough just to say on paper that I have this set of controls, and I have this type of governance around the process to ensure that we're understanding where the risk is and we're consistently changing our risk management processes based on that risk and using threat intelligence. It's increasingly complex to show how you're doing it, that that control is working up to X percentage level of the time, and I have confidence in it actually behaving the way we intended it to behave. And that is really hard. And it's also hard when we think about the fact that, you know, these are highly competitive environments.
Valerie Abend: [00:12:37] Customer experience is incredibly important to what financial institutions do. The pace with which they're operating at is very fast. We are moving, in the financial services world - we've always talked about what we call real-time gross settlement. This is how do we make sure that our wholesale payments and transactions happen, and they settle in real time? So once that payment is out there, it is immediately received, and that's it. That's the end of the payment. That has been what we call batch processing largely until now.
Valerie Abend: [00:13:11] And in places like Australia, Canada and other parts of the world, we are moving to, you know, real-time payments. And that is very hard to get back once you've - if you've issued that payment to the wrong place or if a cybercriminal has exploited that system. So the risk is actually increasing as we try to move to these - to these real-time systems. And that's a big challenge.
Josh Magri: [00:13:37] In terms of the regulatory community, you know, this is something where we have been able to collaborate. We do feel that there's certainly room for improvement in terms of the process for collaboration. We think that this NIST process of open, multi-stakeholder engagement is a good one that could be modeled, not only within our sector but across others. But that said, you know, the regulators, when we have gone to them, have provided feedback and direction. And that has been immensely helpful into the development of the overall profile.
Valerie Abend: [00:14:18] But we need to have a strategic conversation where we bring together and educate regulators about, you know, how do we leapfrog out of some of the difficult situations that we have with innovation so that we're not writing regulation for the past, but we're actually creating a regulatory environment that, yes, holds us to task and makes sure that we're doing the right things and operating in a safe and sound manner but that don't stifle what needs to be done because we're stuck in practices of the old?
Valerie Abend: [00:14:46] And so from that standpoint, I do think there's a robust dialogue that needs to happen. How do you get a handle of what those things are so that you're writing regulation in a way that - that allows for that room to - to outpace the bad guy?
Valerie Abend: [00:15:00] The thing that has always kept me up at night is a destructive attack in certain key sets of data where data could be changed. In the financial services industry, it is really the potential for the highest level of risk. And when you think about that from a potential insider threat perspective or even a third party, it could be incredibly important - that maybe isn't truly a chartered financial institution but supports the backbone of the financial system - that to me is where a lot of the regulation and time and effort and focus should be.
Valerie Abend: [00:15:41] But I do think we spend a lot of time focusing on maybe some of the things that while important and difficult for institutions to deal with, probably don't represent a potential for systemic risk across the entire financial sector. And so I think the one thing I would - I would want to stress is as we think about where oversight and focus needs to go, I would argue that better collaboration, better focus, stronger sets of eyes on those things that are truly supporting potential systemic risk.
Jason Hart: [00:16:20] So I think certainly what I've seen from the financial sector over the past five, six years is the maturity to information security, cyber risks, et cetera.
Dave Bittner: [00:16:30] That's Jason Hart. He's CTO for enterprise and cyber security from our show's sponsors, Gemalto.
Jason Hart: [00:16:36] However, I still think there is a view that because they are following a particular standard or particular regulation, that they - they are secure, when actually this isn't always the case.
Dave Bittner: [00:16:51] Now, they are heavily regulated. So they have to operate within those guardrails.
Jason Hart: [00:16:57] Without a doubt - but, you know, one of my bugbears is, you know, I see many financial organizations around the world of all different sizes and demographics. A lot of them still don't use multi-factor authentication. And I'm just like, really? You know, they - they have a form of step-up or step-up authentication. But from a bad guy's point of view, the ability to conduct social engineering attacks is still very simple and very easy. So I still think there's certain parts of the financial industry which are low-hanging fruit to the bad guys.
Dave Bittner: [00:17:30] And why do you suppose that is? I mean, obviously, you know, it would seem to me that no organization has a bigger bull's eye on their back than the financial sector because that's where the money is.
Jason Hart: [00:17:41] Great question. So often I get into conversations with these types of organizations. And, you know, I say, so multi-factor authentication, two-factor authentication or step-up authentication, surely this is - this is required. And their answer most of the time is, well, the users don't like it as the user experience. But my argument is, well, the user to one side, sure you have an obligation of protecting that - you know, that organization's data, their account or the financial information.
Jason Hart: [00:18:13] So surely you, as an organization, should make it simpler, easier to remove that barrier and provide a seamless user experience. The technology is out there. For me, the ultimate security control is the one where an individual doesn't actually know that they're going for a particular security control or going through a particular motion which is providing a higher level of security.
Dave Bittner: [00:18:38] And do you suppose, I mean, this is a result of this rapid evolution that we've seen, how more and more of the financial operations that we do day-to-day, both from a business and personal point of view, they've shifted online?
Jason Hart: [00:18:53] I think we're seeing a huge amount of disruptive technology coming into the financial sector. You know, it's a - it's a sector which, you know, is open for disruption. Ultimately, then, the new organizations coming into the market now think about the concept of what I talk about a lot as the user need. As a customer, as a user need, what is it actually I want? What is it I'm trying to achieve?
Jason Hart: [00:19:16] You know, open banking is a great example where, you know, suddenly, now I can sign up to a service. I can see all four or five of my bank accounts in one visual pane. I've got real-time cash flow. I get a report every month that I spent $200 on coffee, which was a shock.
Dave Bittner: [00:19:34] (Laughter).
Jason Hart: [00:19:34] So, you know, that's the user need. So now that's driving the consumption. But at the same time, it's creating more data, which can be used, you know, to further enhance those services. So for me, disruption in the financial industry is - it's fantastic as a user because I get a better user experience. But at the same time, more data's being created, multiple bank accounts are being brought together, which, suddenly, then increase the potential risk.
Dave Bittner: [00:20:02] And so how do organizations need to respect that gathering of data?
Jason Hart: [00:20:07] Again, as we've said on previous podcasts, there are some very well-known security controls - encryption key management, which categorically, you know, minimize risk. By default, these organizations, from a financial point of view, should be applying the appropriate cryptographic controls and key management to the critical sets of data.
Dave Bittner: [00:20:30] If I'm in the technical department at one of these organizations and I need to make that case to my board of directors, I'm going to them hat in hand asking for the money to make this happen. How do I make that case?
Jason Hart: [00:20:42] From the conversations I've had, a lot of organizations believe they're actually applying the appropriate security control. But then when I - I dig deeper to say, OK. That particular database - brilliant, you've encrypted it. Is it by column? Is it by row? - whatever. So where is the key stored to unlock that encryption? Oh, it's actually stored within the application. So what we have is a knowledge gap to say, you know, people think they are actually applying the appropriate security controls. They're doing 50 percent. But actually, the other 50 percent, they - there's a lack of knowledge on actually, you know, securing that key, as an example.
Dave Bittner: [00:21:23] Can you walk us through the process when you do engage with an organization? Can you take us through? I mean, what are the steps? From gathering information, where does it begin? And what's the process like for you?
Jason Hart: [00:21:36] Yeah. So for me - the process I'm going to outline now is for any particular industry. For me, it's the concept of situational awareness. So I tend to think like a - I try and think like a bad guy as much as I can. So the first of all is I start with - I create a bucket of data, OK? What types of data do you, as an organization, have? Then I create a bucket of people. Who has access to that data? - contractors, third parties, supply chain, employees, board members, etc. Then I create a bucket of locations to say, OK. Is it - do - you know, do you have systems internally in the cloud, third parties, GitHub repositories, etc.?
Jason Hart: [00:22:14] So now I have three buckets. So now I start drawing process flows between these three buckets. And I, essentially, follow the data. So then, you know, we'll see that, all right. There's a database with data in. There's a backup database. There's a repository in the cloud. There's a bit of AWS. So very quickly, I have a visualization. And from a bad guy's point of view, they call that footprinting amelioration. I have a footprint of that organization. Then what I do - we identify the critical sets of data at each phase to say, right. What are the potential attack vectors?
Jason Hart: [00:22:50] So within the database, could that database be cloned? Could it be copied? Could it be, you know, a rogue administrator? Could the traffic be sniffed? - point-to-point encryption. You know, OK, into a dev environment - so we basically start identifying the key sets of risks. And then once we've identified those, we can start applying the appropriate security controls. But we can only do that if we have a full visualization of people, data, process and location.
Dave Bittner: [00:23:18] Do you find that organizations are often too close to their own structure to be able to take that high-level view of it?
Jason Hart: [00:23:26] Totally, 100 percent. You know, they assume that because they've encrypted the database, that, actually, in the event of a breach, they're fine. But what they don't realize is that critical element of when, you know, they've encrypted the database, the key to unlock it is actually on the network or it's actually within the application. And, you know, they're shocked to see, you know, when they've seen that they've been compromised and that, actually, the key to unlock the data's been kind of taken with it as well.
Dave Bittner: [00:23:50] And - forgive me. The level of this question - but it's a fundamental one, I think. We're talking about the financial sector. In the modern economy, is there a difference between what you and I would refer to as money and data? Are they the same thing these days?
Jason Hart: [00:24:11] For me, data's the new oil, OK? Depending on the type of data, it can actually be more valuable than actual money itself. So again, let's think in the world of a bad guy. If I can compromise an organization and capture a lot of personal information on that individual, I can take that data and create other downstream attacks. So ultimately, it's a multiplier effect. So data is money. I can sell. I can use that data or I can use it to conduct other attacks.
Jason Hart: [00:24:40] In addition, if I've got multiple data sets from multiple breaches, now I get a very good visualization of an individual and a profile of that individual. Suddenly, you have a data set on individuals, which then can allow some very sophisticated attacks - account takeover, you know, compromising someone's - you know, doing social engineering attacks against them, you know, conducting further financial fraud against them.
Dave Bittner: [00:25:04] Now, we've spoken about some of the technological approaches here, using things like encryption. But what about the social engineering side? We hear more and more that that is the way that folks are getting into systems. I mean, is this a matter of training or should the technology be protecting our users, our employees from this from the get-go?
Jason Hart: [00:25:25] Social engineering is nothing new. You know, I was doing it, you know, 20, 24 years ago. The only difference then - back then, it would take a lot longer to actually conduct the social engineering attack. The stuff - you know, the adverse or the increase in technology has allowed a social engineering attack to take place very, very quickly and also on multiple channels. You know, I could send you a text message now, you know, portraying to be one of your colleagues, actually masquerading to be one of your colleagues, you know? You know, there's multiple channels now.
Jason Hart: [00:25:54] So for me, social engineering is more about the people. It's the awareness. Technology can mitigate. So again, you know, the social engineering attack is ultimately about getting, you know - one of the key or kind of main attacks is capturing the username and password or getting information from that individual to kind of access. So normally, it's around the password.
Jason Hart: [00:26:16] If we can start removing some of the static passwords or eradicating static passwords and replacing it by a one-time password, we're vastly reducing, you know, that particular social engineering attack. Of course, there are ways of socially engineering multifactor - sorry - two-factor authentication passwords, but at least we're one step further. So social engineering - the best mitigations for social engineering attacks is training and awareness.
Dave Bittner: [00:26:42] Are there any specific challenges that the financial sector faces that other groups do not?
Jason Hart: [00:26:50] I think it's the level of risk. It's more - it's financial. It's real money, in most cases. I think what we - you know, we are starting to see it now where, you know, a bank's customer may inadvertently - you know, expose his log-on credentials to the bank account. And suddenly, someone's come along and siphoned their money, their life savings.
Jason Hart: [00:27:11] We are starting to see now - the banks, initially, were accepting that risk and refunding the monies. But we're starting to see cases where now if the bank can actually prove - the financial institute can actually prove that the individual mistakenly gave their details away, that is the user's or the customer's problem. So I think there is a large financial - a risk exposure there.
Jason Hart: [00:27:33] I still think that there's further steps that the banks can take. For me, what the banks or financial institutes need to do is apply security controls transparently so the customer doesn't - isn't aware that those controls are there. It just happens. So obviously, machine learning, artificial intelligence are all going to bring advances in this. But ultimately, we need to start by ensuring that the basic security controls are in place and being used.
Dave Bittner: [00:28:05] That's Jason Hart, CTO for enterprise and cybersecurity at Gemalto. Thanks to them for underwriting this edition of CyberWire-X.
Dave Bittner: [00:28:13] Be sure to visit gemalto.com/cyberwire to learn more about their access management and data-protection solutions and also find out about the Breach Level Index, which tracks the volume and sources of stolen data records. That's gemalto.com/cyberwire.
Dave Bittner: [00:28:31] And thanks to Valerie Abend from Accenture and Josh Magri from the Bank Policy Institute for their participation. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.