Security

Banks and Credit Unions Should Evaluate Their Cybersecurity Assessments

No industry is more in need of reliable testing than financial services, and testing is required by regulators. But how do you know what you need?

Dan Hansen

Dan joined the CDW Financial Services team in early 2016 and brings with him 14 years of experience in the banking industry. He previously served as the CIO of a high-technology adopter bank.

Every IT leader inside a bank, credit union or other financial service organization knows they are big targets for the bad guys. In fact, financial services companies are the victims of cybersecurity attacks an astonishing 300 times more frequently than most other industries: more than 1 billion times per year, compared to 4 million on average for other sectors.

In the industry, the average total cost of a data breach was $5.86 million, says the Ponemon Institute’s Cost of a Data Breach 2019 report.

When a financial institution is affected by a breach, it will confront high legal costs and regulatory fines in addition to the reputational costs and loss of business that any organization would face. Close to 30 percent of people left their banks and 12 percent left credit unions due to unauthorized activity on their accounts, one survey reported.

Almost 20 percent of financial services firms say they are increasing their investments in cyber-protection. Meeting regulatory and compliance requirements ranked as the top reason for greater investments.

Regulations and standards that financial services businesses must comply with include the Gramm-Leach-Bliley Act that requires safeguarding information such as account numbers, credit and income histories and Social Security numbers, and the Payment Card Industry Data Security Standard (PCI DSS) for protecting payment card data. It can be technically challenging and expensive for banks and credit unions that issue debit and credit cards to remain compliant.

How Third-Party Assessments Protect Banks Against Risks

The Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of Currency (OCC) and the National Credit Union Association (NCUA) all require banks and credit unions to conduct annual security testing designed to help in preventing cybersecurity episodes. The Federal Financial Institutions Examination Council (FFIEC) guidelines, as well as financial regulators’ information security assessment processes include logical and administrative controls such as access rights administration; transmission and storage encryption; malicious code defenses including anti-virus, firewalls and gateway rules; and heuristic or signature intrusion detection and response.

Institutions of all sizes could benefit from using third parties to conduct cybersecurity assessments to help them better understand their security posture and target where and how they can better prepare their infrastructure and controls to fend off threats. The 11th Global Risk Management report from Deloitte, which surveyed 94 financial institutions around the world, notes that “only 52 percent of respondents said their institutions are extremely or very effective at managing” cybersecurity risks.

On the plus side, the Cost of a Data breach 2019 study points out that organizations across industries that perform extensive testing of their response plans save over $1.2 million.

A Look Inside Cybersecurity Assessments

Mature cybersecurity assessments need to cover a lot of ground. Under the overall banner of compliance assessment are tests designed to meet data security shortfalls. Vulnerability testing for detecting and classifying security loopholes in the infrastructure is absolutely a baseline requirement. Ethical penetration testing that manually simulates a cyberattack to discover how an attacker can gain unauthorized access to systems matters a lot, too. Both are important to assessing compliance with PCI DSS.

Application assessment also is a form of ethical hacking, where security engineers try to break into off-the-shelf or in-house applications (such as through APIs) and make recommendations for security improvement, such as a centralized, simplified access policy. It’s key to marry application assessment with a configuration review to avoid the possibility of open ports on servers that could lead to breaches of sensitive information. And in today’s social media-saturated world, assessments should address phishing scam possibilities via those platforms.

Another big part of successful cybersecurity assessments comes when financial firms have strategic conversations with IT and security experts to help determine where to start making improvements to the security fabric.

Banks, credit unions and other financial businesses have no choice but to engage in security assessments on a yearly basis. Given what’s at stake, there’s no room for getting this wrong.