UPDATE – On June 6th the FFIEC formed the Cybersecurity and Critical Infrastructure Working Group, designed to enhance communications between and among the FFIEC members agencies as well as other key financial industry committees and councils. The goal of this group will undoubtedly be to increase the defense and resiliency of financial institutions to cyber attacks, but the question is “what effect will this have on new regulatory requirements and best practices”? Will annual testing of your incident response plan be a requirement, just as testing your BCP is now? I think you can count on it…
I’ve asked the following question at several recent speaking engagements: “Can you remember the last time you heard about a financial institution being hacked, and having its information stolen?” No responses. I then ask a second question: “Can anyone remember the last time a service provider was hacked, and financial institution data stolen?”. Heartland…TJX…FIS…almost every hand goes up.
As financial institutions have gotten pretty good at hardening and protecting data, cyber criminals are focusing more and more on the service providers as the weak link in the information security chain. And wherever there are incidents making the news, the regulators are sure to follow with new regulations and increased reinforcement of existing ones.
The regulators make no distinction between your responsibilities for data within your direct control, and data outside your direct control;
“Management is responsible for ensuring the protection of institution and customer data, even when that data is transmitted, processed, stored, or disposed of by a service provider.” (Emphasis added)
In other words, you have 100% of the responsibility, and zero control. All you have is oversight, which is at best predictive and reactive, and NOT preventive. So you use the vendor’s past history and third-party audit reports to try to predict their ability to prevent security incidents, but in the end you must have a robust incident response plan to effectively react to the inevitable vendor incident.
The FFIEC last issued guidance on incident response plans in 2005 (actually just an interpretation of GLBA 501b provisions), stating that…
“…every financial institution should develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider.” (Emphasis added)
The guidance specified certain minimum components for an incident response plan, including:
- Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
- Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
- If required, filing a timely SAR, and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and
- Notifying customers when warranted in a manner designed to ensure that a customer can reasonably be expected to receive it.
The guidance goes on to state that even if the incident originated with a service provider the institution is still responsible for notifying their customers and regulator. Although they may contract that back to the service provider, I have personally not seen notification outsourcing to be commonplace, and in fact I would not recommend it. An incident could carry reputation risk, but mishandled regulator or customer notification could carry significant regulatory and financial risks. In other words, while the former could be embarrassing and costly, the latter could shut you down.
So to summarize the challenges:
- Financial institutions are outsourcing more and more critical products and services.
- Service providers must be held to the same data security standards as the institution, but…
- …the regulators are only slowly catching up, resulting in a mismatch between the FI’s security, and the service provider’s.
- Cyber criminals are exploiting that mismatch to increasingly, and successfully, target institutions via their service providers.
What can be done to address these challenges? Vendor selection due diligence and on-going oversight are still very important, but because of the lack of control, an effective incident response plan is the best, and perhaps only, defense. Yes, preventive controls are always best, but lacking those, being able to quickly react to a service provider incident is essential to minimizing the damage. When was the last time you reviewed your incident response plan? Does it contain all of the minimum elements listed above? Better yet, when was the last time you tested it?
Just as with disaster recovery, the only truly effective plan is one that is periodically updated and tested. But unlike DR plans, most institutions don’t even update their incident responses plans, let alone test them. And while there are no specific indications that regulators have increased scrutiny of incident response plans just yet, I would not be at all surprised if they do so in the near future. Get ahead of this issue now by updating your plan and testing it. Use a scenario from recent events, there are certainly plenty of real-world examples to choose from. Gather the members of your incident response team together and walk through your response, the entire test shouldn’t take more than an hour or so. Answer the following questions:
- What went wrong to cause the incident? Why (times 5…root cause)? If this is a vendor incident, full immediate disclosure of all of the facts to get to the root cause may be difficult, but request them anyway…in writing.
- Was our customer or other confidential data exposed? If so, can it be classified as “sensitive customer information“?
- Is this a reportable incident to our regulators? If so, do we notify them or does the vendor? (Check your contract)
- Is this a reportable incident to our customers? How do we decide if “misuse of the information has occurred or it is reasonably possible that misuse will occur“?
- Is this a reportable incident to law enforcement?
- What if the incident involved a denial of service attack, but no customer information was involved? A response may not be required, but should you?
- What can we do to prevent this from happening again (see #1), and if we can’t prevent it, are there steps we should take to reduce the possibility? Can the residual risk be transferred?
Make sure to document the test, and then test again the next time an incident makes the news. It may not prevent the next incident from involving you, but it could definitely minimize the impact!
NOTE: For more on this topic, Safe Systems will be hosting the webinar “How to Conduct an Incident Response Test” on 6/27. The presentation will be open to both customers and non-customers and is free of charge, but registration is required. Sign up here.