Cybersecurity Threats to the Financial Sector

Building customer trust is paramount to the success of any company, but perhaps nowhere more so than in the banking industry. Cyberattack strategies are increasingly innovative, putting pressure on banks to protect their data or make the headlines when the next big breach takes place. The Bangladesh cyber heist of 2016 is one infamous example of threat actors’ ingenuity: Hackers used malware to steal $101 million1 through the SWIFT international transactions network at the Federal Reserve Bank of New York.

This urgency to tighten cybersecurity doesn’t just come from internal stakeholders, either. Once banks reach $10 billion in assets, several complex regulatory demands take effect. How growing banks perform in this pivotal phase can make or break their long term success. Underprepared banks that fail stress tests requirements, for example, face fines and significant business setbacks.

According to BNY Mellon’s2 2017 Annual Report, “The failure to maintain an adequate technology infrastructure with effective cybersecurity controls relative to the type, size and complexity of operations... could impact operations and impede our productivity and growth, which could cause our earnings to decline or could impact our ability to comply with regulatory obligations leading to regulatory fines and sanctions.”

When the $10 billion threshold appears on the horizon, banks must begin preparations immediately with the help of industry experts like Tevora and Tripwire. Help your board of directors demonstrate active risk mitigation and meet expectations from regulatory bodies like the Federal Deposit Insurance Corporation (FDIC). It’s never too early to begin putting foundational cybersecurity controls in place.

What $10 Billion Means for Banks

It can take years for banks to adequately prepare for the security and compliance realities that set in when banks reach $10 billion in assets. Strategically planning and executing a strategy is essential to withstanding the demands of stress testing and meeting regulatory compliance. Other considerations that become more pressing as banks grow are the Volcker Rule of the Dodd Frank Wall Street Reform and Consumer Protection Act, Consumer Financial Protection Bureau fines, and fees from the Durbin Amendment.

Dodd Frank Act Stress Testing

The Dodd Frank Wall Street Reform and Consumer Protection Act requires that banks with $10–50 billion in assets conduct annual stress tests, known as DFAST (Dodd Frank Act Stress Testing). Stress testing involves risk assessment for baseline, adverse and severe conditions in the financial market—requiring substantial resource use and detailed data logging. Results must be shared with the FDIC and ultimately published. In addition to DFAST, the Dodd Frank Act instituted the Consumer Financial Protection Bureau to ensure fair and transparent practices at banks over the $10 billion mark. Yet another component of the Dodd Frank Act also kicks in at this milestone: the Volcker Rule, which prohibits certain types of proprietary trading.

Regulatory Compliance

As the banking industry is heavily regulated, continued growth depends upon compliance with standards like GLBA, SOX, FFIEC, SWIFT, COBIT, SEC, and state and federal audits. The regulatory bodies overseeing banks require stringent security policy compliance be met. Banks must prove they have an effective change management process in place.

The larger a bank becomes, the more important it is to deploy a solution robust enough to satisfy auditors. This means finding a security solution with baked in file integrity monitoring (FIM), security configuration management (SCM), vulnerability management and log management. When banks leverage a tool that automates alerts on unauthorized changes and misconfigurations, it’s much easier to prove compliance.

The FFIEC Maturity Model Baseline

The FFIEC (Federal Financial Institutions Examination Council) is an interagency body of federal banking regulators. Their baseline cybersecurity maturity requirement puts forth the foundational security practices banks must have in place. Beyond the baseline, they supply further recommendations for reaching evolving, intermediate, advanced and innovative cybersecurity maturity. A bank’s cybersecurity maturity level is determined by the FFIEC Cybersecurity Assessment Tool (CAT), which focuses on five specific domains:

• Cyber risk management and oversight
• Threat intelligence and collaboration
• Cybersecurity controls
• External dependency management
• Cyber incident management and resilience

Use Tripwire Solutions to Align with the FFIEC

Each domain contains several criteria banks can use to reach a baseline or above maturity level. Security professionals responsible for compliance and audit success need the appropriate tools to accomplish this. When we look at the baseline cybersecurity controls requirements domain 3, for example, we can see how Tripwire solutions achieve each specific objective.

Proven Success

Tripwire is no stranger to the security needs of large, multinational banking institutions, with a track record of helping banks improve their IT security posture and align with regulatory requirements in the process. Tripwire’s tightly integrated capability suite helps financial institutions deliver reliable and secure services while withstand the stress testing necessary to facilitate their continued growth in the global financial market.

Organizations often have a build sheet or gold image but see considerable drift from that over time —and no way to analyze systems in real time for compliance related to system changes. Tripwire solutions help banking institutions remediate security vulnerabilities and compliance misconfigurations across their on premise, hybrid and cloud environments.

The FIM and SCM capabilities of Tripwire Enterprise, for example, provide detailed reporting on unauthorized changes and misconfigurations. As soon as a change is detected, an automatic validation process kicks off to verify that this change did not take the system out of compliance or introduce new vulnerability risk. Tripwire solutions integrate with one another as well as with an extensive array of security products like Splunk.

Tevora Partnership

Tevora helps banks better understand and mitigate risks. They analyze banks’ cybersecurity postures and map existing needs to Tripwire solutions. This aids banks in implementing the change and vulnerability management best practices that enable them to withstand the demands placed on them upon surpassing $10 billion in assets. In addition, Tevora focuses on evaluating, recommending and implementing security controls that protect server, network and endpoint infrastructure from advanced threats using the NIST Cybersecurity Framework as a baseline for evaluating the effectiveness of a control. Tripwire Policy Manager establishes and tracks alignment with this and other controls.

Summary

If your organization struggles to support “checking the box” for regulatory purposes or is focused on strengthening security controls in preparation for hitting the $10 billion milestone, Tripwire can help. Tripwire supports FFIEC policy controls “out of the box” for a wide range of platform and device types.