Four worries bank cybersecurity experts face

April 28, 2022 9:00 PM

Few banks have a corporate leadership structure that puts cybersecurity executives close to the top of the organization, according to a recent survey of such executives at financial institutions.

The survey results, released by cloud computing and software company VMware, show that 80% of chief information security officers report to chief information officers rather than the CEO. Experts disagree over whether that is the appropriate reporting structure, with some saying it creates a major governance issue and others saying CISO promotions are unnecessary.

Technology

5 reasons banks are focusing on cybersecurity

Whether state-sponsored or masterminded by a 16-year-old, data breaches have become a major cause for concern across the banking world.

By Stewart Bowling

April 28

Electricity Infrastructure as Eskom Holdings SOC Ltd. Bailout Prospects Fade

The survey also highlights the types of threats outside their walls that bank cybersecurity officers are increasingly worried about. These include the targeting of nonpublic information, the security shortcomings of cryptocurrency exchanges and hacks that hit tech partners, all of which impact the security of banks in various ways.

VMware surveyed 130 chief information security officers and security leaders at financial institutions, 41% of which were headquartered in North America. The company conducted the survey in February 2022.

Here is a look at some of the tactics of highly sophisticated threat actors, third-party threats banks face and what cybersecurity experts believe their institutions ought to do about them.

Fear Of Unknown Leaves Traders Facing Bouts Of Volatility

Michael Nagle/Bloomberg

Hackers target market-moving information

According to the results of VMware’s survey, many financial institutions face efforts by hackers to gain access to corporate information that can affect the share price of companies, such as earnings estimates, public offerings and significant transactions. This information can be about the bank itself or about other companies.

Of the cybersecurity executives surveyed, 66% said their institution had experienced attacks that targeted market strategies and 25% said market data was the primary target for cybercriminal activities.

“Portfolio managers and heads of market strategies are being specifically targeted by persistent threat actors who are not stealing money, who are not destroying data, who are not moving laterally through a system, but merely trying to become telepathic as to the positions the institution takes,” said Tom Kellermann, head of cybersecurity strategy for VMware.

Attributing cyber incidents to particular threat actors can be difficult, particularly when they are sophisticated attackers. Proving that market manipulation occurred as a result of hackers obtaining nonpublic information would be an even more difficult task, according to Peter Marta, a partner at law firm Hogan Lovells specializing in cybersecurity.

“You'd have to see certain anomalous trading activity; you'd have to tie that to a specific group or individual; you would then have to prove the activity was insider trading associated with material nonpublic information, then that the information was obtained through some type of cyber-related compromise of a specific financial institution,” Marta said.

Bank tech partners also present security risks

Cybercriminals can exploit the dependencies financial institutions have on managed service providers — providers of IT services like network, application, infrastructure and security services — to gain access to the institution. VMware calls the strategy “island hopping.”

Rather than lateral movement within an organization, island hopping is lateral movement across organizations, according to Rick McElroy, principal cybersecurity strategist at VMware.

According to the company’s survey, 60% of financial institutions were victims of island hopping last year.

A major example of island hopping occurred during the 2020 cyberattack committed by Russian-backed hackers that penetrated thousands of organizations. The group injected malicious code into Solarwinds’ network management software updates, which the company unwittingly pushed down to U.S. government agencies, financial institutions, and many other clients.

Financial institutions concerned about the security of their managed service providers should review their relationships with those vendors to make sure they are making them fill out detailed security questionnaires, obtaining audit rights and gathering proof that they use recognized frameworks and best practices, according to attorney Marta.

“Ten years ago, the obligation to notify your customer of a cyber incident wasn't nearly as common in contracts as it is today,” Marta said. “It's the lawyer’s job to make sure that the contracts with vendors remain consistent with latest best practices, and it's on IT and third party oversight functions to ensure that they're conducting the right level of due diligence.”

Before banks concern themselves with their contracts, they need to concern themselves with their internal culture, according to Steve Tcherchian, chief information security officer at cybersecurity company XYPRO.

“Without a proper internal culture of security and privacy, managing security of managed providers can be a futile effort,” Tcherchian said. “Providers need to be treated as an extension of the company itself, because they are. Switching providers will just shift the problem from one bucket to another. Start at home.”

Banks worry about insecurity of crypto exchanges

In VMware’s survey, 83% of respondents expressed concern over the security of cryptocurrency exchanges — a concern by virtue of the growing ties between banks and cryptocurrencies. The company said the equivalent of $2.6 billion has been stolen from these exchanges, and attackers using ransomware often demand payment in cryptocurrency using these exchanges.

Tcherchian said cryptocurrencies have become part of many investment portfolios and pose a potential disruption to payments, both of which make crypto an important consideration for banks.

Crypto trading typically happens in a centralized fashion on popular exchanges like Coinbase, Crypto.com, and others. For the many users on those exchanges, that makes their funds only as secure as the exchange where they are trading.

“All the fundamental vulnerabilities that exist for financial institutions still exist for the people building crypto exchanges, except the exchanges don't have the same staff; they don't have the same amount of money; and they certainly haven't been around long enough to build a good risk management program,” McElroy said.

McElroy added that, while cryptocurrencies generally assure that funds remain locked away in wallets, that does not assure the keys to wallets are secure.

“I think the community has tried to rely on blockchain as the security mechanism,” McElroy said. That handles things like assessing the integrity of transactions, but “it doesn't account for a website vulnerability” or malware that penetrates a crypto exchange’s system.

As for which crypto exchanges banks could trust, McElroy advised that banks consider which are actively seeking oversight from regulators. Coinbase, one the largest exchanges by volume, is among those exchanges.

Most security chiefs don’t report to the CEO

Most large financial institutions and companies in other sectors have a person in their executive suite charged with overseeing cybersecurity, often called a chief information security officer, or CISO for short. In 80% of the financial institutions surveyed, that person does not report directly to the chief executive officer.

For some, merely giving CISOs a direct line of communication with the CEO and the company board of directors is sufficient. For VMware’s Kellermann and others, it’s not enough.

“Any institution out there that wants to pretend that they're actually being proactive about cybersecurity investment and the security posture of the organization should, literally immediately, promote their CISO to be reporting to their CEO,” Kellermann said.

He pointed out that the Securities and Exchange Commission recently proposed a rule that would privilege information about the cybersecurity posture of publicly traded companies as material that must be reported to the board of directors.

VMware’s report also points to Shields Up guidance from the U.S. Cybersecurity and Infrastructure Security Agency. In it, the agency’s top recommendation for corporate leaders and CEOs is to “empower CISOs by including them in the decision-making process for risk to the company.”

For Kellermann, having CISOs report to anyone other than the CEO creates a governance issue. Tcherchian, a CISO, agrees.

“Traditionally security has been viewed as an IT problem and reporting structure and concerns have been hidden under a CIO or CTO,” Tcherchian said. “This creates a governance issue due to competing priorities. The CISO roles need to be elevated and responsibilities viewed as business risk, not just IT risk.”

However, not everyone believes that means CEOs must promote their CISOs. “In my view, there's not a clear consensus regarding the optimal reporting structure to senior leadership and the board from CISOs,” Marta said.

Marta said he had seen CISOs reporting to the company’s chief information officer, chief risk officer, chief operating officer, and in some cases, to general counsel.

“I think the specific reporting structure is less important than the fact that the CEO, and I think the board, should have a direct line of communication with the CISO,” he said.