In the last 24 months, the mindset, the tools and the methodology for dealing with a cyberattack have changed. Even something as basic as how to handle mobile attacks is missing from many bank plans. If you have not updated your incident response plan (“IRP”) in the last year, it might be time, and this will help.
Of all the risks facing banking, a cyberattack is one of the most difficult to plan for and understand. Many bankers don’t have the training to articulate the risk to the board, nor do they know the appropriate amount of resources to devote to the effort. For example, while many banks have proper defenses around their digital perimeter, and some have data-loss prevention in place, few banks we have spoken with have an updated plan and the tools in place to deal with a breach.
A New Mindset
For starters, most banks need to change their mindset. It is really not a question of if cybercriminals breach the bank; it is only a question of what damage is done when they do. This is 180 degrees from how most bank managers think. The problem with believing your IT department has everything under control is that it gives you a false sense of security and blinds management to the true risk. If you doubt this, consider that many major corporations, law enforcement organizations and government agencies, including the FBI and the Department of Defense, have spent billions of dollars on security and were still breached in 2013. If criminals want to break through your defenses, know that they can, almost at will. Once you have come to terms with this risk, the next best defense is to build an infrastructure that doesn’t make it easy for crooks once they are inside your firewall.
Developing a Plan
First ask how you obtained your plan and when it was last updated. If your bank used a generic plan, it likely does not address specific lines of business. Handling a breach of transaction data is vastly different from handling a breach of web traffic information. At the other end of the spectrum, larger banks tend to have each business line develop a separate plan, which slows the response when an attack spans many business lines and the responses are not coordinated.
A good plan will lay out not only how different levels of attack are escalated, but also how the decision process works. The use case that should be in every bank’s plan is malicious code found in the core system. Does that automatically require shutting down the network, depriving the bank of critical applications like email? Who makes that decision? Defining critical events, how they are escalated and how decisions are made is the basis of a good bank IRP.
The plan should also treat a cyberattack and breach as a multi-functional event. Don’t make the mistake of resting everything on IT. Public relations, marketing, legal, compliance and operations all need to be coordinated. A bank should have a template of a press release, a website post and a customer email ready to go out within hours, not days. While marketing is preparing its response, legal and compliance should be looking into their alternatives and liability. Meanwhile, the technology teams and senior management should be investigating the extent of the breach.
After the basic infrastructure is covered in the plan, a list of law enforcement agencies, cyber-experts, forensic IT professionals and outside technical personnel should be detailed and on standby. A bank’s IT group should be constantly talking to its preferred providers and others to determine which firms are prepared to deal with the latest attacks and breaches. To the extent that emergency assistance service level agreements can be put in place with preferred firms, we highly recommend it for any bank over $1B. Without dedicated professionals on standby, it has taken some banks almost a week to engage third-party help. Assistance is needed within 24 hours to limit liability.
Another key aspect of any bank response plan is when to devote resources to monitoring. A good bank plan should require increased monitoring after any merger announcement, since many hacking groups assume the involved banks are busy with consolidation and may have decreased vigilance and even weakened defenses. In a similar vein, any breach or discovered malware, no matter how benign, should be monitored for a period of time afterward, because these days malware is often disguised in one form only to mount another type of attack on key customer data.
What a Good Bank Plan Looks Like
Banks typically follow regulatory guidelines and the incident taxonomy defined by the National Institute of Standards and Technology. These protocols broadly define incident categories as inappropriate usage, unauthorized access, denial of service and malicious code. It is important for everyone in the bank to have a basic working knowledge of the plan and its definitions to aid communication.
Banks then need to standardize threat levels based on the value of the data potentially compromised. Malware that compromises customer account numbers should have a different response and a different escalation path than malware that causes a loss of vendor intellectual property. The stakeholders differ in each case, and the resources a bank applies to the incident will vary. The more clearly the plan defines the actions to be taken for each type of loss and each level of loss, the more successful the response will be.
In the plans we reviewed for this analysis, one key component that was missing was the assignment of someone to document, in real time, the bank’s response to an incident. This is critical for quality improvement as well as for liability protection. Documenting the response, and the conditions faced at the time of each decision, is extremely important to help everyone understand the mindset behind that decision. The other component missing from many banks’ plans is the escalation point at which a “command center” or war room is established and activated. For critical breaches at large banks, a center needs to be managed and staffed on a nearly 24-hour basis. Management should have that contingency and centralized decision-making infrastructure in place ahead of time.
Guidelines and Checklists: The backbone of any plan is a set of procedural guidelines and checklists that handle containment, eradication and recovery. For each data type and incident type, the guidelines outline the objectives, the personnel commitment and the operating model. Checklists provide step-by-step instructions and assign roles and responsibilities to specific individuals.
ID the Assets: Before banks can create a plan they must understand the value of what is at risk. Identify critical areas and important information: employee data, customer information, M&A deal terms, intellectual property, IT topography documents, code repositories, procedures and even your IRP itself are high-value targets. List and rank the assets in an appendix so all employees understand what is important and the level of response each warrants if compromised.
Testing the Plan: Banks need to test their plan multiple times per year and build “muscle memory” in how to use it. Testing is the perfect way to do that. To avoid designing tests that fit the plan, third parties or non-stakeholders should be asked to come up with the scenarios. Better yet, real-world examples such as the latest Target breach can be used. Get key stakeholders in a room and conduct a “table top” exercise in which everyone walks through the plan and its various stages and responses. Once that is complete, and to the extent possible, conduct real-world tests such as an immediate network shutdown or a database quarantine and backup.
Train and Communicate: An IRP is worthless if no one understands it or if it becomes irrelevant. The IRP is a dynamic document that needs to be reviewed with every new product, branch or procedure change. Business line owners must be responsible for making sure the plan reflects reality, and the Chief Risk Officer must spot-check the process.
While the odds are against it happening to your bank, a cyber threat is one of those low-frequency, high-risk events. A good IRP has heavy executive sponsorship, organizational buy-in and a tested operational plan. When a successful cyberattack occurs and the scale and impact of the breach come to light, the first question customers, shareholders and regulators will ask is, “What did this institution do to prepare?”
After talking to many industry experts and reviewing several well-regarded plans, we have put together a basic template that will get banks started if they don’t have a plan and give banks new ideas if they do.
If you are a regulated financial institution, you can find the IRP Template here: https://services.csbcorrespondent.com/content/bank-cyberattack-incident-response-plan-template
Submitted by Chris Nichols on February 06, 2014