Money 2020 and the new Cyber Regulations

One of the big topics at Money 2020 will be the new cyber regulations announced by the Fed and FDIC.

They believe hacking could lead to a national financial crash.

Christopher Pierson, EVP, General Counsel & Chief Security Officer, of FinTech company Viewpost has analyzed the proposal and says this “really places a chair at the table of Board meetings for all cybersecurity business risks.”

In advance of Money 2020 he put together these top security topics that he could discuss with you at Money 2020 or on the phone – or online.  They include his predictions on hacks and even the election.

Just for context, Chris is a perfect person to quote and interview since he is responsible for implementing a cybersecurity, compliance and legal program at Viewpost, which serves as a secure B2B network for electronic invoicing, payments and real-time cash management with partners like Bank of America.  Prior to joining Viewpost, Chris was the Senior Vice President, Chief Privacy Officer for the Royal Bank of Scotland’s U.S. banking operations, leading its privacy and data protection program and reporting directly to the Board of Directors.

Money 2020 Security Topics

  1. Proposed Federal Banking Rules – Increasing Cybersecurity Stance on Financial Institutions

With the release of proposed federal guidance applicable to financial institutions (FIs), the prudential banking regulators (OCC, FRB, and FDIC) are signaling that the nation’s largest FIs (over $50B in assets) are facing a new realm of enhanced cybersecurity controls, audits, and governance. While FIs generally have more rigor around their cybersecurity risks and control frameworks, the continued hacks and breaches against the likes of DNC, Anthem, Target, OMB have shaken the foundational core of cyber controls and their effectiveness. The proposed guidance emphasizes: increased controls and measured effectiveness; cyber resiliency that presupposes hacks and interruptions of service will occur and focuses on remediation and getting services restored; and governance that starts and stops at the Board’s front doorstep. This proposed guidance, in combination with the proposed guidance from the New York Division of Financial Services, really places a chair at the table of Board meetings for all cybersecurity business risks.

This is the most significant enhancement and perhaps the change that has the potential to be most impactful. Similar to the requirements under Sarbanes-Oxley (SOX) that require Boards to have persons of financial expertise on the Board or Audit Committee, this change will ensure that there is proper governance over risk, cybersecurity, and privacy from an outside director perspective. Nothing these days is more important than having effective, knowledgeable experts who can understand business objectives and goals and provide some balance between cybersecurity business advantages and risks.

  1. Authentication of Customers (Good Old Username/Password)

Despite the Multifactor Authentication Guidance issued by the FFIEC in 2011, the rate of customer bank account takeovers continues to rise. Despite scanning controls in the background of some bank websites, if only a username and password are what is standing between your account being depleted and the cybercriminal, then we will continue to be one step behind the criminals. Dual factor authentication has been a best-in-class control for a long time and, with the saturation of smartphones and token or SMS options, one that is difficult to continue to pass up.

  1. Big Hacks Keep Coming – Yahoo
  2. Topic: Problems with Authentication (i.e. User Name and Password)

Same as above – just copy and paste it here.

Also, though: when we look at the username/password paradigm that has been compromised at Yahoo, LinkedIn, LivingSocial, and other large targets, we see the same weaknesses on the business and customer side. The businesses have a chance to increase education and change the types of passwords that can be used (i.e. not pa$$word or 123456), but it will come at a little more friction. The customer has the chance to not re-use the same password multiple times, choose one that is stronger, turn on dual factor authentication, and use a password safe as opposed to the sticky note on their desk. Undercutting the financial ecosystem is the fact that these emails are often what controls access to the financial accounts and systems our customers use each day, and so they serve as a weak spot both as an infection vector and for account controls.

  1. Topic: Thoughts on Cybersecurity being a “material” risk item affecting the price of the deal with Verizon

Cybersecurity is not just a risk, but is more importantly: (1) a business enabler and (2) part of the “oxygen” that allows all of our companies to exist. This is a Board issue, a C-Suite issue, and a way to push business ahead and gain customer trust. The Verizon comments on the breach at Yahoo potentially triggering a “material” event that might require a substantive discount bring this topic home.

  1. Customer Perceived Friction – Still Not signing up for Dual Factor Authentication (2FA)

(Off-Shoot of Story #1)

Protection of an account is a two-party job. Both the customer and the financial institution or tech partner must be in this together. Given that smartphone adoption is at an all-time high, texts are predominantly free to the end user, and free applications like Google Authenticator exist, there are very few arguments as to why this is a control that is hard to implement or filled with friction. In fact, the opposite is most certainly true: by placing these options of multifactor authentication in front of customers, educating them on use, and demonstrating how to set it up, we can all enjoy a more secure ecosystem.
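To make the dual factor control discussed in the two authentication sections concrete, here is an added example (not code from the original post or from Viewpost) of the time-based one-time password scheme that authenticator apps such as Google Authenticator implement: HOTP per RFC 4226 and TOTP per RFC 6238, plus the server-side verification with a clock-drift window and a replay guard. The base32 shared secret is the RFC 6238 test secret, and the timestamps, `verify_totp` signature and `last_used_step` replay guard are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct


# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(timestamp // step), digits)


# Authenticator apps show the enrolment secret as base32 (assumed enrolment format);
# pad to a multiple of 8 characters because apps often omit the '=' padding.
def decode_shared_secret(b32: str) -> bytes:
    cleaned = b32.strip().upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, timestamp: int, last_used_step=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time step whose code matched, or None if the code is rejected.

    window:          accept +/- one step so phone/server clock drift does not lock users out.
    last_used_step:  the step of the last accepted code (assumed to be stored per user);
                     any candidate at or before it is refused, so a captured code cannot
                     be replayed within the drift window.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    current = int(timestamp // step)
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    secret = decode_shared_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test secret
    print(totp(secret, 59))  # 287082 (RFC 6238 vector at T=59, truncated to 6 digits)
```

On the server the secret is stored per user at enrolment, and the step returned by `verify_totp` is written back as `last_used_step` after every successful login; that single integer is what turns a one-time password into one that is actually single use.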

  1. Business Email Compromise (BEC) Fraud or CEO Fraud

Despite all the controls that exist in companies these days, we are just sending our money out the back door in response to an “urgent email” from someone purporting to be the CEO. From Oct. 2013 to Feb. 2016, Business Email Compromise fraud cost approximately $2.3B in reported losses. Internal finance and HR teams are duped into responding to the requests of the purported CEO and they rush a wire or other payment out the door to an account from which the funds are quickly siphoned away. Losses are not being covered by insurance carriers, as this is seen as a participatory crime that does not involve a financial instrument. But there are controls we can implement to solve this.
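One technical control that complements the process controls (dual approval, out-of-band callback to a known number) is a mail-gateway check for the pattern described above: an executive’s display name on a message that does not come from the company’s mailbox, a Reply-To that diverts the thread elsewhere, and payment or urgency language. The following is an added example, not code from the original post or from Viewpost; the company domain, the executive roster, the keyword list and the two message samples are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # assumed display name -> real mailbox
PAYMENT_WORDS = ("urgent", "wire", "transfer", "asap", "confidential", "payment")


def assess_bec(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # 1. Display-name impersonation: the name belongs to an executive but the address does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Reply-To diversion: answers would leave the domain the message claims to come from.
    from_domain = addr.rpartition("@")[2].lower()
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} points outside the From domain {from_domain}")

    # 3. Payment/urgency language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    hits = [w for w in PAYMENT_WORDS if w in text.lower()]
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: what a BEC attempt typically looks like to the gateway.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e-mail.test>
Reply-To: jane.doe.office@freemail.test
To: payments@example.com
Subject: Urgent vendor payment today
Content-Type: text/plain

I am in meetings all day and cannot take calls. Please wire the vendor
payment ASAP and keep this confidential until I am back.
"""

# Constructed sample: a routine message from the real executive mailbox.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Board deck for Thursday
Content-Type: text/plain

Attached is the draft deck for review before the meeting.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, assess_bec(sample))
```

Any non-empty result should route the message to a hold queue and trigger the callback procedure rather than auto-reject it, because executives do send urgent mail from the real mailbox; the point of the check is to make sure the request is verified out of band before a wire leaves the door.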

  1. SWIFT Hacks

Over the summer we heard a lot about the SWIFT bank hacks. The trust that is implicit within the network is based on the controls of the weakest link. In many cases the large FIs have the right controls, but the authentication and identity controls of the smaller member institutions can put the rest of the network at risk. There has been a considerable amount of pressure placed on the member banks in the past few months to improve this security. In fact, the guidance from the FRB, FDIC, and OCC released this week is a potential way to mitigate some of these risks. The inter-bank banking system relies heavily on trust in identity. That identity can be weakened when the proper authentication parameters and protocols do not exist or are weak. Much of the recent emphasis has been on customer controls as opposed to inter-bank and regulator-based controls. This needs to be reexamined.

  1. DNC/Election

Cybersecurity is top of mind, but the controls to protect our systems are imperfect, our cybersecurity workforce is facing an estimated 1.5M person shortage by 2020, information security funding is at less than adequate levels, and the fact that the individual is the weakest link is not very well understood. The continued hacking of the DNC, Clinton, Powell, and all those in high-profile government positions underscores how weak our security around e-mail truly is. When we layer on top of this the fact that e-mail is the main form of communication between FinTechs, FIs and the end customer, it increases the risks to the payment systems we have.

Photo credit: Mattia Notari via Visual hunt / CC BY-NC-SA
