New concentrations in service providers, including financial market infrastructure firms, and the changing nature of cyber threats call for new and creative thinking about operational resiliency, said Beth Dugan, deputy comptroller for market risk.
“We used to call it `business continuity’ or `contingency planning,’ said Dugan. “And we used to think of it as restoring and resuming operations after a fire or natural disaster or technology disruption. However, the levels of connectivity and dependence, both internally and externally, have changed.”
“As a result, our approach to business resiliency needs to change as well,” Dugan told listeners at a colloquium sponsored by The Clearing House in Washington, D.C.
How risks differ today
Dugan cited two examples of how today’s risks differ from the past:
One difference resides in intent.
“Natural disasters, fires, and utility failures don’t have motivations and aren’t persistent,” Dugan said. “That’s not true for cyber attackers. They do have motives. Sometimes motives involve money. Sometimes attacks are state sponsored or political in nature. Whatever the motivation, these attackers are persistent in their intent to bring systems down or cause harm.”
The other difference lies in geography, or, today, the lack thereof. Resilience means much more today than maintain a backup site in case your primary data center gets clobbered by a tornado or hurricane.
“Cyber threats are scalable, evolving, and global in nature,” Dugan said. “Historically, having physically separate but fully redundant primary and secondary sites that mirror data in near real-time has been the approach to continuity of operations. But cyber threats potential have the capacity to compromise both sites simultaneously, which could result in a complete loss of operational capability.”
Bad guys getting good at being bad
Recently, the Comptroller’s Office has seen ever more sophisticated means of cyber attacks, said Dugan. Examples:
• Social engineering. Attackers grow more proficient in compromising credentials and systems through social engineering using targeted emails and by corrupting legitimate web sites. Cyber criminals are using these techniques to install malware that harvests bank employee, third party, and customer online credentials including usernames, passwords, and other information.
• Data held hostage. Attackers are becoming more adept at encrypting data or mobile devices, including those of banking customers. Once the data or device is encrypted, the criminals extort the users or the organization by demanding a payment to retrieve data or release access to the device.
• Finding the weakest link. Infrastructure vulnerabilities are being identified on an almost daily basis, and these vulnerabilities are being quickly exploited. Some attacks have exploited gaps in systems and business processes at foreign financial institutions and other organizations to install malware that erases, corrupts, or encrypts data on a large scale.
“Recovery and restoration plans need to be re-evaluated for technology environments that present different or new risks,” Dugan said. “In certain technology architectural approaches, such as those that use real-time, mirrored-data replication, and cloud-based services and data storage, there are no longer a physical or logical separation of production and backup systems and data,” said Dugan.
Dugan also advised that planners contemplate threats from knowledgeable insiders; cyber-attacks that simultaneously target production and backup data for corruption or destruction; disruption of communications and core infrastructure; and simultaneous attacks on the bank and critical services providers.
Improvement begins at the top
As a start to renewing and rebuilding business resiliency plans, Dugan called on bank boards of directors and senior management to take direct action and responsibility.
Said Dugan: “The board and management should have sound processes to ensure that the risks of business model change, new products or services, and new utilization of third-party relationships, individually and collectively, are assessed and clearly understood; that internal control and mitigation strategies are identified, implemented, and sustainable; and that the resulting risk level is consistent with the organization’s risk appetite.”