DFS Cyber Regulation: Part II - An Interview with Bay Dynamics’ Steven Grossman
This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company. Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom. For the first installment of our interview with Steven, click here.
Q: The weakest link in cybersecurity is often a third-party vendor. In fact, several of the headline-grabbing retail breaches involved gaining access to a company’s network through third parties. The DFS regulation requires that banks and insurance companies impose data security obligations on vendors with access to sensitive information or their network. Would you share your view with us on the importance of ensuring that vendors be properly vetted?
From my perspective, security always needs to be put in the context of risk. That is the potential intersection of threats and vulnerabilities to cause a loss to the business. When considering your exposure to malicious insiders, careless users and compromised accounts, third party vendors with access to a client’s systems and information are a greater risk on all accounts. As an outsider to your company, they are less committed, less familiar with your policies and procedures, and more likely to be accessing your assets from outside your four walls. We’ve all seen it in the news regarding breaches that came from an air conditioning vendor’s compromised access, or consultants working for the government stealing top secret information.
The typical practice of third party vendor vetting, attestations and background checks have proven ineffective since they are mostly one time paper exercises that do not always reflect reality. Third party risk is essentially an insider threat/compromised account problem. In the same way that insider threats and compromised accounts can only be identified by detecting unusual behavior, behavior of third party vendor users needs to be monitored and escalated. To ensure a comprehensive view, it is important to not only monitor the behavior and escalate issues internally, but to also partner with the vendor’s management. They understand the behavior of their employees outside the context of their activities on your network and can provide the other half of the picture. Additionally, it is in the vendor’s best interest to ensure their employees are doing the right thing and are not putting their clients at risk.
Finally, information around risky third party vendor users can be used by your vendor risk management organization to prioritize their activities, enabling them to apply higher levels of scrutiny to vendors behaving badly vs those that are not.
Q: From a lawyer’s perspective, this regulation places cybersecurity squarely in the laps of corporate boards and in an organization’s chief information security officer. In your experience, what are the challenges facing boards in exercising their oversight responsibilities to ensure that their organization practices good cyber hygiene?
There is a communication gap between boards and IT and security practitioners. They speak different languages. Boards speak risk; security practitioners too often only speak technology. In 2016, Bay Dynamics launched a series of board reports that shed light on this issue. One of the reports revealed that more than half of board members felt they were at a disadvantage as security reporting is too technical. Only one in six board members claimed substantial expertise in understanding the nuances and implications of cyber security issues and that knowledge deficiency is driving a 60 percent belief that one or more board members should be a CISO or some other type of cyber security expert. Another report revealed only two in five IT and security executives feel the information they provide to the board of directors is actionable and even fewer believe they are getting the help they need from the board to address cyber security threats.
Boards and IT and security practitioners must speak the same language so that boards can make the best-informed decisions to reduce cyber risk. Having a CISO on the board would help tremendously in this effort, but in the meantime, security practitioners must change how they approach communicating about their cyber security programs. Instead of taking a technology-centric approach, tacking on point solutions to solve each problem that arises, they must shift to a risk-based approach. That means identifying where their most valuable assets live and the threats and vulnerabilities that elevate the risk of those assets being compromised. They can then focus on mitigating those threats and vulnerabilities first so that the company’s most valued assets are protected. IT and security practitioners should also automate data collection and reporting so that board-ready data, that’s in the board’s language, is readily available at any time. By communicating in a risk and business driven manner, boards will be able to make more informed decisions that drive better measurable outcomes.
Q: What about the cyber threat landscape for the financial sector, generally. What are you seeing?
Insider threats and/or credential-based threats are prominent in the financial sector. Once hackers get inside an entity’s firewall and compromise credentials, they’re free to roam around inside that entity’s network, compromise other networks and, potentially, commit fraud using that entity’s access to shared platforms, such as SWIFT. In the case of the Bangladesh Bank cyber heist, the bank’s security was woefully lacking, especially its connection between internal networks and the overall institutional networks to which they connect globally. As a result, hackers broke into the Bangladesh Bank’s network and were then able to commit fraud, stealing $81 million from its account in New York. They went undetected within the bank because they posed as the bank’s own legitimate users. They used sophisticated tactics, even going as far as modifying the printouts of the transaction confirmations so that they lined up with the fraudulent transactions. That’s a pretty specific, detailed, hack and I think we’re going to see increased sophistication in the future. As blockchain and other technologies mature, it will mitigate many forms of fraud, but that will take time. Another example that’s a sign of things to come is the recent botnet attack on Dyn, which leveraged thousands of Internet-of-Things devices. While predictable, it was not taken seriously until it actually happened. We need to get ahead of the curve instead of playing catch up.
Q: Finally, Steven, any last words of wisdom for organizations, corporate boards or senior executives in dealing with this regulation, or more generally, in dealing with the inevitability of cyber-attacks?
As is the case in the physical world, we will never be able to prevent losses from cyber threats. It is recognized that it is not practical to build fireproof buildings, so we build with fire resistant materials, install sprinklers and fire alarms, and buy insurance in case the unexpected happens. It’s critical that financial organizations take a risk-based approach to security, which as I explained above, revolves around identifying and protecting their most valued systems and applications. As we get better at identifying and measuring threats, vulnerabilities and their potential business impact, we will get better at preventing the most important ones and mitigating those from the rest. To make all of that happen with limited resources, automation is key. Automated orchestration between security teams, line-of-business application owners, compliance auditors and boards of directors will simplify all of these steps so that managing and reducing risk is as achievable as it is in the physical world. Finally, cooperation as an industry is critical. Criminals are not usually going to one bank and stopping. We need to change the culture from one of secrecy to a more collaborative mode of operation where everyone works together and shares attack information in a transparent yet confidential way. There are great initiatives in play to make this happen, but the industry needs to shift their mindset to make it successful.
 Please note that the text of Mr. Grossman’s response has been modified from its original posting.