Cybersecurity Response to Recent Wholesale Payment Systems Breaches
In February 2016, hackers stole $81 million from the Bangladesh central bank by sending fraudulent messages through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system.
Three months later, hackers attempted to steal over $1 million from a commercial bank in Vietnam using a similar method. Since then, almost a dozen banks have reportedly launched investigations into possible hacks involving SWIFT. Coming on the heels of these investigations, last month financial regulators in the United States and abroad independently issued guidance regarding measures that can be taken by financial institutions and financial market infrastructures (FMIs) can take to protect against cybersecurity threats to the payments ecosystem.FFIEC Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks
On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement advising financial institutions to actively manage cybersecurity risks associated with interbank messaging and wholesale payment networks. The joint statement does not impose new regulatory requirements on financial institutions and is intended merely “to alert financial institutions to specific risk mitigation techniques related to cyber-attacks exploiting vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks.”
In the joint statement, the FFIEC warns that recent cyberattacks have illustrated hackers’ sophisticated abilities to initiate and complete unauthorized transactions using interbank networks and wholesale payment systems. Recent cyberattacks have involved attackers:
- Bypassing a financial institution’s security controls and compromising the institution’s wholesale payment origination environment;
- Obtaining and utilizing valid operator credentials;
- Deploying highly customized malware; and
- Transferring stolen funds across multiple jurisdictions.
- Conduct ongoing information security risk assessments to identify, prioritize, and assess risks to the financial institution’s critical systems and to address emerging threat intelligence regarding online accounts. Financial institutions should also consider requiring their third party service providers to conduct similar assessments.
- Maintain up-to-date protection and detection systems to perform security monitoring, prevention, and risk mitigation. Firewall rules should also be configured properly and reviewed periodically.
- Protect against unauthorized access to financial institution’s systems by limiting the number of access credentials distributed across the institution and regularly review access rights to confirm individuals have appropriate access. Other access control procedures include, among other things, credential expiration dates, authentication rules, and multifactor authentication protocols.
- Establish controls around critical systems and test the controls regularly. Appropriate controls include, but are not limited to, access controls, segregation of duties, audits, and fraud detection, and should be implemented according to associated risks.
- Confirm business continuity planning enables the institution to quickly recover and maintain payment processing operations.
- Provide regular mandatory information security awareness training programs.
- Engage in industry information-sharing.
CPMI and IOSCO Guidance on Cyberresilience for Financial Market Infrastructures
On June 29, 2016, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) issued guidance on cyberresilience for FMIs[1] (Cyber Guidance). The Cyber Guidance is the final version of draft guidance the organizations published for comment in November 2015. The Cyber Guidance provides supplemental information for FMIs to comply with the CPMI-IOSCO Principles for Financial Market Infrastructures issued in 2012. The Cyber Guidance does not impose additional standards on FMIs.
Five of the CPMI-IOSCO Principles for FMIs inform the Cyber Guidance: (i) governance, (ii) framework for the comprehensive management of risks, (iii) settlement finality, (iv) operational risk, and (v) FMI links. According to the Cyber Guidance, the two most pertinent principles are the FMI’s ability to (i) ensure settlements of obligations when due and the finality of those transactions and (ii) resume operations within two hours after a disruption. Grounded in these principles, the Cyber Guidance identifies five primary risk management categories for an FMI’s cyberresilience framework: (i) governance, (ii) identification, (iii) protection, (iv) detection, and (v) resumption of services within two hours. The Cyber Guidance also identifies three overarching components of a cyberresilience framework: (i) testing, (ii) situational awareness, and (iii) learning and evolving.
According to the Cyber Guidance, “the safe and efficient operation of [FMIs] is essential to maintaining and promoting financial stability and economic growth.” The CPMI and IOSCO explain that while cyberrisks should be managed as part of an FMI’s broader risk management strategy, cyberrisks present unique challenges for an FMI’s traditional operational risk management procedures. Because cyberthreats are constantly evolving, the CPMI and IOSCO explain, the organizations elected to establish principles to govern FMIs’ cyberresilience framework instead of prescribing specific technologies.
Primary Risk Management Categories
The Cyber Guidance identifies five primary risk management categories that comprise a strong cyberresilience framework.
Cybergovernance
The Cyber Guidance describes cybergovernance as the structures an FMI implements to establish, execute, and review its management of cyberrisks. Proper cybergovernance involves a cyberresilience framework and an engaged board and senior management. An FMI’s cyberresilience framework must clearly articulate how the FMI will determine its cyberresilience framework objectives and tolerance, taking into account the FMI’s enterprise as a whole and the ecosystem within which the FMI operates. According to the Cyber Guidance, the FMI’s board is ultimately responsible for establishing and overseeing the FMI’s cyberresilience framework. The board and senior management should work together to achieve a culture of awareness and commitment to cyberresilience.
Identification
According to the Cyber Guidance, “it is crucial that FMIs identify which of their critical operations and supporting information assets should, in order of priority, be protected against compromise.” The Cyber Guidance recommends that an FMI identify the appropriate business functions and related processes and then conduct a risk assessment to determine the importance of each function and process and their interrelatedness.Protection
The Cyber Guidance explains that cyberresilience requires an FMI to implement protective controls that align with industry best practices. The CPMI and IOSCO recommend that an FMI achieve this objective by developing protective controls from the “ground up.” Proper protection requires a layered approach that facilitates rapid response to risks and rapid recovery after a cyberattack. The FMI’s protection methods should factor in risks that may come from the FMI’s interconnections with other FMIs and threats that may come from within the FMI.
Detection
Finally, a strong cyberresilience framework requires appropriate detection methods to recognize potential cyberincidents. The Cyber Guidance outlines the following elements that comprise a successful detection program: (i) continuous monitoring, (ii) comprehensive scope of monitoring, (iii) layered detection, (iv) rapid incident response, and (v) security analytics.
Overarching Components
The Cyber Guidance also identifies three overarching components of a cyberresilience framework.
Response and Recovery
According to the Cyber Guidance, an FMI’s ability to settle obligations when due can determine its financial stability. As such, an FMI’s ability to respond to and recover from cyberattacks is critical. The Cyber Guidance provides that an FMI should be able to resume operations within two hours after a disruption. The ability to recover quickly requires contingency planning and preparation. Additionally, FMIs must recognize the interconnections in the operations of the FMI, including data-sharing agreements with third party service providers as well as the FMI’s ecosystem. A compromised FMI’s response and recovery should include communication with third party service providers, connected FMIs, authorities, and any other third party that could be affected by the compromise.Testing
The CPMI and IOSCO advise that testing is an “integral component” of an FMI’s cyberresilience framework and all elements of an FMI’s cyberresilience framework should be “rigorously tested.”Situational Awareness
The Cyber Guidance explains that situational awareness relates to an FMI’s comprehension of its cyberthreat environment, including the implications for its ecosystem. Situational awareness depends, in part, on appropriate information-sharing between FMIs and other members of the FMI’s ecosystem. The Cyber Guidance advises that information-sharing groups and collectives should be established.
Learning and Evolving
Finally, the Cyber Guidance explains that a strong cyberresilience framework requires that FMIs learn from cyberevents that occur within the FMI as well as those occurring at other FMIs. According to the Cyber Guidance, FMIs must also continue to evolve by implementing cyberresilience benchmarking.
[1] FMIs are defined in the Cyber Guidance as “systemically important payment systems, central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs) and trade repositories (TRs).” The Cyber Guidance notes that some authorities may apply the Cyber Guidance to types of infrastructures not formally covered by the Cyber Guidance.