WASHINGTON Cyber threats are increasing at a rapid rate and banks are going to have to work quickly and spend significant resources to keep pace, according to two top banking regulators dealing with the issue.
Ahead of a panel discussion at American Banker's Regulatory Symposium, the two officials outlined what they see as the top challenges facing the industry.
Scope of the Threat
Arguably the largest issue remains the rate at which cyber attacks continue to evolve and diversify.
"We've really seen the concept of the potential threat landscape expand over the past year, moving from a focus on fraud to include espionage, disruption of operations, and destruction of information," said Adrienne Haden, an assistant director of banking supervision and regulation at the Federal Reserve Board.
For example, she pointed to the wave of distributed denial-of-service attacks on major banks over the past year, noting that they appear to be politically motivated in some cases, rather than prompted by the desire for direct financial gain, which has been the standard focus for the industry. A group called the Izz ad-Din al-Qassam Cyber Fighters has taken responsibility for some of the attacks, which caused temporary disruptions online at several major banks.
"One impact of the DDoS attacks against U.S. financial institutions has been to increase awareness of the potential for well-organized or coordinated attacks with the intent of disruption of operations, possibly through destruction of access to business information," said Haden.
She cited four key areas that banks need to address to defend against the growing scope of attacks: insider threat, infrastructure management, service provider management and coordination with external parties, including bankers at competing institutions and law enforcement.
Confronting those issues will require a host of efforts, such as conducting background screenings for new hires and requiring substantial employee training; encouraging banks to make sure IT infrastructure, both hardware and software, is sound and patching vulnerabilities as needed; and actively engaging and overseeing vendors and service providers contracted with a bank.
The interconnection of banks and others in the industry is crucial to the financial system's functioning, but it's also an area of vulnerability when it comes to cybersecurity.
This is particularly true as many banks, especially community institutions, contract with third-party vendors and service providers to expand their offerings and improve efficiency.
"Over time, these third parties have connected their networks to banks, subcontractors, and other third parties," said Valerie Abend, the senior critical infrastructure officer at the OCC. "The interconnected nature of networks has resulted in extensive interdependencies that potentially expose banks and their third parties to each other's weaknesses."
Abend added that such interconnection also increases the possibility that multiple organizations will be affected by a single attack, "creating a risk of contagion."
The creation of new technologies like mobile banking and cloud computing can also spur a related risk, she said.
"Banks may introduce new vulnerabilities faster than our ability to identify and mitigate the vulnerabilities during the product design phase, thereby providing new exploit opportunities for cyber attackers," Abend noted.
Costs Are Rising
Banks are paying more to beef up their cybersecurity protections as the risks to their institutions grow -even while it's getting cheaper to launch an attack on the industry.
"Hackers have easy access to the necessary tools and infrastructure. [It is] cheap, in some cases even free, to get the necessary tools and knowledge," said Abend. "While the cost of attacking bank systems is going down, the resources needed to identify, monitor, and mitigate against vulnerabilities and potential attacks is rising."
Banks must also weigh the increased costs of being prepared for a cyber-attack against other expenses, as they work to implement sometimes costly Dodd-Frank Act rules and invest in other priorities.