The Hacking Team breach offers a cautionary tale for U.S. banks about vendor risk, even though only foreign financial institutions were revealed to be clients of the firm.
The Italian software company, which specializes in things like surveillance software, was hacked earlier this month. The infiltrators dumped massive amounts of data from the company online, including contracts and communications with a slew of governments, among them repressive regimes that are the subject of Security Council sanctions like Sudan.
The hack also revealed a slide presentation where the company listed several foreign banks as customers, including Deutsche Bank, Barclays and ING Direct. No U.S. banks were on the list. Had they been, they probably would have spent the last few weeks trying to peg their exposure, deciding what fixes to make to their systems, talking with regulators and perhaps distancing themselves from the hacking outfit.
"Banks really need to be very careful in looking at all the other products and services a firm offers because they could find themselves in a situation where like Hacking Team, some of the products and services are likely problematic, and some of their clients are problematic, too" said Mercedes Tunstall, a partner at Pillsbury Winthrop Shaw Pittman.
Had any U.S. banks been identified as Hacking Team clients, "It would likely be deemed as a failure in due diligence and depending on what they learned it could be a very expensive lesson," Tunstall said.
The hack comes at a time when cybersecurity and vendor risk are top of mind for banks and regulators as the news is peppered with regular reports of data breaches. Banks still need to improve their approach to managing their risk from vendors, according to a recent study from consulting firm Protiviti and Shared Assessments Program.
Leaked materials revealed that foreign banks used Hacking Team for defensive purposes essentially hiring the firm to help identify holes and other vulnerabilities in their systems. So-called ethical hacking is a common measure for banks to do and can be an important part of an effective cybersecurity program, Tunstall said.
Additionally, some surveillance software can be pertinent to banks, says Rocco Grillo, managing director and global leader of incident response and forensics investigations at Protiviti. It can serve as an important check on the power of those who have administrative access to a bank's systems. Essentially, it watches the watchers. Surveillance software can be beneficial from a compliance standpoint, too, since it checks those with administrative access.
"Users with administrative rights have access to pretty much everything, but they can't run free with the keys to the kingdom," Grillo said. "And these are software tools that provide a level of access control."
Hacking Team did not respond to an inquiry from American Banker. Neither did ING Direct nor Barclays. Deutsche Bank said only that it is "aware that information belonging to the company Hacking Team has been disclosed on the Internet," but said it doesn't publicly discuss vendors or former vendors.
Although the types of tools that companies like Hacking Team provide are useful, they come with an added layer of risk because these firms access sensitive data. If such a firm were breached, a bank that had hired it to do ethical hacking would have to worry about what type of information the outfit retained about its vulnerabilities, especially if the bank had not yet acted on the findings.
"A bank might have to completely change the way their systems works if those files had been breached," Tunstall said.
Overall, banks that engage ethical hacking tend to act quickly on the significant findings, said Chris Wilkinson, a senior manager in the risk consulting group at Crowe Horwath. The firm performs tests on about 300 clients a year. Most of them are banks.
"I'd say banks are on the leading edge of closing the gaps, compared to other industries," Wilkinson said. "Because they are highly regulated and cyber security has been such a huge focus, they've made more significant progress."
Additionally, a bank could have its cyber liability insurance voided, depending on clauses related to ethical hacking, Tunstall said. Also, a bank could find itself subject to regulatory scrutiny under the safeguard clauses in the Gramm-Leach-Bliley Act that call for financial institutions to identify reasonably foreseeable risks to consumer information.
All of this comes down to due diligence.
"Any time you work with a company that has provided software to your company that involves sensitive data, you need to know what kind of controls the company uses," Grillo said. "You need to know what types of controls they have to protect that data."
Tunstall said the "tried-and-true" methods are pretty straightforward. First, banks should look to work with companies that have a deep bench of known cybersecurity experts and former government agents. Secondly, she suggested assessing a vendor's reputation with simple searches of social media, the dark web and news outlets. Lastly, she said banks should talk to potential vendors about the issues they have and seek assurances.
If nothing else, doing so gets "representations on the record so it is documented that you directly addressed these issues."
The findings of the Hacking Team breach also suggest that it is not enough to merely vet a vendor its other clients might matter, too.
"In vendor management, you have to understand the client base and who they are because you don't want to risk the bank," said Paul Schaus, chief executive of CCG Catalyst, a banking management consulting firm. "Based on who they are, the fact that they got hit shows you that nothing is 100% safe."