Throughout 2013, financial institutions continued to face serious threats from cybercriminals targeting the personal information of banking customers and their financial assets through the use of malicious software and denial of service attacks (DDoS). In fact, according to the Verizon 2013 Data Breach Investigation Report, which is available here, thirty-seven percent of breaches this year affected financial institutions, placing them along the most vulnerable and at risk of all entities subject to privacy law and regulation.
While there are numerous examples of cybercriminal activity attributable to malware and DDoS attacks on financial institutions, one incident receiving heightened press attention this year included a series of DDoS attacks by an Islamic group known as Cyber Fighters of Izz ad-Din al-Qassam on major U.S. financial institutions. The initial targets of this attack included Wells Fargo, US Bank, Bank of America, JP Morgan Chase & Co., and PNC Bank; however, the hacktivist group later expanded the scope of its attacks to mid-tier banks, credit unions, financial brokerages, and credit card companies, proving that not just the “too big to fail” are at risk.
More Detailed Reporting of Cyber-Security Threats in Public Filings
While the precise monetary cost of this attack (and others like it) is difficult to measure, publicly-traded financial institutions are beginning to inform investors and acknowledge these threats as legal risks in filings with the SEC. For example, Citigroup’s March 1, 2013 Form 10-K specifies that:
Citi and other financial institutions experienced distributed denial of service attacks which were intended to disrupt consumer online banking services. While Citi’s monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber incidents.
(See page 69 of Citigroup Inc. Form 10-K). HSBC North America and U.S. Bank likewise acknowledged the threat of these disruptions in their respective 10-Ks, demonstrating the evolving landscape of cybercriminal activity and the need for financial institutions to adapt and proactively respond.
Sophisticated New Forms of Malware
Cybercriminals are not only using malware to disrupt banking services but also to acquire personal information of customers. Given that successful attacks are generally profitable to those perpetrating them, the frequency of these attacks is unfortunately rising. One particularly malicious piece of malware this year included Shylock (also known as Caphaw), which cybercriminals used to target 24 banks in Europe and the United States. Unlike its peers, which siphon a customer’s banking credentials and then relay them to the attackers for later use, Shylock is among the few pieces of malware that can steal money automatically from a user at the time he or she accesses his or her bank account.
These attacks and the escalation in their frequency over the past year demonstrate that financial institutions have no other choice but to be especially cautious when protecting sensitive assets. With the beginning of a new year, members of the banking industry should consider revisiting existing privacy and security policies, performing risk analyses, and pinpointing areas of infrastructure vulnerable to external (and even internal) attacks.
NIST Security Frameworks
2013 also saw the release of the NIST Cybersecurity Framework. NIST issued this framework in response to President Obama’s February 19th Executive Order 13636 entitled Improving Critical Infrastructure Cybersecurity. This order directed NIST to develop a framework aimed at reducing cyber risks to “critical infrastructure” and providing certain critical infrastructure organizations (including members of the financial services industry) with “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help . . . identify, assess, and manage cyber risk.”
The approach NIST has proposed involves a three-step process consisting of (i) the Framework Core, (ii) the Framework Profile, and (iii) the Framework Implementation Tiers, more information about which can be accessed here. The Framework is currently voluntary, and NIST has explained that these processes complement, rather than replace, an organization’s existing cybersecurity risk management processes and programs. Comments to the proposed Framework were due December 13, 2013, with NIST anticipating the final version of the Framework to be released in February of 2014. We have already worked with affected clients to provide feedback on this Framework, and we anticipate collaborating with clients in the coming year to help them implement these policies. Baker Hostetler has also separately summarized the implications of the Framework in an article
by Partner Jerry Ferguson of the New York office, which may be accessed here.
Proposed Reduction in Gramm-Leach-Bliley Privacy Notification Expenses
In one positive development for financial institutions, the Consumer Financial Protection Bureau, which assumed regulatory responsibility for Gramm-Leach-Bliley privacy notice regulations under Dodd-Frank, has been exploring reducing the burden of notice obligations. The CFPB’s Fall 2013 Regulatory Agenda indicates that the CFPB expects to issue a proposal eliminating annual privacy notices for financial institutions that have not changed their information sharing practices. The Bureau undertook this regulatory review after receiving many public comments requesting this change as a part of a broader program for reducing regulatory burdens.
With the arrival of 2014, we anticipate financial institutions continuing to face increased threats to assets both internally and externally, but we remain poised and ready to assist our clients with their privacy law needs.