Phil Masquelette, Chief Risk Officer, Ulster Savings Bank shares his insight ahead of Non-Financial & Operational Risk USA

Managing disruptive cyber attacks and defence strategies

Phil Masquelette, Chief Risk Officer, Ulster Savings Bank

Below is an insight into what can be expected from Phil’s session at Non-Financial & Operational Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can financial institutions stay on top of the continually evolving and highly disruptive cyber-attacks?

There are 3 key activities that institutions can leverage to stay on top of evolving cyber-attacks:

  1. Assurance reviews, audits, and tests should take place regularly. The covered entity may want to purchase a vendor product to provide personnel with enhanced capability to conduct effective internal and external vulnerability tests efficiently. Penetration tests are recommended to take place at least quarterly. Also, if not done already, institutions should implement multi-factor authentication (MFA) and change and expand password difficulty. There is nothing simple about any of this, and the larger the organization, the more complicated the entire defense apparatus becomes.
  2. The possibility for intense damage exists across all critical infrastructure. So, have a cyber risk incident response plan in place. The plan should describe who, what, when, and how communication will take place by express guidelines. The processes of responses to customer inquiries, law enforcement notification, and press/media interaction should be delineated, so that these requirements may be addressed immediately. A common task list for reference by team members, who are named, should be in the covered entity’s business continuity plan software, and handy three-ringed binders.
  3. Business continuity plans typically include ways to defend against those risks, protect critical applications and data, and recover from breach or failure in a controlled, measurable way. Specific types of incidents such as cyberattacks, denial of service or disruption, malicious code, unauthorized access, and inappropriate usage will set in motion what to do, how to do it, and what are the roles and responsibilities of designated incident response team members. Moreover, assess areas requiring improvement and watch for clues in the technology aisle where innovation adds value.

Can you outline the complex nature of the ecosystem to manage threat vectors? How advanced are defense strategies becoming?

A roadmap involves keeping our digital ecosystem safe, accessible, private, reliable, and secure. As to cyber risks, identification, protection from, mitigation of, insurance against, responding to, recovering from, and in compliance with regulatory requirements, comprise pieces of the process. Program needs include preparation for, analyzing, and collecting audit trails and evidence. Defenders appear to use artificial intelligence more than attackers, although that treatment may no doubt change rapidly. One linguistic advantage incorporates translation by machines where language impairment or insufficient cognitive skills present themselves for the so-called weaponization by threat actors.

Change, compliance, cost, continuity, and coverage cyber security elements compose priority protection of the confidentiality of non-public digital information and information systems. Ransomware infections derive substantially from various phishing episodes. Accordingly, employee training by cautioning employees is the key to reducing ransomware incidents. Periodic phishing quizzes are a must. Follow-up by management regarding repeated phishing test failures is a necessity to hold ‘habitual clickers’ accountable; roundtable discussions are also not just highly recommended, but warranted.

Mitigants, such as data backups, mitigating controls, anti-malware, disaster recovery planning, training to increase awareness, incident response planning, risk assessments, audits, exams, and retention of third-party vendors to provide tabletop exercises and other practice drills, are all in play. As to risk mitigation, avoidance, reduction, transference, and acceptance are different pieces of the same puzzle. Internal and external resources can be implemented to perform whatever is necessary when (not if) a cyberattack has occurred within the company. There, of course, will be pressure to return to normal operations as quickly and efficiently as possible, yet not before complete forensics with appropriate patching has occurred.

What impact is macroeconomics having on cyber security?

Russia’s invasion of Ukraine could impact organizations both within and beyond the region, including malicious cyber activity against the U.S. homeland as a response to the unprecedented economic costs imposed on Russia by the U.S., our allies, and partners. Keep in mind that it is not just about Russia. China, Iran, North Korea, and other autocratic states with revisionist intent are also potential threat actors in digital technologies. Every U.S.-based organization (large and small), and those of our allies and partners must be prepared to respond to disruptive cyber incidents.[1]

Are there any benefits to incentivizing security teams? How can institutions balance incentive models with criminals working around the clock?

While information technology continues to accelerate and demands for computer fluency in cyberlinguistics add to the learning curves for all risk professionals, the ability to read, digest, understand, communicate, and make meaningful, ever-changing regulatory implementations will be of much value to key personnel in their demanding career roles.

Urge caution in unintended consequences in promotional attempts, as persons in this space tend to view their work in the professional vein in which it resides. Emotional intelligence can play a crucial role in interactions with such highly analytical colleagues. Kudos for phishing results, and other light-hearted gestures for an ongoing, never-ending effort to preserve and protect data and IT-related systems can have unintended consequences. On the other hand, an occasional thanks either verbal or as a nominal gesture of good will can go a long way.

Costs of defense, and well-trained and experienced personnel impact financial services budgets. Replacing talented personnel strains even the most seasoned staff in human relations departments. Thus, ongoing training both in-house and offsite, extra paid time off, early afternoon excused absences, gift cards, raffles, and books (for those who enjoy a good read), depending upon the recipient(s) may have the potential to elevate departmental personnel morale, and even reduce individual burnout.

In your opinion, where is the next big cybersecurity threat on the horizon that financial institutions should be preparing for?

Be cognizant of the latest technology in machine learning or artificial intelligence and how ChatGPT or other discoveries and developments can provide an advantage to bringing in new clients/customers and retaining existing ones; ChatGPT has such enormous potential, for instance, even likened to the initial discovery of electricity. However, pay attention to the risks involved in an overdependence on computer systems that can be both likable and, simultaneously, totally and absolutely, unfortunately, unworthy of our trust.

Furthermore, vulnerabilities abound in our critical infrastructure. It is fair to anticipate destructive cyberattacks from hostile nation-states. The financial services sector makes up one exposure to such intrusions, yet there are many more and our enemies know what they are. Energy comes to mind, telecommunications another. Published lists can be found and contain numerous sectors calling for protection from cyberwarfare. And with access to cloud environments, attacks can cost upwards of millions of US dollars to remediate.

Mightily attempt not to minimize the potential for extreme harm of incidents. They may be in the form of cyber-attacks, denial of service disruptions, malicious code, unauthorized access, inappropriate usage, or ransomware. When such an incident occurs, identify, detect, contain, notify, collect, and analyze, eradicate, recover, and follow up. As technologies become more sophisticated, the threat hackers become more aggressive in their intent to inflict geopolitical and/or economic injury and pressure. Be mindful of possible disruptions in network infrastructure, identity access, authentication, and usurpation of data.

[1] Source: cisa.gov