Thursday, July 8, 2021

Large Bank Cybersecurity Challenges

QUESTION
We purchased your new Ransomware Policy and Procedures. It is very comprehensive. We already have a policy for Ransomware; however, we are going to incorporate your policy into ours. 

I am the Chief Compliance Officer and an attorney. In our case, we are a large bank with multiple business units, hundreds of branches, thousands of loan officers, a substantial online presence, and several affiliated entities. 

We have an Information Security Office, an Information Technology Operations Center, and an Information Privacy Office. Our CISO and CPO oversee cybersecurity issues involving the network architecture, operating system architecture, business applications, online sales, and internal auditing. 

As a large company, we have unique compliance needs. I would like your answers to several questions that we constantly ask one another. We would appreciate your feedback on these questions. 

Who are the stakeholders of an incident response team? 

What are the responsibilities of the incident response team? 

What are the suggested notification levels of escalation involving a cyberattack? 

ANSWER
Your mentioning of the offices under the CISO’s oversight in itself tells me that you have a challenging and highly articulated risk profile. You provided supporting information to your questions, which I have not included herewith. For the sake of the readership, some of your terminology may be new to them, so I will define certain nomenclature in the course of responding to your questions. 

Let’s begin with the definition of a security breach. For the sake of brevity, I define a security breach as an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information. Ransomware endeavors to monetize that breach, where a hacker stealthily gets into a system and puts encryption controls in place that lock users out. Once that succeeds, the hacker demands money to "unlock" the data. 

In a large company, protection from a security breach is guarded by various stakeholders. These individuals constitute a matrix of responsibilities, often through a “chain of command” configuration. Critical to countering a triggering event such as a ransomware demand is developing and maintaining an Incident Response Plan (“Plan”). 

I define a Plan as a documented, clearly outlined, organized approach for handling any potential threat to computers and data, even, where necessary, taking appropriate action when the source of the intrusion or incident at a third party is traced back to the organization. 

The Plan should identify and describe the roles and responsibilities of the Incident Response Team (“Team”). And the Team is responsible for putting the Plan into action. 

The Team is established to provide a quick, effective and orderly response to computer-related incidents, such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, ransomware attacks, breach of personal information, and other events with serious information security implications. In short, the Team’s mission is to prevent a severe loss of profits, public confidence, or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks, or databases. 

The kinds of security breaches that trigger the Plan include a breach of personal information, Denial of Service and Distributed Denial of Service, excessive port scans, ransomware attacks, firewall breaches, and virus outbreaks. 

The Plan arrangement that you describe is consistent with large companies. It is the case that many large companies have a Plan that contains the personnel of the following offices, departments, and functions (“Stakeholders”): 

- Information Security Office (“ISO”) (“Chief Information Security Officer” or “CISO”)

- Information Technology Operations Center (“ITOC”)

- Information Privacy Office (“IPO”) (“Chief Privacy Officer” or “CPO”)

- Network Architecture

- Operating System Architecture (“Operations Center”)

- Business Applications

- Online Sales

- Internal Auditing 

So, based somewhat on your description, your Plan seems consistent with similar arrangements by large companies. 

The Board or executive management must give the Team the requisite authority to take appropriate steps deemed necessary to identify, contain, mitigate, and resolve an adverse cybersecurity incident. Also, the Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting its findings to management and the appropriate authorities as necessary. The CISO coordinates the Team. 

The Information Technology Operations Center is the central point of contact for reporting computer incidents or intrusions. The Operations Center notifies the CISO. 

All computer security incidents must be reported to the CISO. The CISO performs a preliminary analysis of the incident to determine whether activating the Incident Response Team is appropriate. 

With respect to the roles and responsibilities of the Team, I offer the following list based on the foregoing matrix of Stakeholders. It is certainly not meant to be comprehensive but suggestive. 

Information Security Office

- Determines the nature and scope of the incident

- Contacts qualified information security specialists for advice as needed

- Contacts members of the Incident Response Team

- Determines which Incident Response Team members play an active role in the investigation

- Provides proper training on incident handling

- Escalates to executive management as appropriate

- Contacts auxiliary departments as appropriate

- Monitors progress of the investigation

- Ensures evidence gathering, the chain of custody, and preservation is appropriate

- Prepares a written summary of the incident and corrective action taken 

Information Technology Operations Center 

- Central point of contact for all computer incidents

- Notifies the Chief Information Security Officer to activate the computer incident response team 

Information Privacy Office 

- Coordinates activities with the Information Security Office

- Documents the types of personal information that may have been breached

- Provides guidance throughout the investigation on issues relating to the privacy of customer and employee personal information

- Assists in developing appropriate communication to impacted parties

- Assesses the need to change privacy policies, procedures, and practices as a result of the breach 

Network Architecture 

- Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks

- Runs tracing tools such as “sniffers,”[i] Transmission Control Protocol (TCP)[ii] port monitors, and event loggers

- Looks for signs of a firewall breach

- Contacts external Internet service provider for assistance in handling the incident

- Takes action necessary to block traffic from a suspected intruder 

Operating Systems Architecture 

- Ensures all service packs and patches are current on mission-critical computers

- Ensures backups are in place for all critical systems

- Examines system logs of critical systems for unusual activity 

Business Applications 

- Monitors business applications and services for signs of attack

- Reviews audit logs of mission-critical servers for signs of suspicious activity

- Contacts the Information Technology Operations Center with any information relating to a suspected breach

- Collects pertinent information regarding the incident at the request of the Chief Information Security Officer 

Online Sales 

- Monitors business applications and services for signs of attack

- Reviews audit logs of mission-critical servers for signs of suspicious activity

- Contacts the Information Technology Operations Center with any information relating to a suspected breach

- Collects pertinent information regarding the incident at the request of the Chief Information Security Officer 

Internal Auditing 

- Reviews systems to ensure compliance with information security policy and controls

- Performs appropriate audit test work to ensure mission-critical systems are current with service packs and patches

- Reports any system control gaps to management for corrective action 

I found your question intriguing about escalating notification of a cybersecurity attack. Sometimes the path to the final decision maker is circuitous and time-consuming. During that interstitial period, the company may be unable to respond to the security threat effectively. 

Using the outline I have set forth hereinabove, I think the “chain of command” escalation for notification should consist of the following layers. 

Escalation Notification 

Escalation - First Level 

- Chief Information Security Officer (CISO)

- Data Processing Operations

- IT Audit Director

- Network Architecture Manager

- Online Sales Director 

Escalation - Second Level 

- Chief Information Officer (CIO)

- Chief Privacy Officer (CPO)

- Chief Audit Executive 

Adjunct Members (as needed) 

- Business Client Systems Manager

- Management of Client Department Affected by Incident

- Risk Management

- Legal

- Loss Prevention

- Public Relations 

External Contacts (as needed) 

- Internet Service Provider (if applicable)

- Internet Service Provider of Intruder (if applicable)

- Communications Carriers (local and long distance)

- Business Partners

- Insurance Carrier

- External Response Teams (as applicable)

- Law Enforcement

  - Local Police Force (jurisdiction determined by crime)

  - Federal Bureau of Investigation (FBI) (especially if a federal interest computer or a federal crime is involved)

  - Secret Service

Given the size, complexity, and risk profile of your organization, I suggest the following departments and functions should be part of the Notification Need to Know:

Notification Need to Know

- Information Technology Operations Center (viz., the central point of contact)

- Information Security Office

- Information Privacy Office

- Appropriate Client Systems Manager

- System Administrator(s) of the area affected by an incident

- Manager of the area affected by an incident

- Customer Database Manager

- Payment Systems Manager

- Legal Counsel

- Insurance Department (i.e., Cyber Insurance)

- Public Relations

- Online Sales Manager

- Employee Systems Manager (where appropriate)

- Network Architecture Manager

- Internal Auditing

- Risk Management (where appropriate)

- Loss Prevention (where appropriate)

- Executive VP and CIO (when the nature and impact of the incident have been determined)

- Chief Audit Executive

- Business Partners (if data has been compromised, and to avoid affiliate and downstream liability)

- Human Resources

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] A “sniffer” is a software or hardware tool that allows the user to “sniff” or monitor internet traffic in real time, capturing all the data flowing to and from a computer.

[ii] Transmission Control Protocol (TCP) is a communications standard that enables application programs and computing devices to exchange messages over a network. It is designed to send packets across the internet and ensure the successful delivery of data and messages over networks.