Industry leaders must champion bold, proactive strategies to protect their operations and assets from imminent threats.
How financial institutions can turn the tables on cybercrime
Jim: It’s pretty bad, I would say. Right now, the name of the game is ransomware, and it’s simply because of the ability to achieve a greater ROI, or return on investment. The government has thousands of ongoing computer insurgent cases, of which 65% are likely perpetrated by criminal actors and the other 35% perpetrated by nation-state actors.
I am more of an advocate of, “This will get better over time.” And I think the CISO’s job won’t necessarily get easier, but their ability to really protect their organization and their clients will be enhanced probably because of the tools. Integration is getting better. AI is here. The ability for that industry to stay ahead of these things will, at the end of the day, win the fight. But it’s just going to be a battle until we change the tide. So, I don’t have great news, but I am optimistic long term.
Corey: As technology evolves, threats evolve. We started out in technology with a very centralized model (mainframe and early terminals) to the evolution of decentralized and interconnected networks. This led to a constantly changing threat evolution. First, we had to focus controls on mainframe access permissions and encryption. Then, we had to worry about networks, so everyone invested in firewalls. Then, we had to monitor for abnormal activity, so everyone invested in intrusion detection systems. Then came web applications, so we had to focus on secure coding and web application firewalls. Then came clouds, and everyone had to invest in cloud access security brokers. Now, the focus is on “zero-trust” networks, generative AI, and the future in quantum computing. Let’s just say this is not a very dull industry.
From a threat perspective, we have certainly seen a change in threat actors where it used to be as simple as a script kiddie, but then it got more complex with hacktivists and organized crime. Now, we worry about nation-state-sponsored actors with more funds backing them than we have ourselves.
Amber: From an operational standpoint, I think the number one thing is to know your client. Know trends; understand the frequencies or volumes of their requests. Typically, if there was a higher-than-normal request, they’re working with their advisor to raise that cash to make that distribution request.
We have certain forms that we require. We require copies of checks so that we can verify ABA and account numbers, and make sure the registration of those checks ties back to the documentation that we have. If there are client requests that come through an email, typically, we’re working with the account officer, and they must do a callback. While the clients may think this is annoying, this is another way that we protect our clients.
Jennifer: What it comes down to is identifying the issues. What’s the problem we’re trying to combat? Well, that's the cyberthreat. What steps can we put in place to combat that? It’s setting the groundwork with operational procedures that hopefully catch these things before they catch you. I have to remind myself every day: sometimes it makes more sense to slow down, look at the situation, and make a decision.
There are all these requirements that we have to meet, but the “why” behind them and understanding what they’re doing is just as helpful as checking the boxes. Even drilling down to your fiduciary duty to your clients, or your duty to the board, reminds you to be aware of these things and to take steps to have the right checks and balances.
Where you aren’t able to keep up internally, you partner. We work with other IT companies such as SEI to cover our needs as a small company of 17 employees, seven of which are our advisors. Cybersecurity is not our specialty. So, we recognize the areas where partnering with other organizations to cover those risks enables us to focus on what we do well.
Jim: How are your security controls ensuring that your data is protected, and that you’re not misrepresenting what you’re doing to the customers they’re doing business with? That is the principle behind these SEC and FTC regulations around cybersecurity.
In July of last year, the SEC issued regulatory guidance to companies that, in the event of a breach, this is what you should be disclosing. And that’s what we call [Form] 8-K, which is the material event. And the definition, in terms of the regulation, is the substantial likelihood that a reasonable shareholder would consider it important in making an investment decision or would’ve significantly altered the total mix of information made available.
You certainly have to talk to your lawyers, but you have to be transparent with investors. In my view, it’s always better to disclose sooner rather than later once you have the real story. Because at the end of the day, it’s your brand, it’s your company. Everybody suffers a breach. It’s how quickly you respond, how you can tell your story, and how quickly you can remediate it and move on.
Jim: Everyone should go through the financial loss scenario, the analysis of, “OK, what would a cyber event look like for my organization? And if so, what would be the cost to transfer that risk and afford insurance products?”
Following a breach, who is going to be your outside counsel is incredibly important. It’s key to know your local FBI office so that you can call if you have a problem. And your insider, third-party firms that you retain, that’s your response work.
A lot of companies have a lot of different tools in that space, but with a lot of different tools comes complexity. The mindset of less complex is better. So the more integration, the easier your life is.
I also say leadership really matters. Often, you don’t see an organization’s leadership embrace cyber until they go through pain. And pain means a data breach. You don’t want to go through pain to take cybersecurity seriously.
Corey: From our perspective, threat intelligence sharing is critically important. Therefore, we are very active in not just receiving intelligence from various sources, but spending valuable resources enriching such intelligence—using it for our own detection capabilities and also sharing enriched intelligence back out. I used to use the analogy that everyone would want to know the description of a particular individual walking down streets that have all had burglaries so that they can trigger alarms if someone of that same description is walking on their street. However, we like to take it a step further to enrich that intelligence. What tools were used for these burglaries? Were windows broken or was a lock picked? What times of day were the burglaries? Were any particular vehicles spotted? Were there any commonalities in the house such as fingerprints, footprints, targeted rooms, etc.? Do any descriptions of the suspicious person match up with other intelligence reporting such as gang activity or other organized crimes? These are all pieces of information that can enrich the intelligence to better identify the bad actor even if they were not spotted walking down the street.
We take this same approach from a cyber perspective so that we can perform enhanced threat hunting and improve our detection rule writing. We want to write detection rules to detect bad actors at an infrastructure and tools/techniques level so that we can identify them even if they change an indicator of compromise such as source IP address.
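Corey's last point, that a rule keyed to an actor's tools and techniques keeps firing after the actor changes an indicator such as the source IP address, can be shown on a handful of web-server log lines. The Python below is an added example for this post, not code from the panelists or from SEI. Everything in it is constructed for illustration: the access-log lines, the blocklisted IP standing in for a shared IoC, and the tool-fingerprint and injection-payload patterns that stand in for a technique-level rule. It runs the two rules over the same log and reports which source addresses only the technique-level rule catches.

```python
"""Added example: IoC-level vs. tool/technique-level detection over constructed logs."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). Not real traffic.
# Lines 2-3: a known bad IP using an off-the-shelf SQL injection tool.
# Lines 4-5: the same technique from a NEW IP, with the tool's user agent hidden.
# Line 6: a benign search containing the word "union", to check for false positives.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
198.51.100.7 - - [10/May/2024:12:00:02 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.8.2#stable"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 0 "-" "sqlmap/1.8.2#stable"
192.0.2.44 - - [10/May/2024:12:05:10 +0000] "GET /index.php?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [10/May/2024:12:05:11 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.10 - - [10/May/2024:12:07:30 +0000] "GET /search?q=union%20station HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed IoC: the one source address that a peer shared with us.
BLOCKED_IPS = {"198.51.100.7"}

# Constructed technique-level patterns: a scanner's user-agent fingerprint,
# and the shape of classic SQL injection probes in a decoded query string.
TOOL_UA_RE = re.compile(r"\b(sqlmap|nikto)\b", re.I)
SQLI_PAYLOAD_RE = re.compile(
    r"(\bunion\s+(all\s+)?select\b"      # UNION-based probe
    r"|'\s*(or|and)\s+\d+\s*=\s*\d+"     # quote-terminated boolean probe
    r"|\b(and|or)\s+\d+\s*=\s*\d+"       # numeric boolean probe
    r"|'\s*$)",                          # lone trailing quote (error probe)
    re.I,
)


@dataclass
class Event:
    ip: str
    ts: str
    method: str
    path: str   # URL-decoded request path and query
    status: int
    ua: str


def parse_log(text: str) -> list[Event]:
    """Parse Combined Log Format lines; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(m["ip"], m["ts"], m["method"], unquote(m["path"]),
                                int(m["status"]), m["ua"]))
    return events


def ioc_rule(events: list[Event], blocked_ips=BLOCKED_IPS) -> list[Event]:
    """IoC-level rule: fires only when the source IP is on the shared blocklist."""
    return [e for e in events if e.ip in blocked_ips]


def behaviour_rule(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Tool/technique-level rule: fires on the tool fingerprint or the payload
    shape, regardless of which address the request came from."""
    hits = []
    for e in events:
        reasons = []
        if TOOL_UA_RE.search(e.ua):
            reasons.append("tool-user-agent")
        if SQLI_PAYLOAD_RE.search(e.path):
            reasons.append("sqli-payload")
        if reasons:
            hits.append((e, reasons))
    return hits


def compare(text: str) -> dict:
    """Run both rules and report which addresses the IoC rule alone would miss."""
    events = parse_log(text)
    ioc_ips = {e.ip for e in ioc_rule(events)}
    behaviour_ips = {e.ip for e, _ in behaviour_rule(events)}
    return {
        "ioc_ips": ioc_ips,
        "behaviour_ips": behaviour_ips,
        "missed_by_ioc": behaviour_ips - ioc_ips,
    }


if __name__ == "__main__":
    for event, reasons in behaviour_rule(parse_log(SAMPLE_LOG)):
        print(f"{event.ip:14} {event.path:40} {','.join(reasons)}")
    print(compare(SAMPLE_LOG))
```

On the constructed log the IoC rule flags only 198.51.100.7, while the technique-level rule also flags 192.0.2.44, which sends the same probes from a fresh address with the tool's user agent removed; the benign "union station" search is not flagged by either. In a real SIEM the payload patterns would be tuned against production traffic, and the two rule types would run side by side, since shared IoCs are still the cheapest way to catch an actor who has not yet rotated infrastructure.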