OBSERVATIONS FROM THE FINTECH SNARK TANK
On Aug. 5, the Office of the Comptroller of the Currency (OCC) handed down a cease and desist order to Capital One for its “failure to establish effective risk assessment and management processes before migrating its information technology operations to a cloud operating environment.”
While we hear about data breaches on a nearly weekly basis, the Capital One incident is noteworthy because it involved the bank’s migration to cloud computing—something that many banks are either in the process of doing, or will be doing in the near future.
Capital One’s Cybersecurity Headaches
The $80 million fine Capital One must pay to the US Treasury is pocket change for the bank.
The compliance actions the bank will be required to take will likely prove to be the bigger headache. The OCC’s consent order requires Capital One to:
- Appoint an independent (non-employee, non-officer) compliance committee.
- Develop a plan detailing the remedial actions necessary to achieve compliance with the order.
- Improve oversight of the bank’s cloud operating environment information security program.
- Improve risk assessment for the bank’s cloud and legacy technology operating environments.
- Improve the bank’s cloud operations risk management by implementing corrective actions required as a result of the 2019 OCC examination.
- Improve independent risk management of the cloud operating environment.
- Improve internal controls testing in the cloud environment.
- Enhance the bank’s internal audit program, including reassessing the cyber and technology risk assessment methodology and scoring system that ranks and evaluates business and control risks.
A False Sense of Cybersecurity
It’s hard to believe, but bank executives’ concerns regarding cybersecurity are declining (that isn’t a typo).
According to Cornerstone Advisors’ What’s Going On in Banking studies, nearly half of bank executives put cybersecurity on their list of top three concerns for 2018. That percentage declined to 36% in 2019 and dropped even further to 21% in 2020.
What’s going on here?
Operational integration is lulling banks into a false sense of (cyber) security.
Cybersecurity policy is becoming business as usual for banks. As a result, bank execs are more confident today than they were three years ago that cybersecurity policies are well-designed and being well-executed.
It’s a false sense of security, however, because banks have yet to feel the cybersecurity impact of cloud computing.
The Growth of Cloud Computing in Banking
Three data points highlight the growth of cloud computing in banking:
- Consulting firm McKinsey estimates that 40% to 90% of banks’ workloads will be hosted on public cloud in a decade.
- According to Accenture, the percentage of banks’ IT budgets dedicated to cloud services has increased by a third, from 9% to 12%, between 2018 and 2020.
- Bloomberg reports that 22% of fintech applications run in the cloud, and that figure is expected to grow to over 80% by 2025. This impacts traditional banks as many look to partner with fintech startups.
The Impact of the Cloud on Cybersecurity
As cloud computing within banking grows, the prevalence of cyber breaches for cloud services is growing significantly as well. According to a Verizon study:
“Cloud assets were involved in about 24% of breaches this year. Cloud breaches involved an email or web application server 73% of the time, and 77% involved breached credentials.”
A new report from Cornerstone Advisors, commissioned by DefenseStorm, Cloud on the Horizon, identifies emerging cloud-related cybersecurity challenges facing banks including:
1) Over-reliance on providers. There is an over-reliance on providers to complete cybersecurity checklists from banks during due diligence. “It would be pretty easy for them to dupe us,” said one Chief Information Security Officer (CISO) interviewed for the report.
There is also over-reliance on just a few providers.
Richard Harmon, Managing Director at Cloudera, calls this cloud concentration risk and writes, “the consolidation of multiple organizations within one cloud service provider (CSP) presents a more attractive target for cybercriminals.”
2) Reporting problems. Bank CISOs have found that providers incorrectly complete the due diligence cybersecurity requests used for third-party risk management.
Transparency has become an issue, as well. CISOs reported that providers were unwilling to share any of their security policies or audits.
One CISO mentioned that when his bank asked a provider for a SOC 2, the vendor produced Amazon Web Services’ SOC 2. When the CISO questioned the vendor as to whether it had its own SOC 2, the provider was unaware it even needed to do its own.
3) Technical limitations. Many cloud vendors have cybersecurity limitations. For example, they cannot IP-restrict or require multi-factor authentication for third parties. Configuration is a challenge, as well.
It’s not just the vendors’ fault. According to Bill Glasby, Chief Technology Officer of Heritage Bank, “one issue around cloud security is operators’ inability to configure the tools. The problem is that it’s all home-brew today.”
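As an added illustration, not from the article or from any vendor or bank named in it, the Python below audits a constructed IAM-style policy for the two controls the CISOs cite, MFA and IP restriction, and shows a weak third-party policy beside a hardened one. The condition keys are AWS's own; the vendor address range is a placeholder.

```python
# Constructed example: an IAM-style policy for a third-party vendor role that
# grants access with no MFA or source-IP condition (the gap the CISOs describe).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
    }],
}

# Constructed hardened version: same grant, plus explicit Deny statements that
# block any request made without MFA or from outside the vendor's address range.
# 203.0.113.0/24 is a documentation range, used here as a placeholder.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ],
}

def _conditions(stmt):
    """Yield (operator, condition key) pairs from a statement's Condition block."""
    for op, keys in stmt.get("Condition", {}).items():
        for key in keys:
            yield op, key

def missing_controls(policy):
    """Return which controls a policy lacks: 'mfa' and/or 'source_ip'.
    Only Deny-side conditions count: a condition on an Allow restricts that
    statement alone, so another unconditioned Allow could still grant access."""
    missing = {"mfa", "source_ip"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for op, key in _conditions(stmt):
            if key == "aws:MultiFactorAuthPresent" and op in ("Bool", "BoolIfExists"):
                missing.discard("mfa")
            if key == "aws:SourceIp" and op == "NotIpAddress":
                missing.discard("source_ip")
    return missing

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "missing:", sorted(missing_controls(pol)) or "none")
```

Run over a set of exported policy documents, the same check flags every third-party role that lacks either control; note that aws:SourceIp reflects the caller's public address only for requests that do not arrive through a VPC endpoint.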
Overcoming the Cloud Challenges
Banks’ migration to the cloud will necessitate changes to how they govern IT from three perspectives:
1) Contractual. Migrating to the cloud requires switching from traditional security testing to a contract-based model for security testing. Banks can’t move to the cloud without attending to the contractual clauses they sign with their service providers. In particular, banks should negotiate the reversibility clause with their cloud providers.
One problem, however, according to a CIO interviewed by Cornerstone, is that “many cloud providers don’t even know what should be written in a reversibility clause.”
2) Organizational. Business departments and lines of business end-running IT and buying cloud solutions directly from cloud providers will become more prevalent with a migration to the cloud. IT will have to reinforce its governance policies and procedures in order to minimize the risks created by solutions that individual business departments implement on their own.
3) Strategic. Business departments want flexibility and innovation. However, migrating to cloud services typically involves a shift from highly customized to mostly-standardized services. This can cause friction between IT and the business—friction that must be resolved with strategic clarity and direction.
To handle the coming wave of cloud-related cybersecurity issues, Cornerstone and DefenseStorm recommend that banks:
- Establish a cybersecurity committee. The committee should meet at least quarterly to discuss new products, services and service providers. CISOs should identify the controls the committee should monitor and the metrics that will be leveraged to monitor those controls.
- Develop a realistic cybersecurity review policy. One CISO we interviewed said he knew that the 200+ item vendor cybersecurity questionnaire he received from a larger institution would be rejected by his team as too draconian and overbearing. Make policy checklists that are simple to follow and easy to execute.
- Monitor the entire network infrastructure, including on-premise and cloud-based systems. Even the largest banks find it daunting to monitor both their on-premise systems and their cloud-based providers. For many smaller and mid-sized institutions, partnering with a trusted cybersecurity firm can add the talent and expertise required to sufficiently monitor network assets.