Shifting Focus from Fraud to CybersecurityCompromise of PII, Corporate Data Becoming More Grave Worry
It's been a busy year for financial cybersecurity. Not surprising, given the number of changes we see in payments, cybersecurity regulation and emerging mobile technologies.
See Also: Buyer's Guide to Securing Privileged Access
But some of the most notable topics and trends we focused on during the first half of the year, such as the migration to EMV chip payments, security vulnerabilities in Apple Pay, persistent malware attacks against retailers and the remote-access vulnerabilities point-of-sale devices continue to face, as well as regulatory concerns surrounding third-party service providers, will soon be overshadowed in the second half of the year by more grave concerns surrounding risks aimed at the compromise of personally identifiable information, trade secrets, intellectual property and disruptive cyberattacks aimed at our critical infrastructure.
It's not just about protecting cardholder data or limiting the risk of fraud; it's about protecting critical information that could be used to wage more calculated attacks.
Fraud used to be our biggest worry. Not anymore.
Here is a rundown of the top stories that have impacted the global financial-services sector so far in 2015, and a preview of what we can expect next.
The shift to EMV
As the U.S. fraud liability shift date for magnetic-card transactions looms - it takes effect in October - card issuers and merchants are working frantically to push forward with their EMV migration plans. In October, merchants that have not yet deployed EMV-compliant POS terminals, and are unable to accept consumers' EMV chip cards, will be liable for fraud that results from the use of default magnetic-stripe, which must be retained on all payment cards until the world is fully EMV compliant (see EMV Push in U.S. Moving Forward).
It's clear that the EMV liability shift date is not moving, even if the card brands know it's impossible for all U.S. merchants and issuers to be EMV compliant by October (see EMV: Should Liability Shift Be Delayed?).
Flaws with Apple Pay
Apple Pay, which launched in the U.S. in October, was expected to be the mobile, EMV-compliant payments carrot we were all waiting for. But we soon learned that rushing to the market with a new solution that did not fully consider all of the security risks left the door open for fraud (see How Apple Pay Is Exploited for Fraud and Apple Pay: Fraudsters Exploit Authentication).
Mobile security is a concern for banking regulators (see Mobile Fraud: A Focus for Fed Reserve). And that concern will continue into the foreseeable future.
But mobile worries won't trump cybersecurity concerns related to PII and corporate data. Still, banking institutions learned some valuable lessons from their hasty adoption of Apple Pay (see Did Obama's Cyber Summit Miss the Mark?).
In the future, mobile payments will be scrutinized much more closely before they are deployed (see Mobile Payments: Apple Pay vs. Rivals).
Retail Malware and Remote Access
I'd be remiss if I didn't acknowledge that malware attacks against U.S. merchants, which have increasingly been linked to the compromise of poor remote-access authentication, continue to worry the industry (see PCI: Retailer Security Failures).
But we've all become almost immune to these types of breaches. Sure, merchants and POS vendors need to shore up their remote-access security, as well as their compliance with the PCI Data Security Standard; but most experts agree that once EMV is in place, these types of attacks will no longer be so attractive for cybercriminals.
In the wake of the late 2013 Target breach, which was ultimately traced to a vendor vulnerability, we've seen a slew of new regulatory and industry guidance about why third-party risks are a worry (see OCC: More Third-Party Risk Guidance, OCC Expands on Third-Party Cyber-Risks and ABA on Cyber, Third-Party Risks).
Concerns surrounding third-party risks aren't going away; rather, they have become part of the overall cybersecurity and risk perspective banking regulators and the private sector now share.
We saw this perspective emerge when the Federal Financial Institutions Examination Council in February issued new guidance surrounding so-called cyber-resilience - which relates to an organization's ability to withstand a cyber-attack by minimizing the disruption or impact that the attack has on its ability to conduct business.
The need for cross-industry information sharing ties into that cyber-resilience initiative, as the types of attacks we've seen waged against the retail sector have become increasingly similar to the attacks we've historically seen waged against banking institutions.
But the industry's recognition that information sharing goes beyond fraud prevention is a trend we've seen emerging, and one that will have a significant impact on the remainder of 2015.
Here are just a few pieces that highlight why information sharing is a key focus for government and the banking industry:
- Why Info Sharing Is 2015's Hot Topic
- Lessons from Intelligence Info Sharing
- Info-Sharing Bills: What Happens Next?
- Information Sharing: A Matter of Trust.
Beyond Fraud Prevention
We're evolving in how we view and address security. Focusing on fraud is critical. But it's somewhat shortsighted, and the industry sees that.
The FFIEC's deployment of its new Cybersecurity Assessment Tool, reveals why banking institutions, banking regulators and the financial-services industry overall have to broaden their cyber perspectives.
Tim Segerson, deputy director of the office of examination and insurance at the National Credit Union Administration, says it best in this interview I conducted with him last week, when release of the tool was announced (see FFIEC Issues Cyber Assessment Tool).
"While fraud is ever-present on our minds, there are additional considerations that we have to take into account that are broader," Segerson says. "We also have to look at disruption and destruction, of systems, the critical backbone systems that are shared among financial-services providers, as well as broad-scale disruptions that could create either instability or a loss of consumer and public confidence in the financial services sector."
As we move forward into the second half of 2015, those types of discussions will become more prominent. It's not just about protecting cardholder data or limiting the risk of fraud; it's about protecting critical information that could be used to wage more calculated attacks, as well as compromise PII and corporate secrets that could be used for months and years down the road for fraud and other nefarious purposes.