New EU cybersecurity directive to bolster bank cyber defenses
Thursday, July 21, 2016
Posted by: Brian Monroe
The European Union this week published finalized rules on a cybersecurity directive that would create the first ever national system requiring member states to better identify, respond to and report cyberattack incidents, give authorities the power to audit programs and levy penalties and give investigators more avenues to collect and share information on broader attack patterns.
The European Parliament and Council of the European Union Tuesday published the final Security of Network and Information Systems (NIS) Directive, an expansive, ambitious initiative that would create minimum, auditable standards and expectations to thwart criminal hackers and hacktivist groups, but could raise compliance costs and expose critical infrastructure institutions, such as banks, power companies, trading firms and others, to the specter of financial penalties.
The new directive gives firms and the government greater sharing powers to identify cyber attack patterns, puts new requirements on companies to report breaches and creates cyber security incident response teams to more swiftly and effectively respond to attacks in multiple member states.
The directive, proposed in 2013 and finalized this month, is clearly informed by brazen, high-profile attacks by hacking groups in recent years that have hit some of the world’s largest retailers, banking groups and even government agencies, including Target, Home Depot, JPMorgan Chase and, in the United States, the Office of Personnel Management.
The directive in some ways mirrors, but also departs from, current efforts in the United States. The US government has created standards for cyber defense, recovery and resilience, and created forums to bolster the sharing of information among private sector companies and between the government and the private sector, but many of those are guidelines and best practices rather than firm regulations.
The initiatives in the directive, focusing on cyber attack preparation, identification, response and resilience, could go far in making companies and regions more secure, said Nicole Bocra, managing member of Arlington, Va.-based Infinity Investigative Solutions, a boutique investigative firm specializing in white-collar, financial, and corporate investigations and due diligence.
“It’s vital countries tackle cybersecurity in a broad, holistic way,” said Bocra, a former investigator for the National Association of Securities Dealers, now the Financial Industry Regulatory Authority.
Operations at all levels, whether public or private, small or large, are “all dealing with the same problems” when it comes to cyber attacks, whether through virtual vulnerabilities, unpatched systems or the biggest cyber attack vector, human error, she said. “The more information we can share on these incidents, the better we will be.”
The directive has several major objectives: improved cybersecurity capabilities at the national level, increased EU-level cooperation, and risk management and incident reporting obligations for operators of essential services and digital service providers. Member states must transpose the directive into national law by May 2018.
In short, the directive:
- lays down obligations for all Member States to adopt a national strategy on the security of network and information systems;
- creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them;
- creates a computer security incident response teams network (CSIRTs network) in order to contribute to the development of trust and confidence between Member States and to promote swift and effective operational cooperation;
- establishes security and notification requirements for operators of essential services and for digital service providers;
- lays down obligations for Member States to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems.
With organized crime groups and hackers making inroads into systems once believed stout and sturdy, the EU had to create a plan that touched every country, said Dee Millard, an anti-fraud consultant for EasySolutions, which offers electronic fraud identification and training products across all platforms.
“Hackers are not just a national problem, they are a global problem, a cross border problem, and European states communicating and sharing information could provide some valuable insight to deter hackers,” she said.
Moreover, hackers will exploit any gaps in geography or communication to further their ends, hoping that different countries can’t put all the pieces together, or that individual firms never instituted even basic standards.
Hacking groups “utilize tools and technologies that are cross-border,” Millard said. “What’s important regardless of location is for organizations to be able to have an effective methodology to protect and detect against cybersecurity threats. Globally, we all need to be working together to find common points of attacks to make it harder and more expensive for them but technology and updating of systems by organizations also needs to play as much an important role.”
So what sectors does the directive cover, what is a significant reportable incident and what must be reported?
The Directive is somewhat nebulous on the threshold at which an incident becomes significant enough to require notification to the relevant national authority. It does, however, detail three parameters that must be taken into consideration when making that determination and that must consequently be reported:
- Number of users affected
- Duration of incident
- Geographic spread
The directive covers operators in the following sectors:
- Energy: electricity, oil and gas
- Transport: air, rail, water and road
- Banking: credit institutions
- Financial market infrastructures: trading venues, central counterparties
- Health: healthcare settings
- Water: drinking water supply and distribution
- Digital infrastructure: internet exchange points, domain name system service providers, top level domain name registries
CSIRTs to bring the hurt
As part of the directive, member states will designate one or more Computer Security Incident Response Teams (CSIRTs), groups that will play a vital role in the early identification of attacks and intervention against them, a boon both to government agencies investigating hacking groups and, potentially, to private sector entities that could be targets or are currently under attack.
The CSIRTs will be responsible for several crucial prongs of the directive, including:
- monitoring incidents at a national level
- providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents
- responding to incidents
- providing dynamic risk and incident analysis and situational awareness
- participating in the network of the national CSIRTs (CSIRTs network)
Going down to the country and organization-wide levels, public and private firms must also boost a bevy of areas around cybersecurity, but also must do something many may have never done before on the cyber side: engage in a thorough, and honest, cyber risk assessment, and upgrade systems, resources and staff expertise accordingly.
But in order to get a sense of how strong the current frameworks are, the EU needed to capture more data on what operations are currently doing, and how cyber incidents have occurred, a challenge across so many jurisdictions with individual laws and restrictions.
In terms of cybersecurity, the EU has had jurisdictional hurdles, which play a “big role in the information gathering to deter and shut down attacks,” Millard said.
There are many cybersecurity guidelines, regulations and laws and it is important to note that addressing cybersecurity threats and risks “is not a one size fits all approach, each organization/business sector is different.”
That is why it’s so “important that all sectors work together for the common good to prevent, deter and stop the criminals from succeeding; this is where I can see the Directive putting more accountability to member states and response teams,” Millard said.
How companies must react
The security measures that operations must adopt, whether a brick-and-mortar operation or a purely digital business, include:
- technical and organizational measures that are appropriate and proportionate to the risk;
- measures that ensure a level of security of network and information systems appropriate to the risks;
- measures that prevent and minimize the impact of incidents on the IT systems used to provide the services;
- security of systems and facilities;
- incident handling;
- business continuity management;
- monitoring, auditing and testing;
- compliance with international standards.
One of the major differences between what the EU is doing, compared to, say, the United States, which has also suffered major data breaches, from healthcare to the financial sector, is making sure many of the initiatives are written in stone.
“Here in the U.S. we promote and encourage the private sector and the US government to quickly and responsibly exchange cyber threat information,” Millard said.
The U.S. also has the National Institute of Standards and Technology (NIST), which has established a Cybersecurity Framework that is “constantly evolving,” she said, adding that the agency held workshops in April to get feedback from those that have started to use and implement the framework.
NIST itself was born from the Cybersecurity Act of 2015, which created this framework for the voluntary sharing of cyber threat information between private entities and the federal government, as well as among agencies of the federal government, Millard said.
“What appears to be different from the U.S. vs. Europe is we appear to be more voluntary vs. their new Directive to be more of a requirement,” she said. “However, they both promote awareness, best practices, training, and most importantly use lessons learned (use cases) to be more effective in the overall strategy to mitigate and combat [cybercrime].”
The directive is also likely to prod more companies to raise the cyber standards, engaging in more “penetration testing” to determine weak points before they are under attack, Bocra said.
More operations, including banks, will also likely upgrade systems and create more secure backups of critical data. The directive is likely to nudge companies to bolster training for staff at all levels to better sensitize individuals to persistent and emerging trends, such as phishing, spear phishing, business email compromise and ransomware attacks, she said.
Data breaches, for profit or for bragging rights, “are not just a problem for large corporations, everyone is at risk,” Bocra said, adding that the aggressiveness and creativity of hackers has turned this issue from being a minor nuisance, to a top-of-mind issue, on par with the compliance focus commanded by AML and corruption compliance programs.
The EU, though, will likely have to be flexible, prescriptive and supportive as countries transpose the tenets of the directive into national law because “though there are minimum requirements, everyone perceives risk differently, even among companies that are the same size,” she said.
Asking “what is my perception of risk and how can it be measured” in order to create a cybersecurity program tuned to those particular vulnerabilities could be a relatively new exercise for some countries, and a doubly difficult one for examiners to assess, because the answer to what constitutes an “adequate” program will be so subjective.