S&P rolls out Big Stick for Cyber Security

Last week we saw David Jones and Kmart in Australia both hacked, and in the USA Scottrade, with 4.6 million customer records stolen. If organisations were waiting for an incentive to care about cyber security, then this is all about to change.

S&P, one of the leading credit rating agencies, has decided that enough is enough. Because banks are key to the economy of any country, it has signalled that a bank's rating could be cut if the bank cannot show it is able to defend itself against a cyber attack, let alone if it actually suffers a breach.

Standard & Poor’s, along with Fitch and Moody’s, make up the Big 3 rating agencies, and they have significant power when they exercise their discretion to lower a bank's credit rating, say from AAA to AA.

Any such change has a large impact on a bank’s cost of capital, the lifeblood of a financial institution.

Will this encourage being held to Ransom?

It is interesting to consider whether this measure, which is designed to hit the bottom line of banks, also creates an incentive for hackers to engage in large-scale extortion. It would go along these lines: “we have found this vulnerability, and if you don’t pay us $X we will embarrass you, and that will cost your enterprise $Y.”

Ransomware normally means paying to regain access to your own files after malware has encrypted them. What is described here is different: a dual payment, first for that ‘service’ and second for not ‘telling’ anybody that you have been affected.

That is a frightening prospect to consider, and it will strengthen the resolve of banks to increase their investment in cyber security. This is especially so when rogue sovereign states may be involved in such incidents; then a cold-war reality becomes genuinely possible.

It’s a tough scenario

Even S&P recognises that “no cyber defense is ever foolproof”, which makes this measure tough medicine to swallow. It doesn’t end there: S&P effectively becomes an ‘auditor’, checking that you are compliant.

All the rating agencies have cyber security on their radar, but S&P is the first to explicitly publish its checklist. For each individual company it will be looking for evidence of an effective response plan.

How would your Bank Answer these Questions?

  1. How do you measure the exposure and report on cyber-risk?
  2. Do you have a robust, well-documented program to monitor cyber-risks?
  3. How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
  4. What areas does the bank feel are still vulnerable to attack?
  5. Does the bank have any third-party vendor oversight? If so, what kind and how much?
  6. What is the bank's readiness with respect to the NIST framework?
  7. How does the bank ward off phishing and diminish the likelihood of having data compromised from an internal breach?
  8. What's the internal phishing success rate?
  9. How long has it typically taken to detect a cyberattack?
  10. What containment procedures are in place if the bank is breached?
  11. Are emergency scenarios test-run?
  12. What software or other techniques are used to monitor attacks?
  13. What kind of expertise about cyberattacks exists on the board of directors?
  14. How much does the bank spend on cybersecurity, and what resources does it devote? What is the total tech budget this year versus last?
  15. What are the bank's capabilities versus peers, and how are they assessed? Is there information shared with peers?
  16. Does the bank have any insurance to compensate for a cyberattack?

The Tough Questions

Let’s remember that your credit rating can be downgraded if your cyber security plans and countermeasures do not meet the agency's standard. You may not even have had a major incident. For me there are a number of questions that would make me lose sleep if I had to answer them. Here goes:

Question 4 - What areas does the bank feel are still vulnerable to attack?


Hmmm, this question gets to the heart of the matter: where is the weak spot for your bank, and please share it with me. It is such a sensitive question. You have to be transparent, but it is still not an answer you really want shared externally with anyone.

Question 5 - Does the bank have any third-party vendor oversight? If so, what kind and how much?

Always tricky when you have to disclose what degree of compliance your key partners and vendors have. No degree of attestation really provides you with sufficient certainty, so this will be hard to ever answer with 100% confidence.

Question 9 - How long has it typically taken to detect a cyberattack?


Unfortunately, there are known unknowns here: a cyber security issue can go undetected for long periods of time, and we can never have absolute certainty about when an attack started.

Question 13 - What kind of expertise about cyberattacks exists on the board of directors?

Whoa, there is barely any such expertise in the management ranks, let alone on the Board. This will certainly accelerate the promotion of risk management executives and/or Big 4 accounting partners to become ‘instant’ cyber security experts.

Question 15 – What are the bank's capabilities versus peers, and how are they assessed? Is there information shared with peers?


Well, all banks use their informal networks to compare notes with others, and there are also some formal forums in place to encourage information sharing. The difficult part of the question is how your capabilities compare to your peers. We would expect that capability and maturity would be sensitive and not widely shared; at best, you should be able to answer that your enterprise is “on par” with its competitors.

Boards will pay more attention

This will not affect just banks, as boards of all enterprises and governments will pay more attention. Given the high profile of breaches such as Ashley Madison and the Australian examples, we would expect a dramatic increase in the attention that boards and executives pay to cyber security risk management. A recent global study has highlighted that more governance by boards will be underway given recent breaches. [1]

There is both a ‘carrot and stick’: the carrot is that you keep your job. The stick is going to come from high up in the organisation, and perhaps also from an external regulator.

I suggest you review the sixteen (16) questions and figure out what your answer is for your organisation.

[1] Governance of Cybersecurity: 2015 Report, Georgia Tech Information Security Center (GTISC).

Stories by David Gee