How to respond to a vulnerability and potential access of customer information at your bank.
Last summer, we received the news from Krebs on Security about a vulnerability that has since been fixed and patched. The article reports that the vulnerability potentially allowed unauthorized access to accounts that were receiving electronic notifications. It is important to remember that articles like this are designed to get website hits and to sell advertisements!
After several discussions with the team at Finosec and our customers, I wanted to share a process for you to follow at your bank. First and foremost, this is why you have an incident response plan; make sure to walk through your plan as you go through this process.
Before we get started on the steps of response, I would recommend that your ISO or Virtual ISO notify your executive team, IT Steering Committee, and the board. It is going to give the bank comfort that you and your team are aware of and responding to the event. Remember that the article referenced was designed to get website hits, and your team may be getting questions.
Step 1: Verify your Bank’s Exposure - Determine whether your bank’s customer information was vulnerable. If you haven’t been notified yet, reach out to your account manager to determine whether your bank was impacted. We don’t have details of how widespread this was, so verifying whether your bank was exposed is the first step.
Step 2: Quantify the Exposure - If your bank’s customer data was vulnerable, we need to quantify the exposure. Here are some details to verify:
Data Classification – Is this data Confidential Customer Information with Private Information (Account Numbers), or is it Confidential or even Sensitive based on your data classification policy? Based on our preliminary research, it appears that the account numbers were masked (only the last 4 digits would have been visible had an account been accessed). This is an important item to note, as it changes the exposure for the institution.
How many customers are impacted? How long was the vulnerability active? How many notifications were sent out to your customer base in total during the timeframe?
Step 3: Anomaly review of your impacted accounts
The notification links could potentially be used to make changes. Did any customers change email addresses? Change phone numbers? Change or turn off notifications? It is possible that these changes were made by someone other than your customer. The anomaly review flags every change that occurred on an impacted account so it can be verified with each customer.
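The following is an added example, not Finosec's code or the vendor's, showing how Steps 2 and 3 can be run together over two exports a bank typically has: the notification send log and the customer-profile change audit log. The vulnerability window, the log layouts, the field names, and every record are constructed for illustration; substitute the vendor's actual exposure window and your core system's audit export.

```python
"""Quantify exposure (Step 2) and run the anomaly review (Step 3).

Added example using constructed data; not code from Finosec or the vendor.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical vulnerability window: first vulnerable day through the patch date.
WINDOW_START = datetime(2018, 6, 1)
WINDOW_END = datetime(2018, 8, 15)

# Fields a notification link could plausibly have altered (the three asked about in Step 3).
SENSITIVE_FIELDS = {"email", "phone", "notifications_enabled"}

# Constructed notification log: one row per electronic notification (customer_id, sent_at).
NOTIFICATIONS = [
    ("C001", datetime(2018, 5, 20)),   # before the window: not exposed
    ("C001", datetime(2018, 6, 3)),
    ("C002", datetime(2018, 6, 10)),
    ("C002", datetime(2018, 7, 1)),
    ("C003", datetime(2018, 7, 15)),
    ("C004", datetime(2018, 9, 1)),    # after the patch: not exposed
]

# Constructed profile-change audit log: (customer_id, changed_at, field, old_value, new_value).
PROFILE_CHANGES = [
    ("C001", datetime(2018, 6, 4), "email", "a@example.net", "x@example.net"),
    ("C001", datetime(2018, 5, 25), "phone", "555-0100", "555-0101"),        # before any in-window notice
    ("C002", datetime(2018, 7, 2), "notifications_enabled", "true", "false"),
    ("C002", datetime(2018, 7, 5), "address", "1 Main St", "2 Main St"),     # not a sensitive field
    ("C003", datetime(2018, 7, 10), "email", "c@example.net", "d@example.net"),  # before C003's first notice
    ("C005", datetime(2018, 7, 20), "email", "e@example.net", "f@example.net"),  # never notified
]


def quantify_exposure(notifications, start=WINDOW_START, end=WINDOW_END):
    """Step 2: return (sorted impacted customer ids, notifications sent in the window)."""
    in_window = [(cid, ts) for cid, ts in notifications if start <= ts <= end]
    impacted = sorted({cid for cid, _ in in_window})
    return impacted, len(in_window)


def first_notice_per_customer(notifications, start=WINDOW_START, end=WINDOW_END):
    """Earliest in-window notification per customer: a link cannot be misused before it exists."""
    first = {}
    for cid, ts in notifications:
        if start <= ts <= end and (cid not in first or ts < first[cid]):
            first[cid] = ts
    return first


def flag_anomalies(changes, notifications, start=WINDOW_START, end=WINDOW_END):
    """Step 3: sensitive-field changes on impacted accounts made between the customer's
    first in-window notification and the patch date. Returns {customer_id: [changes]}
    for verification with each customer; an empty result is not proof of no misuse."""
    first = first_notice_per_customer(notifications, start, end)
    flagged = defaultdict(list)
    for cid, ts, field, old, new in changes:
        if cid not in first or field not in SENSITIVE_FIELDS:
            continue
        if first[cid] <= ts <= end:
            flagged[cid].append((ts, field, old, new))
    return dict(flagged)


if __name__ == "__main__":
    impacted, sent = quantify_exposure(NOTIFICATIONS)
    print(f"Impacted customers: {len(impacted)}, notifications in window: {sent}")
    for cid, rows in flag_anomalies(PROFILE_CHANGES, NOTIFICATIONS).items():
        for ts, field, old, new in rows:
            print(f"VERIFY {cid}: {field} changed {old!r} -> {new!r} on {ts:%Y-%m-%d}")
```

Two points to keep in mind when using output like this: the exposure count and the flagged list feed directly into the data classification and notification decisions in Steps 2 and 5, so keep the exports and the script with the incident file (Step 7); and because the email address or phone number on file may be the very thing that was changed, verify each flagged change through a channel the customer held before the window, not the new contact details.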
Step 4: What is the communication plan internally?
How the bank responds to customer concerns is critical for me as a customer of the bank. Ultimately, your customers want to know whether this impacted them personally or their business. How do you want your customer service and front-line team to respond to this event when asked by a customer? Does the bank want to be proactive in communicating with customers? As a side note, paying for communication experts may be covered by your current cyber insurance policy.
Step 5: Notification
Based on the items above and your incident response plan, does the bank need to notify customers, regulators, and insurance providers?
Step 6: Review the company response
Is the bank comfortable with the response? Was this solution part of your due diligence review the last time you performed your vendor management process? (SOC 2 Reporting)
Step 7: Document the process
There is a silver lining: as you go through the incident response process, make sure to document the entire process. This documentation should flow through your Cybersecurity / Information Security Committee, your IT Steering Committee, and lastly the Board.
Step 8: Lessons learned
Lessons learned are perhaps the most beneficial part of the process. Knowing what we know now, what would we change, enhance, or even remove in our incident response process? What other services we deliver to our customers might carry similar risks?
If you have questions as you go through the process, we are available to assist your bank. Our team at Finosec is here to help community banks navigate the challenges and complexities of managing information security and cybersecurity.
Finosec is dedicated to helping our customers better manage and navigate cybersecurity, by assisting with Information Security Officer (ISO) support and Virtual ISO solutions. To learn more about Finosec, you can follow our company or reach out to us at firstname.lastname@example.org.