Monday, November 2, 2015

Credit Downgrade for Lack of Cyber Security?

Hey everyone.  I am a big proponent of consequences for those that shirk their responsibility to protect data that they collect.  It looks like S&P wants to hold banks accountable for loose information security practices.  Let's talk about it.

I stumbled across this article about S&P's plan to downgrade the credit rating for a bank either "before a cyberattack if a bank looked ill-prepared, or following a breach that causes significant damage to a bank's reputation or which leads to substantial monetary losses or legal damages."  This is an interesting idea, because so far it seems that companies involved in data breaches pay a few million dollars for credit monitoring for those affected and move on.  Before we get too far, let's take a look at what this might mean for a bank.

S&P (Standard and Poor's) is a company that does research into public and private financial companies and entities and issues ratings based on their creditworthiness.  You may have heard of them in 2011 when they downgraded the U.S. Government's credit rating.  The ratings issued by S&P and companies like it can affect a financial institution's ability to extend credit to people and businesses as well as its ability to secure funding in some cases.  So, on its face, this sounds like it could hold banks' feet to the fire when it comes to cybersecurity.  Here are some of the questions that S&P may ask of banks when doing their research:
  • How long has it typically taken to detect a cyberattack?
  • What containment procedures are in place if the bank is breached?
  • How many times was the business the target of a high-level attack during the past year, and how far did it reach in the system?
  • What's the internal phishing success rate?
  • What kind of expertise about cyberattacks exists on the board of directors?
  • How much does the bank spend on cybersecurity, what resources does it devote, and what is the total tech budget this year versus last?
The problem I have with some of these questions is that they rely on the bank being self-aware of its own strengths and weaknesses regarding information security.  Taking a look at the third and fourth questions in particular, I would imagine those are tough questions for some banks to answer because you do not know what you do not know.  When it comes to particularly sophisticated and patient attackers, you might not ever detect their movements in your network.

At the end of the day, S&P relies on publicly available data in its research.  That means that if a bank does not self-report and the incident does not come out in the news, S&P will likely never know about a breach or other information security incident.  So this raises an interesting question.  With the increased awareness of cyber security and the potential harm to their reputation, will banks or other companies be willing to self-report breaches, or will they sweep them under the rug?  I can see both sides of the argument: the company obviously does not want to leave itself open to liability, but if a breach does come out later, the company will be in bigger trouble than if it had been upfront about it.  Also, companies that people trust (like banks) have an incentive to tout their information security prowess: if they can reassure people that their data will be safe, people will feel more comfortable about doing business with that company.  However, if the company is the victim of a breach, people may be less likely to do business with it.  Though perhaps this is not true.  JPMorgan had a large breach in 2014 with roughly 70 million people's information at risk.  It may have hurt their earnings after it happened, but that is not clear.  It seems like their earnings were roughly $100 million below expectations, but that does not sound like a lot when JPMorgan's revenues are typically in the tens of billions of dollars.

I believe that as information security becomes a hotter and hotter topic, there will be pressure from shareholders and regulators for companies to maintain higher information security standards.  Or, at least, I hope that will be the case.  Realistically, until people start going to jail or face real consequences for neglecting their duty to provide the best security they can for the data under their care, nothing will happen.  Breaches will become just another news story.  I hope that never happens, but if the attitude is ever going to change, there must be a fundamental shift in how companies view information security.  Instead of thinking of it as a check box, companies must ingrain information security awareness in their culture, and their investments in information security must reflect an understanding of their vulnerabilities, risks, and necessary mitigations.  I realize that this is easier said than done, but it does not need to happen overnight.  It needs to be done carefully and thoughtfully, because that is what the information these companies hold deserves.

What are your thoughts?  Please let me know.  Have a good one!
