Canada: Cyber Security: OSFI Issues Self-Assessment Questionnaire

For financial and sometimes political reasons financial institutions are appealing targets for cyber attackers. Earlier this year TD Canada Trust was hit by a cyber attack¹ whereby one or more hackers used a brute force "denial of service" attack to disable the bank's website and mobile application. This attack was reminiscent of the September 2012 attack in the U.S.² in which the websites of Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank were all subject to similar attacks that slowed down website operations and caused many bank sites to be inoperative for a significant portion of their customers. Mindful of this very real threat and the need to manage risk, on October 28, 2013, the Office of the Superintendent of Financial Institutions ("OSFI") released a memorandum to federally regulated financial institutions ("FRFIs") discussing the measures that FRFIs should be taking to prevent, manage and remediate cyber attacks. The memorandum states that cyber security is growing in importance because: (i) FRFIs increasingly rely on technology; (ii) the financial sector is interconnected; and (iii) FRFIs play a critical role in our economy.

While OSFI does not plan to issue any official guidance for controlling or managing cyber security risks at present, OSFI is aware that this is an issue with which many FRFIs are grappling and is offering a self-assessment template in the memorandum that FRFIs can follow in order to control and manage their cyber security risks.

The template is divided into the following six major areas covering 89 recommendations:

• Organization and Resources
• Cyber Risk and Control Assessment
• Situational Awareness
• Threat and Vulnerability Risk Management
• Cyber Security Incident Management
• Cyber Security Governance

The OSFI memorandum lists prudent best practices for how to prevent, manage and remediate cyber attacks. However, its application will pose challenges for FRFIs. For example, the memorandum suggests that the threats of cyber attacks should be managed on an enterprise-wide basis. While a laudable goal, as a practical matter, implementation of all of the recommendations for all systems in a large FRFI may pose a costly challenge, especially for an enterprise that relies on legacy systems.

Cost issues of enterprise-wide compliance aside, the memorandum encourages FRFIs to look at the current state of their cyber security policies and practices to ensure that they remain appropriate and effective in light of changing circumstances and risks. Taken at face value this could mean that FRFIs must ensure that its cyber security programs are always on the leading edge of technology, which is expensive, not always effective and is sometimes merely reactive to attacks. To use an example from the payment card industry, in 2008 Hannaford Grocery in the U.S. suffered a data breach in which 4.2 million credit and debit card numbers were stolen over three months, even though Hannaford was apparently in compliance with the industry-standard Payment Card Industry Data Security Standard³. Notwithstanding this compliance, the hackers were able to gain access to the valuable credit card data. Therefore, following best practices is not always a guarantee that attacks can be prevented.

While threats from cyber criminals might be headline grabbers, the reality is that most data breaches are not actually due to external hacks. In a recent study⁴ on the cost of data breaches by the Ponemon Institute, 64% of data breach incidents surveyed were caused either by human error or system glitches. Although the OSFI memorandum refers to automatic deployment of security patches and updates and cyber security training for employees, it does seem to be focused on external threats rather than problems that emanate from within the organization due to ignorance or sloppy procedures. Therefore, one wonders how effective the recommended measures will be in safeguarding customer data.

OSFI's memorandum will also have a ripple effect on other operational areas of FRFIs beyond strictly information technology. For example:

• Enhanced background and security checks are recommended for "cyber security specialists", which will have ramifications from a human resources perspective in respect of those employees who are resistant to permit enhanced screening; 

• FRFIs are encouraged to implement tools to prevent unauthorized data from leaving the enterprise. This will have implications for employee surveillance and privacy rights in the workplace; 

• FRFIs will need to re-examine material outsourcing arrangements within the scope of OSFI Guideline B-10 to ensure that the outsourced services provider(s) are taking the appropriate steps to mitigate cyber risk. Material outsourced service providers may be primarily providing technology solutions or technology may be incidental to the service offered. In either case, the new OSFI memorandum may require that the parties renegotiate the terms of the outsourcing deal;  

• FRFIs will also have to look beyond their material outsourcing agreements to manage cyber risk. Even contracts with critical IT service providers are to be assessed to determine what measures are necessary to mitigate the risks arising from the products and services purchased from those service providers. In "Software as a Service" contracts (which OSFI has pointed out in previous correspondence could constitute material outsourcings)⁵, FRFIs will need to revisit those contracts to determine whether or not the promised measures against cyber attacks are sufficient; and 

• Cyber security awareness and information are to be provided to customers and clients, presumably as part of a larger communication strategy to stakeholders, which is also recommended. These requirements will need to be addressed by the public relations and marketing specialists at FRFIs.

These are just a few of the issues that FRFIs will need to consider when implementing the 89 points in OSFI's memorandum. While the memorandum does not constitute official "guidance", we may well expect guidance at some point in the future as FRFIs deal with these recommendations and respond to them when undergoing OSFI audits. We will continue to monitor this situation and advise as new developments arise.

^Footnote

1"TD hit by DDoS attack", IT World Canada (21 March 2013) online: IT World Canada http://www.itworldcanada.com/article/td-hit-by-ddos-attack/47563>.

2 Nicole Perlroth, "Attacks on 6 banks frustrate customers", The New York Times (30 September 2012) online: The New York Times http://www.nytimes.com/2012/10/01/business/cyberattacks-on-6-american-banks-frustrate-customers.html?_r=0>.

3 Linda Tucci, "PCI Compliance a Good Start, but Not Enough" in PCI DSS Compliance Overview and Best Practices, online: SearchCIO.com
< www.maxxuminc.com/pdf/E-guide_PCI-DSS_9-29-08.pdf‎>.

4 Ponemon Institute LLC, 2013 Cost of Data Breach Study: Global Analysis (Traverse City, MI: Ponemon Institute LLC, May 2013) online: Symantec https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf>.

5 Memorandum from Mark Zelmer, Assistant Superintendent, Regulation Sector, Office of the Superintendent of Financial Institutions Canada, to Federally Regulated Financial Institutions re: "New Technology-based Outsourcing Arrangements" (29 February 2012) , online: Office of the Superintendent of Financial Institutions Canada < http://www.osfi-bsif.gc.ca/app/DocRepository/1/eng/notices/osfi/cldcmp_e.pdf>.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.