An interview with William B. Nelson, FS-ISAC President and CEO
NEACH recently sat down with Bill Nelson, President and CEO of the FS-ISAC, a non-profit association dedicated to protecting financial services firms from physical and cyber attacks, to talk about cybersecurity.
The FS-ISAC fulfills its mission through the dissemination of trusted and timely information regarding physical and cybersecurity risks to its membership. In 2013, FS-ISAC received the prestigious RSA Award for Excellence in Information Security. Also in that year, Mr. Nelson was named the fifth most influential person in the field of Financial Information Security by the publication Bank Info Security.
Before joining the FS-ISAC, Bill was the Executive Vice President of NACHA—The Electronic Payments Association from 1988 to 2006. Prior to joining NACHA, Bill held several treasury management and lending positions within the banking industry.
Here’s what Bill had to say about cybersecurity and what banks and credit unions can do to protect themselves and their customers and members.
NEACH: Would you define FS-ISAC and the role it plays in the industry?
FS-ISAC stands for the Financial Services—Information Sharing and Analysis Center. It was formed in 1999 as a nonprofit company. Our purpose is to share cyber and physical threat information, vulnerabilities, and incident information to protect the financial services sector from attacks. In many respects, we act as a hub, much like a clearinghouse might, to link our 7,000 member companies in over 45 countries on a 24/7 basis. We provide them with the latest information about cyber and physical risks to their enterprises, their companies, and their customers. It’s also about member-to-member sharing; I think that’s where 95 percent of the benefit is for our members.
NEACH: Cybersecurity is a concern for most financial institutions. What’s shifted in the payments landscape that has brought this issue front and center as never before?
Attacks against financial institutions, their customers, the government, regulators, and central banks have been on the increase with regards to the sheer volume and sophistication of the attacks. I joined the FS-ISAC in 2006, and at the time, some cyber attacks were occurring. But if I start to look at it chronologically, I think cybersecurity really started to become a hot issue in 2009 when we first saw what we now call account takeover attacks. These really took off and resulted in hundreds of millions of dollars in successful fraud attempts and losses for financial institutions and their customers.
Then, we saw a rise in distributed denial of service attacks (DDoS). These were used to hide successful account takeover attacks; nobody could get into their online banking accounts to see that the attacks had been successful. In 2012 and 2013, we saw massive DDoS attacks initiated by Iran. They attacked over 50 financial institutions, mostly in the U.S.
That was a huge wake-up call, and it really caused a massive disruption of online banking systems and, therefore, payment systems.
Since then, it hasn’t let up. We’ve seen business email compromise attacks using emails that look like they’re coming from your CEO or someone else within the organization saying, “Hey, send this money right away.” Or maybe a bank gets an email from what looks like a supplier, and they send money. We’ve seen ransomware attacks where you send money, usually through some sort of cryptocurrency like bitcoin. The bad guys are supposed to release the keys to you to allow you to de-encrypt your files but they don’t always do that.
Then there’s the pièce de résistance—malware attacks. We saw that against Sony Pictures. A number of South Korean banks were attacked. I know in Sony Pictures’ case, thousands of their computers and servers were wiped clean, so they couldn't even produce financials for six months. They had no idea who they owed money to or who owed money to them.
That was another big wake-up call. We cannot have that happening in the banking industry.
NEACH: What specific red flags should financial institutions watch for in the war against cybercrime?
I think the one thing for anybody, whether you work at a credit union or a bank, is to remember that phishing is still the number one way that cybercriminals get their malware on the systems that they’re targeting. In fact, it’s estimated that between 85 and 90 percent of successful attacks occur through phishing.
But there are a lot of good defenses. You start with educating and training your employees and your customers not to click on links and to report suspicious emails to your IT security department. Once you report it, then the IT department can block that email from hitting others in the organization. There are also a lot of good vendors out there that will sell you their systems to do that.
Cybercriminals are also infecting websites and online ads. So, when you're just surfing the Web, and you click on a website or an online ad that has malware, the malware is downloaded onto your machine. Obviously, don’t go on high-risk sites.
Make sure you have anti-virus software. Another tool is intrusion-detection software. If something does get into your system, it can detect it. There’s also intrusion prevention. There are even systems out there that can detect when your customers’ computers or mobile devices are compromised.
We recommend, and regulators have recommended for years, a layered defense—multi-factor authentication, hardware/software tokens, one-time PINs via SMS text… Of course, in the ACH world, calling back the customer, or text alerts, email alerts, and knowledge-based authentication are important, too.
Some companies do anomaly detection. So, if it’s not typical for your customer to have 20 wires going out a day at $9,900 each, a bell or whistle goes off. ACH debit blocks and positive pay systems are good, too.
There are a lot of useful tools out there.
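An added example (not from the interview or FS-ISAC) of the anomaly check described above: it compares one customer's outbound wire count for a day against a baseline of prior days and also notes when the day's amounts are nearly identical. Customer names, dates and amounts are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample: (customer, date, amount in USD). "acme" normally sends one
# or two wires a day; on 2018-06-15 it suddenly sends twenty at $9,900 each.
# "globex" sends one wire a day with slowly rising amounts and stays normal.
WIRES = []
for d in range(1, 15):
    WIRES.append(("acme", date(2018, 6, d), 12500.0))
    if d % 3 == 0:
        WIRES.append(("acme", date(2018, 6, d), 4200.0))
WIRES += [("acme", date(2018, 6, 15), 9900.0)] * 20
WIRES += [("globex", date(2018, 6, d), 8800.0 + 100 * d) for d in range(1, 16)]


def daily_counts(wires, customer, start, end):
    """Wires per calendar day for one customer; days with no wires count as 0."""
    counts = defaultdict(int)
    for cust, day, _ in wires:
        if cust == customer and start <= day <= end:
            counts[day] += 1
    days = (end - start).days + 1
    return [counts[start + timedelta(n)] for n in range(days)]


def flag_wire_burst(wires, customer, today, window=14, min_count=5, z=3.0):
    """Return (flagged, reason). Flags when today's wire count is at least
    min_count and exceeds mean + z*stdev of the prior `window` days, and notes
    if the day's amounts are all within 2% of each other (a uniform burst)."""
    baseline = daily_counts(wires, customer,
                            today - timedelta(window), today - timedelta(1))
    todays = [amt for cust, day, amt in wires if cust == customer and day == today]
    n, mu, sigma = len(todays), mean(baseline), pstdev(baseline)
    # Floor sigma so a perfectly flat baseline still leaves a margin above the mean.
    threshold = mu + z * max(sigma, 0.5)
    summary = f"{customer}: {n} wires today vs baseline {mu:.1f}+/-{sigma:.1f}"
    if n < min_count or n <= threshold:
        return False, summary
    uniform = max(todays) - min(todays) <= 0.02 * max(todays)
    reason = f"{summary} (threshold {threshold:.1f})"
    if uniform:
        reason += "; amounts nearly identical"
    return True, reason


if __name__ == "__main__":
    for cust in ("acme", "globex"):
        print(flag_wire_burst(WIRES, cust, date(2018, 6, 15)))
```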
NEACH: What should community banks and/or credit union CEOs be considering as part of their cybersecurity strategies?
It’s important to have a cyber risk program in place, regular cyber risk assessments, and a plan to remediate shortcomings. Banks are in the risk business and so are credit unions, but make sure you have a risk plan, a risk assessment, and a layered defense strategy established.
Another important thing—third-party vendor risk. Your third-party supply chain should be implemented with controls in place so your critical supply chain vendors’ core system operators can’t cause you to have a problem. Look at Target a few years back. An HVAC vendor in Pittsburgh was compromised, and they had access to the Target systems. That’s how the bad guys were able to move around the network and get into the payments system.
So, you have to know your third-party vendors, and make sure you have a good risk assessment of them, too.
NEACH: What makes information sharing such a critical component of educating and strengthening the financial services industry against threats? Would you provide an example of how information sharing helps?
It is important, but it’s not the cure-all. It’s one component of an effective, layered defense. I think information sharing is especially important for financial institutions to participate in. Through FS-ISAC, financial institutions can get real-time updates and have operational information at their fingertips about the latest threats and incidents that other financial institutions are seeing and what some of the vulnerabilities are. There are a lot of vulnerabilities out there. Make sure to patch critical vulnerabilities.
I was at a member’s bank just two years ago, and I was meeting with the head of the information security department. He got called out of the meeting because the bank was under attack. I went back to his office to wait and checked my email. That bank had already reported the threat indicators associated with this, which immediately helped others, because the other members of FS-ISAC could block the IP address and avoided becoming victims of the attack.
That, to me, showed the system is working. There’s real strength in information sharing for all participants.
NEACH: What efforts exist or are currently underway to increase cyber-readiness, combat cyber-attacks and strengthen the industry from cyber threats?
There are a number of key initiatives that banks and credit unions should be aware of. First, there are the Cyber-attack Against Payment Systems (CAPS) exercises, which are very important. We have been conducting CAPS exercises since 2010, and they provide an excellent way for financial institutions to practice how they should prepare and respond to cyberattacks. Sheltered Harbor—that’s an important program that all banks and credit unions should consider, too. It provides a standard to enable financial institutions to recover account information in case of a major, catastrophic, or disruptive cyber attack that might wipe out your primary and backup systems. If you have online backup that's great, but if it's online and there's an attack against your core systems, your backup could be infected, too. So you need to have an out-of-band recovery capability.
We’ve also done a number of takedown actions against criminal botnet infrastructures. Citadel is a good example of where working with a partner makes a difference. Microsoft was one of the declarants in the case along with us. We pooled our resources to provide evidence against the evildoers. It turned out that there were about 2,500 command and control centers that had been taken over by this botnet.
So the takedown action, which was a civil litigation action, was that we went to court with Microsoft and sued the botnet infrastructure that was operating illegally. We wanted to take them down and redirect all their command and control to Microsoft in Washington. We did that, and about 90 percent of the botnet was disrupted.
About a year and a half later after months and months of work, Microsoft had identified about five million computers that were infected from this botnet. They went in and cleaned up every one of those computers. Microsoft did a super job by installing new antivirus software that had been turned off by the malware, cleaned the computer, and then got rid of the malware. That was a big win.
I’d like to see more of this happen in the future.
NEACH: Could you unpack the Cyber-Attack Against Payment Systems (CAPS) exercises? What makes this a valuable training exercise?
It is a two-day, virtual tabletop exercise that simulates a cyber attack against your payments operations. It is not a real attack, just a scenario where you listen to recorded messages from various “actors” who are actually staff from member institutions and law enforcement to obtain updates on the attack. Then you answer questions about how your institution would respond. It’s completely anonymous, but you can check your data after the exercise and compare yourself against other financial institutions similarly sized to your institution—unattributed, of course.
We’ve been conducting these exercises since 2010, and every year a couple of thousand financial institutions participate. It’s been a huge help to financial institutions of all sizes, improving their incident response to major cyberattacks, and, in some places, identifying weaknesses in their cybersecurity or the risk controls they have in place.
NEACH: Shifting gears a bit, would you share a little background about the Global Resilience Federation, the role it plays, and how it complements the work of FS-ISAC?
We began helping other industries with their information sharing in 2014—commercial facilities, retailers, and then law firms. Our Board and I discussed it and said, let’s help, but let’s make sure they’re self-funded.
Last year, we started looking at spinning off a separate company to support these other industries. At the beginning of 2018, we moved FS-ISAC’s Sector Services Division and spun it off into a company called the Global Resilience Federation (GRF). Now, they’ve expanded. FS-ISAC is a member of GRF, as well as ISACs for healthcare, law firms, state and local governments, oil and gas companies, electricity companies, and there are two retailer groups involved.
So FS-ISAC leverages GRF for physical and geopolitical information. But the primary benefit we get from our membership is cross-sector sharing. So, if an attack is occurring in let’s say oil and gas or health care or law firms and their analysts see it, they share it with us, and then we can share it with our members. That has helped keep these attacks from being successful.
Cross-sector, government and member-to-member information sharing have collectively made the FS-ISAC so valuable to its members.
NEACH: What specific tips can FIs give to their members/customers to protect themselves from cyber attacks?
Phishing tips are always good. We push out some really good information every month called cybersecurity tips, which we get from the multi-state ISAC. We send it to all of our members, and they can put their name on it and send it to their customers. I think education about the ways cybercriminals are tricking you is important; it is critical that everyone be educated and have that information.
NEACH: Is there anything else our readers should know?
I think the big message we've had for a while now is there's really strength in information sharing. It’s like having a neighborhood watch—a really active one—where everyone’s looking out for each other. We’re all united in this one mission, helping each other. It’s not a competitive issue. It’s not the bank versus credit union. Information sharing is all about financial institutions helping each other, and one day, others will help you.
NEACH: Where can readers learn more about cybersecurity?
If you haven’t joined FS-ISAC, you probably need to join. Regional Payments Associations like NEACH offer some pretty good cybersecurity and risk sessions at their conferences explicitly geared toward payments, which is important if you’re a payments professional.