Nine seconds.
That’s all the time it took to hack the Department of Defense’s weapons system. Whether a government entity, a captive financier, a midsized bank, or a small credit union — every company has become dependent on a vast and expanding digital infrastructure.
That infrastructure, in turn, has made businesses vulnerable to cybercriminals and foreign adversaries, United States Attorney General William Barr said July 23. “The danger cannot be overstated, and enhancing cybersecurity is a national imperative,” he said.
For auto lenders, storing and processing unprecedented amounts of data and personal information is the norm, but as businesses and consumers become more digitally savvy, cybersecurity measures are more vital than ever. Advancements in technology have led to increased vulnerability among financial institutions, said Jim McCabe, senior vice president of identity theft at Vero, a CU Direct company that specializes in data breach solutions. “We are all at risk,” he said. “If you don’t think the criminals already have our information, you’ve already lost. With all of the data breaches, they have our information 10 times over.”
Hackers have a lot to gain. One consumer’s personal information can sell on the dark web, an online marketplace for illegal goods, for as much as $5,000.
“What are you doing about this concern? Are you hoping for the best and hoping it stays low on the radar?” asked Hyundai Capital America’s Vice President of Information Protection and Chief Information Security Officer Eddie Younker. “It’s a business problem, not an IT problem.”
Some lenders are taking action. Earlier this year, JPMorgan Chase Chief Executive Jamie Dimon told shareholders the bank spends nearly $600 million a year — and deploys more than 3,000 employees — on cybersecurity. “The threat of cybersecurity may very well be the biggest threat to the U.S. financial system,” Dimon said.
On a smaller stage, Pentagon Federal Credit Union’s Chief Information Security Officer Anthony LaManna urged companies to allocate 10% of their IT budget to cybersecurity, noting that spending will differ by lender. “Rather than buying tools or products, invest in solutions based on the attributes of your enterprise,” LaManna said.
Security National Automotive Acceptance Co. (SNAAC), for one, tests its cybersecurity posture by focusing on the “human element,” said Bill DeLong, SVP and chief information officer. “It’s the human element that’s going to be the more likely way to be exposed, hacked or compromised,” he said. Cybersecurity attacks can disable computing resources, cripple the government and breach financial institutions within minutes, HCA’s Younker said, posing the question: “Is your company prepared for this environment?”
A triple threat
Understanding the threat landscape is one of the first steps for lenders battling cyber risk, Younker advised. “Work with your chief information security officer to figure out how you measure up next to [other cyber risk] concerns,” Younker said. “What is your risk exposure?”
The CISO needs to maintain transparency with the board, CEO and senior executives to ensure they can provide appropriate direction and oversight. “We aren’t taking [cybersecurity] seriously to appropriately protect consumer data,” Younker warned. “You’ve got to know where [your data] goes and how it flows to protect it.”
To that end, financial institutions should establish a reporting structure, Younker said. “Get your cybersecurity leader out of IT,” Younker said. “An IT executive focuses primarily on delivering services and company projects. Your security executives don’t care about that, they care about risk management.”
“If you take a risk management group and put them under an operational group, there is going to be a natural conflict of interest,” Younker added.
Cybersecurity concerns should be raised with the CEO or board — not with the IT department — for effective change. “Your CISO, CEO and chief risk officer need to be collaborative,” Younker said. “All three are stakeholders in cybersecurity and play equal roles.”
To assess cybersecurity readiness, a financial institution’s senior management should test each department, said SNAAC’s DeLong. As such, SNAAC has an information security committee made up of a cross-section of employees. “It’s not just the IT group or security group,” he said. “We review system access from key systems to people.”
For example, the committee will look into whether former employees still have access to systems, or if employees have the appropriate type of access. “People switch jobs and departments, maybe they don’t need access to a certain area or need less access in their new role,” DeLong said. “We catch a lot of that. We call it good hygiene.”
Guarding against a pervasive threat
Cybersecurity is a moving target, not a fixed goal, DeLong said. “The world is ever-evolving, so security and how you approach it needs to evolve on a regular basis,” he said. Too often, financial institutions define information security as simply systems, databases and networks. “If you are relying on just operating systems and technology for [cybersecurity], you are really missing the boat,” DeLong said.
To that end, for the past 18 months, SNAAC has run programs to ensure that personnel are aware of cybersecurity threats. The lender tests employees on phishing, the cybercrime that tricks people into clicking a malicious link or handing over credentials through a seemingly legitimate email. SNAAC sends employees emails that mimic genuine messages, such as a Facebook notification, a CNN news alert or a note from the employee’s supervisor.
The Cincinnati, Ohio-based lender will even go so far as to drop USB drives in the parking lot and see who picks them up and plugs them in, DeLong said. “We get notified on anything that looks suspicious,” he said. “Sometimes it’s a part of our tests, sometimes it’s not. But it keeps our employees alert.”
Since SNAAC started testing employees to ramp up cybersecurity, the lender has seen improvement month over month. “The system allows me to see which employees opened the email, clicked the links, replied to the email,” DeLong said. “I’ve got great tracking capability to measure failure rates.”
SNAAC runs incentive campaigns and tracks success rates by department. Employees who fail the tests are automatically enrolled in more cybersecurity training. “If a cyberattack is going to happen, it’s going to happen through the human element,” DeLong said.
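The tracking DeLong describes, failure rates by department, month-over-month trend and automatic enrollment of anyone who took the bait, reduces to a small amount of scoring logic. The following is an added example written for this article, not SNAAC’s platform or any vendor’s product; the event log, user names, departments and campaign dates are constructed for illustration, and the choice to count only “clicked” and “replied” as failures (while tracking “reported” separately as the desired behaviour) is an assumption.

```python
"""Phishing-simulation scoring: per-department failure rates, month-over-month
trend, and the list of users to auto-enroll in extra training.

Added example; not SNAAC's tooling. The event log below is constructed and the
users, departments and dates are hypothetical.
"""
from collections import defaultdict

# Constructed event log: date,campaign,user,department,action
# action is one of: sent, opened, clicked, replied, reported
EVENTS = """\
2019-06-03,jun,alice,lending,sent
2019-06-03,jun,alice,lending,opened
2019-06-03,jun,alice,lending,clicked
2019-06-03,jun,bob,lending,sent
2019-06-03,jun,bob,lending,reported
2019-06-03,jun,carol,ops,sent
2019-06-03,jun,carol,ops,opened
2019-06-03,jun,carol,ops,replied
2019-06-03,jun,dave,ops,sent
2019-07-08,jul,alice,lending,sent
2019-07-08,jul,alice,lending,opened
2019-07-08,jul,alice,lending,reported
2019-07-08,jul,bob,lending,sent
2019-07-08,jul,carol,ops,sent
2019-07-08,jul,carol,ops,clicked
2019-07-08,jul,dave,ops,sent
2019-07-08,jul,dave,ops,reported
"""

# Assumption: opening the email is not a failure; acting on the lure is.
FAIL_ACTIONS = {"clicked", "replied"}


def parse_events(text):
    """Turn the CSV-style log into (date, campaign, user, dept, action) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(tuple(field.strip() for field in line.split(",")))
    return rows


def score_campaign(rows, campaign):
    """Per-department counts for one campaign, deduplicated per user.

    Returns {dept: {"sent": n, "failed": n, "reported": n, "fail_rate": f}}.
    """
    per_user = defaultdict(lambda: {"dept": None, "actions": set()})
    for _date, camp, user, dept, action in rows:
        if camp == campaign:
            per_user[user]["dept"] = dept
            per_user[user]["actions"].add(action)

    stats = defaultdict(lambda: {"sent": 0, "failed": 0, "reported": 0})
    for info in per_user.values():
        d = stats[info["dept"]]
        if "sent" in info["actions"]:
            d["sent"] += 1
        if info["actions"] & FAIL_ACTIONS:
            d["failed"] += 1          # one failure per user, however many clicks
        if "reported" in info["actions"]:
            d["reported"] += 1        # the behaviour the programme wants to see
    for d in stats.values():
        d["fail_rate"] = d["failed"] / d["sent"] if d["sent"] else 0.0
    return dict(stats)


def failure_list(rows, campaign):
    """Users who clicked or replied: the auto-enrollment list for more training."""
    return sorted({u for _, c, u, _, a in rows if c == campaign and a in FAIL_ACTIONS})


def month_over_month(rows, prev, curr):
    """Change in overall fail rate from prev to curr (negative means improvement)."""
    def overall(stats):
        sent = sum(d["sent"] for d in stats.values())
        failed = sum(d["failed"] for d in stats.values())
        return failed / sent if sent else 0.0
    return overall(score_campaign(rows, curr)) - overall(score_campaign(rows, prev))


if __name__ == "__main__":
    rows = parse_events(EVENTS)
    for camp in ("jun", "jul"):
        print(camp, score_campaign(rows, camp), "enroll:", failure_list(rows, camp))
    print("month-over-month change in fail rate:", month_over_month(rows, "jun", "jul"))
```

The deduplication per user matters: a single employee who clicks a link three times is one failed user, not three, otherwise a department’s rate can exceed 100% and the trend line becomes meaningless.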
For threat detection, SNAAC uses third-party partners. “Even for a company our size, we still see [suspicious] activity from Russia and China coming at us,” DeLong said.
“It’s like, no pun intended, Russian roulette in terms of when they’re going to access and come after you,” Vero’s McCabe said. “When they target you, there’s very little you’ll be able to do to stop them. They will find a way to get you.”
Most credit unions, though, have fewer resources than large and mid-sized banks, said McCabe, who works with hundreds of credit unions with assets ranging from $50 million to $200 million. Most of Vero’s credit union clients lack a designated cybersecurity executive or CISO, let alone the wherewithal to establish robust cybersecurity safeguards. This makes small- to mid-size credit unions a common target among criminals.
However, sometimes size can work to a lender’s advantage, PenFed’s LaManna noted. “Credit unions have a smaller footprint, and thus the attack surface is significantly reduced, since there is less to protect,” he pointed out.
Larger lenders may have trouble pinpointing the source of a data breach, which is often to blame for the lag between perpetration and detection, said Santander Consumer USA CISO Harold Gonzalez at a conference earlier this year. “It’s not like we have a dashboard and one big red light goes off and we all chase after it,” Gonzalez said. “The best analogy is a red light in a sea of red. It’s constant noise.”
SCUSA, for one, uses machine learning and artificial intelligence to identify abnormal user behavior. Rather than relying on traditional antivirus software, “the model is shifting toward, ‘I know what looks bad, I know processes that do strange things, and that’s probably an indicator of undetected malware,’” Gonzalez said.
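The shift Gonzalez describes, from matching known-bad files to noticing processes that behave strangely, can be illustrated without any machine-learning library: baseline which parent-to-child process launches are normal for a fleet, then score new launches by how rare they are. The block below is an added example written for this article, not SCUSA’s system. The process-creation events are constructed, the process names are hypothetical, and the 5% rarity threshold is an assumption.

```python
"""Behavioural detection by process-lineage rarity.

Added example illustrating the "processes that do strange things" approach;
not SCUSA's system. Baselines which (parent, child) process pairs are normal
from a constructed event log, then scores new events by how rare the pair is.
"""
from collections import Counter

# Constructed baseline of endpoint process-creation events, one "parent>child" per line.
BASELINE_EVENTS = """\
explorer.exe>outlook.exe
explorer.exe>outlook.exe
explorer.exe>outlook.exe
explorer.exe>chrome.exe
explorer.exe>chrome.exe
outlook.exe>winword.exe
outlook.exe>winword.exe
outlook.exe>excel.exe
winword.exe>splwow64.exe
services.exe>svchost.exe
services.exe>svchost.exe
services.exe>svchost.exe
"""

# Constructed events to score. A document viewer spawning a shell is the classic
# macro-dropper shape; none of these pairs is in the baseline.
NEW_EVENTS = """\
explorer.exe>outlook.exe
outlook.exe>winword.exe
winword.exe>powershell.exe
winword.exe>cmd.exe
services.exe>svchost.exe
excel.exe>mshta.exe
"""


def parse_pairs(text):
    """Parse "parent>child" lines into lowercase (parent, child) tuples."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            parent, child = line.split(">", 1)
            pairs.append((parent.lower(), child.lower()))
    return pairs


def build_baseline(pairs):
    """Count each (parent, child) pair and each parent across the baseline."""
    pair_counts = Counter(pairs)
    parent_counts = Counter(parent for parent, _ in pairs)
    return pair_counts, parent_counts


def score_event(pair, pair_counts, parent_counts):
    """Conditional frequency of this child given this parent in the baseline.

    0.0 means the parent has never been seen spawning this child. A parent that
    never appeared at all is also scored 0.0 (assumption: treat unknown as rare;
    a production system would require minimum support before alerting).
    """
    parent, _ = pair
    seen_parent = parent_counts.get(parent, 0)
    if seen_parent == 0:
        return 0.0
    return pair_counts.get(pair, 0) / seen_parent


def find_anomalies(new_text, baseline_text, threshold=0.05):
    """Return (parent, child, score) for every new event rarer than threshold."""
    pair_counts, parent_counts = build_baseline(parse_pairs(baseline_text))
    alerts = []
    for pair in parse_pairs(new_text):
        score = score_event(pair, pair_counts, parent_counts)
        if score < threshold:
            alerts.append((pair[0], pair[1], score))
    return alerts


if __name__ == "__main__":
    for parent, child, score in find_anomalies(NEW_EVENTS, BASELINE_EVENTS):
        print(f"ALERT {parent} -> {child} (baseline frequency {score:.2f})")
```

The signal here is the lineage, not the file: `powershell.exe` and `cmd.exe` are legitimate, signed binaries that no antivirus signature will flag, but an Office application launching them is rare enough in this baseline to surface on its own.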
‘It’s not a matter of if, but when’
McCabe has witnessed the cybersecurity landscape evolve in the past decade. While the No. 1 deterrent for data breaches is awareness and education, the best way to mitigate the impact of data breaches is to establish a safety net, he said, echoing a retired cybersecurity colleague with the Federal Bureau of Investigation: “It’s not a matter of if, but when it’s going to happen to you.”
Once an organization understands the concern, it must develop a crisis management plan, HCA’s Younker said. Lenders need to determine their strategy, then come to their CISO with a roadmap. “And I, [as the] ‘board’ and ‘CEO’ want to oversee what you’re doing — get on your CEO’s calendar monthly or quarterly, not once a year,” he said.
Global organizations, like the Center for Internet Security, reflect the combined knowledge of actual attacks and effective defenses of experts across various organizations, Younker said. “They have exclusive and deep knowledge about the current threats — that’s your intel community,” he said, noting that banks should leverage the resources of the Department of Defense, the Department of Energy and the Department of Homeland Security.
Moody’s Corp., for one, is establishing a standard to quantify the cyber risk lenders face. The venture aims to provide financial institutions with an objective assessment of cyber risk exposure and how it benchmarks against others and over time.
“The financial sector has significant cyber risk exposure,” according to a Moody’s Investors Service report published in February. “Banks are at high risk because they hold the data and funds of private clients, and they provide access to their services through multiple online and digital channels,” the report noted.
For auto lenders, in particular, the main challenges involve connectivity, both between companies — like captives and OEMs — and between products, as demand for mobility increases, said Alain Laurin, associate managing director at Moody’s Financial Institutions Group.
Cyber risk gets factored into Moody’s credit analysis across sectors, including the auto finance sector, to quantify the cyber risks that organizations face that will impact creditworthiness, said Leroy Terrelonge, Moody’s assistant vice president and lead cyber risk analyst. For vulnerability, Moody’s assesses business size, profile and sensitivity of collected data. When looking at impact, brand and reputational impact, legal regulations, crisis management and financial impact are important factors to consider, he added.
Vero’s McCabe urged lenders to watch out for emails, noting that phishing attempts or emails seeking to gain access to senior-level permissions are the leading causes of data breaches. If there’s an email with poor spelling or grammar, it’s likely a phishing email, McCabe said.
Meanwhile, PenFed’s LaManna advised smaller lenders and credit unions to zero in on two critical questions: “First, is risk being reduced? And second, are you investing in the right areas? With limited resources, funding and staff, you must always know the answers to these two questions,” he said. Those questions can be addressed by focusing on role-based access, white-listing, and multi-factor authentication, LaManna said. Role-based access, for example, grants permissions according to an employee’s role rather than letting permissions accumulate and overlap as people change jobs; white-listing permits only admin-approved programs, IP addresses and email senders to reach internal systems, and blocks everything else by default.
Regularly monitoring system access is another low-hanging fruit that is highly effective. “Shadow IT and monitor who has access to your systems,” LaManna said. “You can’t monitor or defend what you don’t know about.” Likewise, it’s important to have the latest software updates — patches, as they’re called in tech — installed throughout the entire enterprise, he added.
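The access hygiene SNAAC’s committee performs by hand (former employees who still have accounts, people carrying permissions from a previous role) and the role-based model LaManna recommends are two sides of one check: compare what each account actually holds against the HR roster and the entitlements its role allows. The block below is an added example for this article, not SNAAC’s or PenFed’s tooling; the roster, the role-to-entitlement map, the access export format and every user and system name are constructed for illustration.

```python
"""Access review: flag terminated users, orphan accounts and out-of-role access.

Added example, not any lender's tooling. Inputs are constructed inline: an HR
roster, a role-to-entitlement map, and an access export from the systems of
record. All names, roles and systems are hypothetical.
"""
from collections import defaultdict

# Constructed HR roster: who is currently employed and in which role.
ROSTER = {
    "alice": {"role": "loan_officer", "active": True},
    "bob":   {"role": "collections",  "active": True},   # moved here from lending
    "carol": {"role": "it_admin",     "active": True},
    "dave":  {"role": "collections",  "active": False},  # left the company
}

# Role-based access: each role gets a fixed set of entitlements and nothing else.
ROLE_ENTITLEMENTS = {
    "loan_officer": {"los:read", "los:write", "crm:read"},
    "collections":  {"crm:read", "crm:write", "dialer:use"},
    "it_admin":     {"ad:admin", "los:admin", "crm:admin"},
}

# Constructed export of who actually holds what: "system:entitlement,user" per line.
ACCESS_EXPORT = """\
los:read,alice
los:write,alice
crm:read,alice
crm:read,bob
crm:write,bob
dialer:use,bob
los:write,bob
ad:admin,carol
los:admin,carol
crm:admin,carol
crm:read,dave
dialer:use,dave
los:read,erin
"""


def parse_export(text):
    """Group the export into {user: set(entitlements)}."""
    held = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if line:
            entitlement, user = line.split(",", 1)
            held[user.strip()].add(entitlement.strip())
    return held


def review_access(roster, role_entitlements, export_text):
    """Compare held access against the roster and role model.

    Returns three finding buckets:
      terminated: inactive employees who still hold access
      unknown:    accounts with no roster record at all (orphans, shared accounts)
      excess:     active employees holding entitlements outside their role
    """
    held = parse_export(export_text)
    findings = {"terminated": {}, "unknown": {}, "excess": {}}
    for user, entitlements in held.items():
        record = roster.get(user)
        if record is None:
            findings["unknown"][user] = sorted(entitlements)
        elif not record["active"]:
            findings["terminated"][user] = sorted(entitlements)
        else:
            allowed = role_entitlements.get(record["role"], set())
            excess = entitlements - allowed
            if excess:
                findings["excess"][user] = sorted(excess)
    return findings


if __name__ == "__main__":
    for bucket, users in review_access(ROSTER, ROLE_ENTITLEMENTS, ACCESS_EXPORT).items():
        for user, ents in users.items():
            print(f"{bucket:10s} {user:8s} {', '.join(ents)}")
```

Run against the constructed data, the review catches exactly the three cases the article describes: `dave` has left but keeps collections access, `erin` has no roster record at all, and `bob` still holds the `los:write` permission from his old lending role. The same comparison, fed from the real HR feed and real system exports, is what turns “good hygiene” from an occasional committee exercise into something that can run on a schedule.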
With an influx of digitization in the financial sector, computers that once could only be accessed in person can now be accessed over the internet, said Terrelonge from Moody’s. “Malicious actors can take advantage of poor security practices or computer vulnerabilities to access, destroy or alter the computers and the data they contain,” he said.
As if that weren’t bad enough, attacker sophistication is accelerating, spurred by close collaboration in online criminal communities and leaks of advanced, nation-state developed cyber tools, Terrelonge added. Meanwhile, the number of workers skilled enough to fend off malicious attacks is declining. “We expect the future to bring even more digitization and interconnectedness, greater attacker sophistication and a deepening cybersecurity skills shortage,” he warned.
With that in mind, HCA’s Younker urged lenders to keep an eye on the horizon. “The industry sector moves fast; the whole IT arena moves fast; the whole security piece of that — my goodness, it’s changing so rapidly you have to stay relevant,” he said. “If you don’t use it, you lose it.”
Editor’s note: This story was originally featured in the August issue.