Federal Reserve Watchdog Probes Banks' Cybersecurity
Scrutiny Follows SWIFT-Focused Hack Attacks
The Office of the Inspector General has begun auditing the Federal Reserve's effectiveness when it comes to ensuring that U.S. banks have robust information security policies, procedures and practices in place, including the ability to quickly detect and respond to data breaches.
The "Audit of the Board's Oversight of Cybersecurity Threats to Financial Institutions" was announced June 20 as part of the latest OIG work plan.
"The growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions," the OIG's work plan says. "We are focusing our review on how the Federal Reserve System's examination process has evolved and whether it is providing adequate oversight of financial institutions' information security controls and cybersecurity threats."
The Fed has already developed guidance for banks "to define expectations for information security and data breach management," the OIG reports. Now the watchdog agency will review how - and if - banks are complying with that guidance.
The audit is due to be completed in the fourth quarter of this year. The upcoming OIG report may be the first-ever public assessment of the Federal Reserve's effectiveness at ensuring that U.S. banks have sufficient cybersecurity controls in place, Reuters reports. Previous audits were limited to the cybersecurity practices of the Federal Reserve system itself.
Fed Breach Report
The OIG notes that part of its mission is to "focus on those programs and operations in which potential deficiencies pose the highest risk to the [Fed Reserve] Board and the CFPB."
The OIG's information security questions follow a recent Reuters report that, from 2011 to 2015, the Fed detected more than 50 data breaches involving its networks. That figure is based on a Freedom of Information Act request filed by the news agency and covers only the Washington-based Board of Governors, a federal agency that is subject to public records laws, unlike the Fed's 12 privately owned regional branches.
When it comes to that breach report, "I'm not at all surprised," Avivah Litan, an analyst with Gartner Research, tells Information Security Media Group. "The Feds have all kinds of breach attempts on a daily basis. The question is, did any [successfully] exfiltrate sensitive information or money? My guess is that some were indeed successful but that's just an educated guess, based on what I have seen elsewhere."
Audit Follows SWIFT-Enabled Fraud
The OIG's probe also follows the February theft of $81 million from the central bank of Bangladesh's New York Federal Reserve account via the messaging service provided by Brussels-based SWIFT. Formally known as the Society for Worldwide Interbank Financial Telecommunication, SWIFT is a cooperative owned by 3,000 banks that bills itself as "the world's leading provider of secure financial messaging services." Today, 11,000 banks globally use SWIFT daily to process 25 million communications that collectively account for billions of dollars' worth of transfers.
The security of SWIFT's messaging system has been called into question after investigators reported discovering coordinated malware attacks against multiple banks. Based on a technical analysis of the malware used in those attacks, some security experts say they have a high degree of confidence that a group sponsored by the government of North Korea was behind the hacks.
While the attack campaign might have begun as early as 2013, it only came to light after Bangladesh Bank disclosed its hack attack and related losses in March. At the time, the bank blamed the New York Fed and SWIFT for processing and routing the fraudulent transactions, although the Fed and SWIFT dismissed those accusations.
Last month, in a joint statement, the three organizations stopped their respective finger-pointing and pledged to work together. Subsequently, SWIFT also began issuing increasingly strong warnings to users, and urging them to ensure that all systems that touch the SWIFT network have strong security controls (see Banks With Bad Cybersecurity Could Face SWIFT Justice).
Congress Queries Fed
In the wake of the Bangladesh Bank hack, multiple nations began probing the security of SWIFT, as well as their own banking systems (see Banks, Regulators React to SWIFT Hack). In April, the U.K. central bank - the Bank of England - reportedly ordered all of the country's banks to detail how they were reacting to the SWIFT hack.
U.S. legislators have been asking the Fed if it plans to follow the Bank of England's lead, and whether U.S. banks could survive a similar attack. Last month, the House Committee on Science, Space and Technology launched a probe of the attacks, and asked the Fed specifically what it was doing to oversee banks' cybersecurity practices as well as SWIFT itself (see Fraudulent SWIFT Transfers: Congress Queries New York Fed).
Oversight of SWIFT is the responsibility of the 11 countries that are in the G10 - Belgium, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States, with the National Bank of Belgium taking the lead role.
Other members of Congress have also been questioning the Fed's cybersecurity oversight, as well as the preparedness of U.S. banks to defend against related attacks. In March, for example, Rep. Carolyn B. Maloney, D-N.Y., requested further details on the Bangladesh Bank heist from the Fed, and the Fed responded in April.
Last month, Sen. Tom Carper, D-Del., the ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, likewise asked the New York Fed how it was responding to the bank heists.
Executive Editor Tracy Kitten also contributed to this story.