Hoteliers, U.S. military brass and bankers are in very different lines of work, but they share at least one common concern—cybersecurity.
Banks could learn a lot from a high-profile gaffe in the hospitality industry and from precautions recently taken by the Defense Department. Both involve the need to keep an eye on how well third parties protect data and network access.
In the hotel-related matter, a federal appeals court last week upheld the Federal Trade Commission's authority to sue the Wyndham hotel chain over a breach of customers' credit card data from seven years ago. The security lapses cited in the suit were egregious, including credit card data stored in the clear and easily guessed passwords.
Wyndham is a conglomerate of 90 independent hotels, so keeping its affiliates in line on security matters resembles banks' challenges in policing software vendors, suppliers and contractors across their broad, multifaceted enterprises.
Making the example even more relevant to banks is the fact that the FTC, which did not respond to interview requests, has jurisdiction over financial services companies and could seek to punish them in cases of mishandled data.
“It’s not a matter of ‘might’—they will,” said Stu Sjouwerman, the chief executive of the security consulting firm KnowBe4. “They take their role as a watchdog very seriously, and banks that are protecting consumer data and sensitive financial data are definitely going to hear from the FTC when there’s a data breach.”
In a separate event, also last week, the Pentagon issued revised rules for vendor security meant to cover a wider range of third parties.
Banks, many other companies and government agencies like the Defense Department share flawed approaches to vetting and monitoring vendors' and subcontractors' security practices, both before and after contracts are signed.
“Where banks get into trouble is with partners,” Sjouwerman said. “You might source components out of China, so your supply chain is your weak link. Who knows but that some corrupt government official in China hasn’t been able to subvert a Chinese supplier and the components you’re sourcing have a backdoor built in. You just don’t know. So you need to audit those things within an inch of your lives to ensure you’re still protected.”
These examples come at a time when most banks are working hard to improve vendor management practices and increase their security budgets. But more work needs to be done.
In 2008 and 2009, Wyndham suffered three breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in loss due to fraud.
The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was a victim of the hack itself and should not be penalized by the commission for the breach.
Last week the 3rd U.S. Circuit Court of Appeals in Philadelphia allowed the FTC's case against Wyndham to go forward in federal district court in New Jersey, and it noted that the FTC could use its authority to pursue cybersecurity cases under a federal law that directs the FTC to prohibit “unfair or deceptive acts or practices in or affecting commerce.”
All the things Wyndham was found to have done wrong in the days leading up to its data breach – such as failing to implement two-factor authentication and allowing weak passwords – are violations of basic security principles and payment card industry (PCI) rules.
“You're looking at incredibly basic issues like easy passwords and other basic data hygiene, like credit card data in clear text,” Sjouwerman said. “It doesn’t get worse than that.”
But if the 90 independent hotels in a chain can be likened to subsidiaries for which the chain bears responsibility, then banks face a similar exposure in software vendors, third-party contractors and others with whom they work but do not directly control.
Wyndham did set specifications for the security systems of the hotels that use its name, according to court documents, but the company allowed the hotels to store payment information in clear, readable text and to use easily guessed passwords. For instance, at one hotel, which used a booking system called Micros, the user name and password were both "micros." The FTC accused Wyndham of failing to adequately restrict third-party vendors’ access to its network and the servers of Wyndham-branded hotels. It said the hotel company failed to use reasonable measures to detect and prevent unauthorized access to its computer network and that it failed to follow proper incident-response procedures.
These are all sins a bank could be found guilty of.
In fact, the New York State Department of Financial Services found that 21% of New York banks do not require third-party vendors to prove they are meeting information security requirements, and only 36% of surveyed financial institutions extend those requirements to subcontractors.
And this issue of monitoring the security of not just primary vendors and suppliers, but their suppliers as well, prompted the Defense Department to expand its vendor security rules to the entire supply chain.
Government agencies are no longer the role models for security best practices they once were, especially since June, when the Office of Personnel Management acknowledged a data breach that exposed the records of more than 20 million people. Even the Joint Chiefs of Staff's email system was hit by Russian hackers. Yet when the Defense Department issues new rules for monitoring vendor and contractor security, many experts will pay attention.
The Defense Department's revised rules require all contractors and suppliers (not just prime contractors) to comply with both security controls and incident-reporting requirements.
“The idea from the Department of Defense—and it’s one that government agencies nationwide are coming around to—is that the supply chain doesn’t just start at your highest-profile target," said Michael McGuinn, a senior managing associate in the Colorado office of the law firm Dentons US LLP. "It needs to start from the bottoms up, to make sure you’re addressing the path of least resistance.”
The security controls include multifactor authentication and the application of the principle of least privilege throughout the organization. In other words, each process, user or program must be able to access only the information and resources necessary for its legitimate purpose.
“It’s your basic cybersecurity,” said McGuinn.
The Defense Department rules also require contractors and suppliers to report any cybersecurity incidents and unauthorized access to their networks. Here again, banks can sometimes fall short. In New York, regulators found that 30% of banks don’t require third-party vendors to notify them in the event of a data breach or other security incident.
How can banks keep close enough tabs on their vendors?
Much of this is done by requiring suppliers to provide representations and certifications that they comply with the bank's security policies, McGuinn said.
“Some companies are more hands-on with their suppliers, but that’s costly and there’s risk associated with that,” he said. “In many cases, suppliers don’t want others mucking around in their sensitive systems.”
Making vendors report cyber incidents is very helpful, McGuinn said. “That’s a simple way, and it has the additional benefit of providing for a common repository of shared information about cyberthreats.”
Use of the National Institute of Standards and Technology’s cybersecurity framework can also help.
“The framework has this concept of profiles,” McGuinn said. "It says, here’s your target profile, here’s your current profile -- where you stand in your company’s current cybersecurity. It provides a way for companies to talk to each other in a common language.”
Banks have been stepping up their vetting of vendors, according to Loras Even, a principal at McGladrey.
“Most are doing a refresh or rework of their vendor management program, reviewing documentation provided, asking for insurance coverage, validating where information sits [and asking: is any of it on servers overseas?]," he said. The toughest part for banks is knowing which vendors their vendors are using, especially cloud vendors, he noted.
“If they’re looking at adding or considering a cloud vendor, they need to run that vendor through a due-diligence-audit program up front,” he said.
All that said, employees are still the weakest link in the security chain, Sjouwerman and Even said. “There’s a tendency to trust vendors they’ve been working with for 10 years,” Even said. “Just because that trusted vendor has been resilient, it needs to be held to the same standard as a brand-new cloud provider.”