The only constant is change – and no industry understands this better than the financial services industry as it navigates risk in today’s cyber environment. Rapid expansion of new technologies and evolving business models result in dynamic risks in the cybersecurity threat landscape. As attackers explore new opportunities to gain unauthorized access, it is essential that financial institutions protect their organizations by effectively authenticating the users of their systems and data.
According to the Federal Financial Institutions Examination Council (FFIEC), “Certain authentication controls, previously shown effective, no longer provide sufficient defense against evolving and increasingly sophisticated methods of attack.” The FFIEC acknowledges the rapidly shifting attack environment that financial institutions are facing from new cloud, API, mobile technologies and broadly used remote access points and that new or additional tools and procedures are needed to effectively authenticate “users and customers to protect information systems, accounts, and data.” In recent guidance titled Authentication and Access to Financial Institution Services and Systems (the Guidance), the FFIEC shares updated risk mitigation principles and practices with the depository institutions its members supervise. The customers and users referenced in the Guidance include:
- Business and consumer customers
- Third parties, including system-to-system communicators
The Guidance reiterates key points from FFIEC’s prior guidance issued in 2005 and supplemented in 2011. The latest update reinforces the notion of sound risk management practices and adds several new points of emphasis, discussed below.
Reiteration of the need for sound practices
Risk assessment – The Guidance emphasizes that “Periodic risk assessments inform financial institution management’s decisions about authentication solutions and other controls that are deployed to mitigate identified risks.” Risk assessments are key to identifying reasonably foreseeable risks – and should include an inventory of all information systems, services and users. Mitigating practices include using an Identity Governance & Administration (IGA) solution to categorize, connect and synchronize disparate user systems, using privileged access management (PAM) software to identify privileged users, and evaluating current assessment practices to ensure alignment to specific authentication mechanisms.
Layered security – The Guidance recommends mitigating weakness in any one control by incorporating multiple preventative, detective and corrective controls. The FFIEC recommends measures including layered security, multi-factor authentication (MFA), user time-outs, the principle of least privilege provisioning, transaction amount limits, and monitoring, logging and reporting.
User and customer awareness – The Guidance advises maintaining awareness programs to educate users and customers about a range of authentication risks and other security considerations while using digital banking services.
New areas of emphasis
The Guidance highlights several areas to which financial institutions should pay increased attention. While some of these have been mentioned in previous guidance, the emphasis placed on them by the FFIEC in its latest recommendation is new, and financial institutions must ensure they examine their practices in each of these areas thoroughly to mitigate risks.
Multi-factor authentication (MFA) – The Guidance emphasizes that single-factor authentication (even when bolstered with other layered security) is inadequate to secure high-risk transactions and users. The FFIEC underscores the need for broad use of MFA, including step-up authentication through MFA when suspicious behavior is detected.
High-risk users – The Guidance emphasizes mitigating risks associated with high-risk users and high-risk applications. Regarding high-risk user identification, the FFIEC advises financial institutions to identify users with access to critical systems and data as well as privileged users. A best practice is to use a privileged access management (PAM) software to perform regular scans to identify privileged users within the institution’s environment and incorporating access controls for those users with the layered security recommendations above.
Bad actors – The Guidance recommends specific controls related to call centers and IT help desks. Social engineering and other techniques have been used to deceive customer call centers and IT help desk representatives into resetting passwords and other credentials to gain access. The Guidance recommends a comprehensive risk assessment to support mitigation of this risk by “identifying emerging threats, setting secure processes, employee training, and establishing effective controls for the customer call center and IT help desk operations.”
Customer-permissioned entities (CPEs) – The Guidance highlights the risks associated with CPEs – data platforms that facilitate the exchange of user data between entities with the user’s permission, including data aggregators who access privileged data (and sometimes retain customer credentials) to provide financial institutions’ customers a variety of services. The Guidance recommends a comprehensive risk management program to assess and mitigate risks by implementing controls specific to CPEs.
Customer and user identity – A key consideration in reducing fraudulent activities includes reliable identity verification methods (including those related to synthetic identities and impersonations). As this is a dynamic area, organizations should consult with regulators and evaluate evolving technologies to address this point.
Where do financial institutions go from here?
Oversight of authentication and access activities and processes are key to mitigating the associated information risks. The FFIEC says, “Applying the principles and practices in this Guidance, as appropriate to a financial institution’s risk profile, can support alignment with such safety and soundness standards.” Protiviti also recommends that financial services companies:
- Ensure that high-risk users are considered as part of risk assessment activities so that practices related to high-risk users align to revised FFIEC recommendations.
- Have a formal perspective on CPEs and aggregators by implementing a comprehensive risk mitigation plan, including a risk assessment and sufficient controls related to “credential and API-based authentication.”
- Implement MFA for high-risk applications and more broadly, and use mitigating controls as needed.
- Consider how third parties, including cloud services, have altered the organization’s digital footprint. Risk mitigation for authenticity and access activities must continually evolve to address the dynamic third-party environment.