
This article was first published in the June 2015 international edition of Accounting and Business magazine.

The theft of consumer credit card data from prominent US companies such as the Home Depot, Target and Neiman Marcus is merely the tip of the iceberg in the world of cybercrime and cybersecurity. If the largest businesses are prized targets for cybercriminals, so are federal government and government-sponsored computer systems, such as those of Fannie Mae and the Internal Revenue Service, and so are technology enterprises such as Google, eBay, AT&T, Verizon and Apple. The Wall Street Journal reported that by July 2014, the biannual reports of 1,516 companies traded on the NYSE or Nasdaq stock market included the words ‘cybersecurity’, ‘cyberattacks’, ‘hacking’ or ‘data breach’.

At a time when technology and financial executives share a consensus that the ‘bad guys’, the hackers, are always two steps ahead of the risk management team, accounting professionals need to adopt risk management strategies that are both responsive and resilient in their approach. 

Government agencies have played a leading role in identifying cyberattacks and developing countermeasures that are shared with industry partners. However, public alarm over repeated breaches of computer networks containing possibly millions of individuals’ confidential financial data has drawn the attention of government regulators. They are focusing their scrutiny on the executives of these businesses, and asking if appropriate cybersecurity measures have been taken, and if executives are properly vigilant. Is cybersecurity another area ripe for government oversight?

Who is accountable?

The anxiety over the theft of personal financial information has spread through organisations, from the IT professionals on the front lines to the financial executives in the C-suite who have to make sense of it all. In two recent polls by credit card processor TSYS, conducted in the aftermath of the big breaches at Target and Neiman Marcus, approximately 40% of respondents said that they had changed their shopping behaviour.

Importantly, the majority of respondents believed that the companies themselves should be held accountable for these breaches. Over 60% said they were willing to move their accounts to financial institutions that could offer stronger cybersecurity measures.

As the public demands accountability for IT breaches and the theft of personal data, the conversation turns to who should be held responsible. Benjamin Lawsky, former New York State Department of Financial Services superintendent, has called for executive accountability at financial services companies as a way to prod executives into action. Some people, including prominent investors, argue that individuals, especially executives, should be held responsible for data breaches instead of the company as a whole.

The intense scrutiny on data vulnerability has meant that C-level executives and the individuals who report directly to them have to increase their participation in data breach response and resilience planning. 

The data breach at Target, the third largest retailer in the US, is but one example of the repercussions of a cyberattack: in May 2014, Target’s chief executive, Gregg Steinhafel, became the first CEO to step down over a huge customer data breach. Although data security was, by all accounts, taken seriously at Target, Steinhafel’s resignation shows that both preparedness and resilience are now vital parts of the business process, and that the consequences of getting them wrong reach the top of the organisation.

Room for improvement

There is an increased public belief that cybersecurity vulnerabilities are a consequence of a company’s lack of investment in appropriate security practices, including response plans, risk assessments of vulnerable areas and continuous monitoring of information systems to detect unusual traffic. According to a 2014 study by Experian Data Breach Resolution, companies have improved their overall preparedness and policies for data breaches compared to the previous year’s study. But while more companies have response plans, over 60% were not considered up-to-date and effective by respondents. 

This public demand for accountability could lead to a decision by government regulators that financial executives are liable for, among other things, not following proper information management security controls as specified by the Control Objectives for Information and Related Technology (COBIT) framework and the ISO 27001 information security management standard. If so, accountants will need to take a hard look at how they can influence financial controls and effective cybersecurity.

‘Due to the nature of the profession, accountants tend to have a lot of personal information. Any firm or business that is responsible for personal information is a target for cyberattacks,’ said Catherine Putnam, product manager for portfolio management at Travelers Insurance, in Accounting Today. Accountants must therefore remain vigilant and ensure cybersecurity is a top priority. They can be seen as the gatekeepers of information: they are well placed to recognise irregularities and anomalies in the data they handle, and to red-flag them to the appropriate channels. Corporate accountants and individual firms should treat cybersecurity not only as protection against cybercrime, but as an obligation towards their clients’ privacy.

The widespread dependency on cloud services for enterprise data storage is also perceived as a vulnerability by the public and by some regulators, whether or not that perception is justified in a given case. Companies across the US are increasingly moving data and applications to outsourced cloud providers. Accounting firms need to understand the liabilities that come with this arrangement and gain insight into their chosen provider’s cybersecurity practices and incident response plan, since outsourcing the storage does not outsource the responsibility for the data.

Poacher turns gamekeeper

President Obama’s executive order in February 2013, ‘Improving critical infrastructure cybersecurity’, warned that hackers sponsored by foreign governments and organised crime syndicates, as well as lone individuals, are probing financial, energy and public safety systems every day. 

These hackers are technologically sophisticated proxies for organised crime groups motivated by money and, increasingly, by the militaries of hostile governments intent on causing disruption and destabilisation. Financial systems are particularly rich targets. In addition to the threats from these criminals, spies, terrorists and ‘hacktivists’, there is worry about the inside threat represented by both current and former employees who have access to company systems and who may be motivated by money or revenge to jump to the dark side. 

24/7 online access, ‘bring your own device’ policies, work-at-home employees and insecure wi-fi connections create vulnerabilities that remain all too easy to exploit. Infamous hacker Cameron Lacroix, whose record includes hacking into celebrity phones, gift cards and credit cards, was recently sentenced to four years in prison despite his cooperation with the FBI in teaching them his hacking tricks. He stated that, upon completing his sentence, he hoped that Target and the Home Depot would hire him to protect their systems, adding ‘it’s still very easy to get into’.

Hacking techniques have become more sophisticated and more difficult to detect. The ongoing investigation into the breach at the Home Depot disclosed that hackers used custom-built malware, putting 56 million payment cards at risk. 

Playing cards

Cybersecurity vulnerabilities exist at both the data storage and the transaction level. Without chip technology, US debit and credit cards remain at high risk of cloning and fraud. Digital payment solutions are increasingly accepted by banks and merchants, and card-based purchases resulted in more than $6bn of fraudulent third-party charges in 2012, according to the Federal Reserve Bank. In the US, some of this has been attributed to outdated card technology that is, at the time of writing, only beginning to be replaced by the widely acknowledged and more secure EMV (Europay, MasterCard and Visa) chip cards, which are already standard in Europe. The difference is not that the chip stores encrypted data. The data on a US magnetic stripe is static, so a copy taken by a skimmer or by malware on a point-of-sale terminal is as good as the card itself. An EMV chip instead holds a secret key that never leaves the card and uses it to compute a cryptogram unique to each transaction, so the data a thief captures cannot be replayed or written to a counterfeit card. Chip cards do not, however, prevent fraud on online (card-not-present) purchases, where only the card number and expiry date are used.
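The difference described above, as an added illustration that is not part of the original article: a constructed Python model in which a magnetic-stripe ‘issuer’ accepts any copy of the static track data, while a chip-style issuer verifies a per-transaction cryptogram keyed on a terminal-chosen nonce and a card transaction counter. It is a simplification, not real EMV (real cards derive 3DES or AES session keys and MAC a longer set of transaction fields); HMAC-SHA256 stands in for the cryptogram, and the card number, keys and amounts are made up.

```python
"""Why static magstripe data can be replayed and a per-transaction cryptogram cannot.

Constructed illustration, not real EMV. HMAC-SHA256 stands in for the card's
cryptogram; all card data, keys and amounts below are made up.
"""
import hashlib
import hmac
import secrets

# Constructed track 2 data (fake PAN=expiry/service code). On a real stripe this
# string is all there is: whoever copies it can present it as the card.
MAGSTRIPE_TRACK2 = "4111111111111111=2512101"


class MagstripeIssuer:
    def __init__(self, track2: str):
        self._track2 = track2

    def authorise(self, presented_track2: str, amount_cents: int) -> bool:
        # Nothing binds the presented data to this transaction, so a
        # skimmed copy is indistinguishable from the genuine card.
        return hmac.compare_digest(presented_track2, self._track2)


def _cryptogram_input(amount_cents: int, un: bytes, atc: int) -> bytes:
    # Fields covered by the cryptogram: amount, terminal nonce, card counter.
    return amount_cents.to_bytes(6, "big") + un + atc.to_bytes(2, "big")


class ChipCard:
    """Holds a secret key that never leaves the card."""

    def __init__(self, key: bytes):
        self._key = key
        self._atc = 0  # application transaction counter, increments per use

    def generate_cryptogram(self, amount_cents: int, un: bytes):
        self._atc += 1
        mac = hmac.new(self._key, _cryptogram_input(amount_cents, un, self._atc),
                       hashlib.sha256).digest()
        return self._atc, mac


class ChipIssuer:
    """Shares the card key and remembers the highest counter seen."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_atc = 0

    def authorise(self, amount_cents: int, un: bytes, atc: int, cryptogram: bytes) -> bool:
        expected = hmac.new(self._key, _cryptogram_input(amount_cents, un, atc),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # fields altered, or the presenter lacks the card key
        if atc <= self._last_atc:
            return False  # exact replay of a cryptogram already accepted
        self._last_atc = atc
        return True


class Terminal:
    """Merchant side: picks the nonce so a cryptogram cannot be precomputed."""

    def transact(self, card: ChipCard, issuer: ChipIssuer, amount_cents: int):
        un = secrets.token_bytes(4)  # "unpredictable number"
        atc, crypt = card.generate_cryptogram(amount_cents, un)
        return issuer.authorise(amount_cents, un, atc, crypt), (amount_cents, un, atc, crypt)


def demo() -> dict:
    # 1. Magstripe: a skimmer copies track 2 and spends it elsewhere.
    mag_issuer = MagstripeIssuer(MAGSTRIPE_TRACK2)
    skimmed_copy = str(MAGSTRIPE_TRACK2)
    mag_genuine = mag_issuer.authorise(MAGSTRIPE_TRACK2, 1999)
    mag_replay = mag_issuer.authorise(skimmed_copy, 50000)

    # 2. Chip: a skimmer captures the whole (amount, nonce, ATC, cryptogram) of one purchase.
    key = secrets.token_bytes(16)
    card, issuer, terminal = ChipCard(key), ChipIssuer(key), Terminal()
    chip_genuine, captured = terminal.transact(card, issuer, 1999)
    amount, un, atc, crypt = captured
    # 2a. Resubmit the exact captured message: MAC verifies, but the ATC was already used.
    exact_replay = issuer.authorise(amount, un, atc, crypt)
    # 2b. Reuse the cryptogram at another terminal (new nonce, new amount): MAC fails.
    reused = issuer.authorise(50000, secrets.token_bytes(4), atc + 1, crypt)
    # 2c. The genuine card keeps working because it produces a fresh cryptogram.
    later_ok, _ = terminal.transact(card, issuer, 2500)

    return {
        "magstripe_genuine": mag_genuine,
        "magstripe_replay": mag_replay,
        "chip_genuine": chip_genuine,
        "chip_exact_replay": exact_replay,
        "chip_reused_cryptogram": reused,
        "chip_later_purchase": later_ok,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'APPROVED' if ok else 'DECLINED'}")
```

The model also shows what the chip does not fix: the magstripe issuer in the example stands in for any channel that authorises on static data alone, which is exactly the position of an online merchant taking a card number and expiry date.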

One major concern is the lack of professionals with advanced offensive and defensive cyber skills. According to a recent CNN report, approximately 20,000 to 30,000 professionals are needed in a variety of industries to adequately equip companies with the human resources to provide cybersecurity. Given the great need for these types of professionals, universities, colleges, community colleges and vocational schools are responding with a multitude of degree opportunities. Federal agencies even offer scholarship programmes in cybersecurity that require federal or state employment after completion of the degree, encouraging cybersecurity professionals to enter government agencies.

At risk is personal financial information held by retailers, third parties, apps and the like, which store account information, credit information and other personal data, as well as the information on people’s own mobile devices, computers and laptops. To maximise their financial gain, hackers have ‘preferred’ industries: the financial industry, which can be attacked for financial gain or political reasons, followed by the retail, energy, aerospace, defence and healthcare sectors. Email scams and insecure public wi-fi have not gone away, but cybersecurity is now at a point where any digital device, regardless of its ownership and location, can and will be attacked if it holds any personal information at all.

Time to take steps

Cybersecurity is well on its way to becoming a regulated practice. The US Securities and Exchange Commission is currently deciding what sort of guidance it will provide on cybersecurity standards, while acknowledging that the details of a company’s defences cannot be disclosed without weakening them. Finding ways to collaborate with the military, law enforcement experts and computer scientists to devise effective cybersecurity that balances customers’ need for easy access with appropriate financial controls must become part of accounting practice.

Although liability and responsibility have yet to be fully defined, since only financial institutions are placed under strict US data protection laws, accountants should understand how far their services and sub-services are protected against cyberattacks. In line with the US government’s new-found attention to medical devices and their vulnerability to cybercrime, accountants should take a more proactive approach and arm themselves with the right strategies and plans. The financial consequences of a breach arrive whether or not legal liability is ever assigned, so it is in firms’ best interest to understand what steps can be taken to protect themselves and their clients from data breaches.

Jonathan Hill, associate dean, Seidenberg School of Computer Science and Information Systems, and Wenya Chen and Kalterina Latifi, research fellows