Lessons Learned from the MOVEit Data Breach
Financial institutions, as the guardians of critical financial data, have always been high-priority targets for cybercriminals. With the increasing reliance on digital infrastructure and technology in the financial sector, the risk of cyberattacks has grown significantly. The MOVEit data breach by the “cl0p” ransomware gang is yet another wake-up call to financial institutions regarding the growing sophistication of cybercriminals, the constant need to adapt to new threats, and the preparation that is needed to respond to a data breach. MOVEit is file transfer software that allows financial institutions to store and transfer large amounts of often sensitive nonpublic personal information (“NPI”) of their customers, employees, and other stakeholders.
The MOVEit data breach is still in its early stages and its real impact and fallout are still unknown. Some financial institutions have already learned that they have directly suffered a data breach through their own use of MOVEit. Others have been impacted by their third-party vendors’ use of MOVEit to store and transfer NPI of their customers, employees, and other stakeholders. Many others have not yet discovered that they have been impacted by the breach. Unsurprisingly, class action lawsuits have already commenced against financial institutions that merely used the MOVEit software directly or through another service provider.
Financial institutions should do the following to protect themselves from a cyber incident and from class action lawsuits:
1. Adopt data inventory, mapping, and classification practices.
The management guru Peter Drucker famously said, “if you can’t measure it, you can’t manage it.” Financial institutions cannot build a data compliance program around data that they do not understand. Data inventory and mapping practices entail finding out what data elements are collected by the financial institution or on its behalf by third parties, the sources of the data, where the data is stored, how the data is used, and what ultimately happens to the data. Data classification is the process of separating and organizing data into relevant groups (“classes”) based on their shared characteristics, such as their level of sensitivity, the risks they present, and the compliance regulations that protect them. For example, sensitive NPI should be afforded greater protection than other forms of data, and data regarding certain types of consumers, such as California residents, may be subject to comprehensive privacy laws like the California Consumer Privacy Act (“CCPA”).
2. Implement access controls and the principle of least privilege.
Financial institutions should adopt access controls for all NPI, including NPI stored in physical (non-electronic) systems and physical restrictions on access to hardware containing electronically stored NPI. The financial institution’s employees and vendors should be granted only as much access to NPI as they need to complete their specific task. The lack of access controls has been the cause of internal data incidents, such as employees snooping on customer accounts and on their colleagues, insider attacks and theft of NPI, and negligent handling of NPI by untrained employees who never should have had access to it.
3. Practice data minimization and retention limitation.
Hoarding and sharing unnecessary data increases the risk of a data incident. Financial institutions should limit their collection of data to only what they need to offer their products and services and keep such data only for as long as they need it for this purpose. Data minimization and retention principles should be harmonized with regulatory minimum data retention requirements. Equally important, financial institutions should provide third parties (i.e., vendors) with only the data elements that they absolutely need to perform their function. Financial institutions should also inquire whether de-identified or aggregated data may be substituted for personally identifiable data in their third-party engagements, so as to minimize the sharing of personally identifiable data.
We have seen several instances where the vendor that used the compromised MOVEit application was provided with NPI that it did not need to perform its functions for the financial institution. The vendor received such data anyway because the financial institution did not minimize its data exposure with its vendors. In some instances, the vendors’ agreements stated that they did not need or want NPI, but such information was provided anyway. This is low-hanging fruit for class action plaintiffs’ attorneys to pounce on, and it could easily be avoided by financial institutions that minimize what data they share with third parties.
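The following is an added illustration, not code from the original article or from MOVEit: it ties step 1 (a classification tag on every data element) to step 3 by filtering a customer record against what a vendor’s agreement says the vendor needs, and it refuses the export outright when the agreement says the vendor does not take NPI but an NPI element is nevertheless listed. The classification map, the `VendorContract` structure, and the sample record are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed classification map (assumption, not from the article): every data
# element the institution collects is tagged with a class produced in step 1.
ELEMENT_CLASS = {
    "account_id": "internal",
    "full_name": "npi",
    "ssn": "npi",
    "dob": "npi",
    "email": "npi",
    "zip3": "deidentified",       # first three ZIP digits only
    "balance_bucket": "aggregated",
}

@dataclass(frozen=True)
class VendorContract:
    """Hypothetical summary of what the vendor agreement says the vendor needs."""
    name: str
    allowed_elements: frozenset   # data elements the contract lists as needed
    may_receive_npi: bool         # whether the agreement permits any NPI at all

class MinimizationError(Exception):
    """Raised when a record cannot be safely exported to the vendor."""

def minimize_for_vendor(record: dict, contract: VendorContract):
    """Return (payload, dropped): payload holds only contract-approved elements.

    Refuses the export when an element has no classification, or when the
    contract lists an NPI element for a vendor whose agreement says it does
    not take NPI (the inconsistency described in the article).
    """
    payload, dropped = {}, []
    for element, value in record.items():
        cls = ELEMENT_CLASS.get(element)
        if cls is None:
            raise MinimizationError(f"{element!r} is unclassified; inventory it first")
        if element not in contract.allowed_elements:
            dropped.append(element)   # vendor did not ask for it: never send it
            continue
        if cls == "npi" and not contract.may_receive_npi:
            raise MinimizationError(
                f"contract with {contract.name} forbids NPI but lists {element!r}")
        payload[element] = value
    return payload, dropped

if __name__ == "__main__":
    # Constructed sample record and contract for a statement-printing vendor.
    record = {"account_id": "A-1001", "full_name": "J. Doe", "ssn": "000-00-0000",
              "email": "j.doe@example.com", "balance_bucket": "1k-5k"}
    printer = VendorContract("statement-printer",
                             frozenset({"account_id", "full_name", "balance_bucket"}), True)
    print(minimize_for_vendor(record, printer))
```

The `dropped` list is worth logging per export: it is the evidence that elements the vendor never needed were withheld rather than sent.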
4. Invest in robust cybersecurity policies, procedures, and IT infrastructure.
Financial institutions must adopt a comprehensive cybersecurity framework that includes advanced threat detection, encryption, multi-factor authentication, email security and anti-phishing measures, network segmentation and DDoS protection, logging and system monitoring, and data backup and recovery. Continuous security assessments and regular penetration testing can help identify vulnerabilities and address them promptly. Financial institutions should also contractually require any third parties (i.e., service providers) that have access to NPI to do the same.
In addition to technical measures, financial institutions should take privacy and cybersecurity compliance seriously and devote sufficient time and resources to developing robust privacy policies and cybersecurity procedures. Given ever-increasing data security incidents, regulatory fines and penalties, and expensive class action lawsuits, the cost of non-compliance can be severe.
5. Training and awareness.
Employees are often the first line of defense against cyber threats. Regular cybersecurity training and awareness programs can educate staff about common attack vectors, phishing attempts, and the importance of data protection. Employees should also be trained in sound data management principles in day-to-day operations. There are many good educational resources and certification programs available, such as the certification programs offered by The International Association of Privacy Professionals. Financial institutions should also consider hiring a data privacy professional who can help elevate their internal data management and privacy compliance program.
6. Purchase adequate cyber insurance.
Financial institutions should purchase cyber insurance that is adequate to cover the risks associated with a data breach that occurs on their networks and the networks of third-party service providers. Such risks include physical damage to IT infrastructure, reputation risk, operational downtime, costs associated with regulatory and consumer notifications, and coverage for third-party claims, which are often in the form of class action lawsuits filed against financial institutions.
7. Conduct due diligence on third-party resources.
When a cyber incident occurs, a financial institution typically has only a very short period to report the incident to regulators and consumers if the incident rises to the level of a reportable breach. That window does not allow the time needed to properly vet the third-party resources that will help your financial institution after a data incident occurs. Cyber insurance policies typically provide a list of approved vendors for reputation management, forensic analysis, legal counsel, et cetera. It is advisable to evaluate such resources, and even talk to some of them, before your institution is hit with a cyber incident.
8. Incident response planning.
Financial institutions must have an incident response plan for a data breach on their own systems or on the systems of third parties to which they have provided access to NPI. A good response plan has the following components:
- Preparation. All the above recommendations are part of preparing for a cyber incident or, better yet, avoiding one. We also recommend designating appropriate business units, such as IT, legal, and marketing, that must work together, under the supervision of senior executive management and the financial institution’s board of directors.
- Identification. Financial institutions must have a robust cybersecurity framework that is able to identify intrusions on their networks quickly. When identifying a security incident, you should be able to answer the following questions:
  - Who discovered the breach?
  - What information systems have been accessed or misused?
  - What employee, customer, member, or consumer information has been accessed or misused?
  - Is it affecting our operations?
  - What is the source of the compromise?
- Containment. This step requires you to mitigate the damage once a breach occurs. Depending on the nature of the incident, this could mean isolating the compromised data and removing the malware from your systems. During this phase, you should consider whether systems need to be taken offline or wiped, and whether there are immediate steps you can take to close vulnerabilities.
- Eradication. This phase of a cyber incident response plan is about rectifying the weakness that enabled the data breach to occur. The specifics will again depend on the type of incident, but during this stage, you must identify how the information was compromised and how you can eradicate the risk.
- Breach notification. Financial institutions must notify their functional regulator and impacted individuals if the incident resulted in unauthorized access to and potential misuse of sensitive personal information. The timeframe for notification depends on the regulator and the state in which impacted individuals reside. Depending on the number of impacted individuals in a particular state, state Attorneys General and other agencies may also need to be notified. Additionally, financial institutions must file a Suspicious Activity Report and notify applicable law enforcement authorities.
- Recovery. Once you have eradicated the threat, you can move on to the penultimate stage of cyber incident response, which is to get your systems back online.
- Lessons learned. The final phase of the cyber incident response plan is to review the incident and to identify opportunities for improvement.