Posted on

Insider Threats in Finance and Insurance (Part 4 of 9: Insider Threats Across Industry Sectors)

This post was co-authored by Jonathan Trotman.

In the previous post of our series analyzing and summarizing insider incidents across multiple sectors, we discussed some of the mandates and requirements associated with federal government insider threat programs as well as documented insider threat incidents. In this post, we will discuss information security regulations and insider threat metrics based on Finance and Insurance incidents from our CERT National Insider Threat Center (NITC) Incident Corpus.
For context, Finance and Insurance refers to a collection of organizations working across various facets of financial services. The graph below shows incident counts in this sector.

Bar chart of the number of insider incidents impacting finance and insurance organizations, from 1996 to the present. Banks and credit unions had 190 incidents. Insurance had 14. Other financial services had 33.

With the statistics that follow, keep in mind that Banks and Credit Unions are far more represented than Insurance or Other Financial Services in the CERT NITC Incident Corpus.

In total, we identified 237 malicious, non-espionage insider incidents where a Finance and Insurance organization was both the victim organization and the direct employer. There were 148 additional incidents where a Finance and Insurance industry organization was impacted by a Trusted Business Partner (e.g., temporary employees, outsourced computer support, or cleaning services) or an insider incident at another organization. In one incident, more than 20 individuals (approximately half of them insiders and half of them outsiders) targeted more than a dozen Finance and Insurance organizations across multiple states as part of a Stolen Identity Refund Fraud (SIRF) scheme coordinated by an outsider-ringleader. This incident underscores the ubiquity of SIRF schemes within Finance and Insurance organizations and the threat of collusion with outsiders. Finance and Insurance organizations are well-served by getting involved with information sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) to collaborate with others in the sector.

Pie graph of Finance and Insurance Victim Organization Relationship to Insiders. 237 victims, or 62%, employed the insider. 148 victims, or 38%, did not directly employ the insider.

Sector Overview

To understand the Finance and Insurance insider threat landscape, we first need to understand its regulations and their background check guidance:

  • 1999: The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, requires that financial institutions take steps to ensure the security and confidentiality of customers’ personal and financial information. The Federal Trade Commission (FTC), as part of its implementation of GLBA, issued the Safeguards Rule. The Safeguards Rule in turn recommends, among other best practices, checking references and performing background checks as part of the hiring process for employees that would have access to customer information.
  • 2002: Section 404 of the Sarbanes-Oxley Act (SOX) requires an assessment of the internal control structure used to ensure financial statement account and disclosure accuracy, which involves detecting security breaches. It also implicitly necessitates employee background checks.
  • 2004: Guidance for reference and background checks is also provided by the Payment Card Industry Data Security Standards (PCI DSS) Council.

Taken together, these regulations would suggest that Finance and Insurance employees are vetted before they ever have system access. However, as we have demonstrated, insider threats still persist.

As the chart below shows, Fraud is the most frequent insider threat incident type for Finance and Insurance organizations (in the CERT Insider Incident Corpus), followed by Theft of Intellectual Property (IP) and IT Sabotage. In the four incidents where two case types were present, Fraud was one of them. Fraud is all too commonplace in the Finance and Insurance sector because employees have a high degree of access to money and sensitive financial data.

Bar graph of the number of Finance and Insurance Insider Incidents by Case Type. Fraud: 204. Theft of IP: 19. Sabotage: 10. Sabotage and Fraud: 3. Fraud and Theft of IP: 1.Given how few reported incidents involved Theft of IP or IT Sabotage, the following analyses focuses on incidents of Fraud where the insider was employed by the Finance and Insurance victim organization.

Sector Characteristics

Nearly all (87.8%) of the insider incidents impacting Finance and Insurance organizations involved Fraud. The Fraud statistics below include only the 204 incidents where no other incident type was known. Each attribute (i.e., Who, What, When, Where, How, Why) represents only the cases where that attribute was known.

Who? Approximately half (49.5%) of the insiders were employed by the victim organization for 5 years or more when they started their malicious activity. Insiders were primarily in their twenties (29.7%) or thirties (34.9%). Nearly all (97.1%) of the insiders were full-time employees and nearly all (93.4%) were current employees. Half of the insiders used an authorized account and data (50.0%) and over one-quarter were authorized, privileged users (26.4%). The most common roles occupied by insiders were management (32.8%), cashier (13.8%), executive (12.6%), accountant/bookkeeper (10.9%), and other non-technical positions (29.9%). What? Over one-third (40.7%) of insiders targeted money in an electronic form. An additional subset of insiders (5.4%) targeted money in a physical form. Insiders also targeted electronic customer data (5.4%), which in turn could be used to commit identity theft. When? For Fraud incidents where the attack time was known (179 total), nearly all (98.3%) involved insider activity during work hours. Nearly one-third of incidents (31.8%) of incidents also involved activity outside of work hours. Three incidents (1.7%) involved activity outside of work hours only. Where? For Fraud incidents where attack location was known (189 total), nearly all (99.5%) involved activity on-site. Over one-quarter (27.0%) also involved remote access. Only one incident (0.5%) appeared to involve remote access only. How? Nearly one-third (32.8%) of insiders created or used a fraudulent asset to commit their attack. One-quarter (25.0%) of insiders created or used an alias over the course of their Fraud scheme. Nearly one-quarter (24.5%) of insiders made fraudulent purchases. Insiders also abused privileged access (20.6%), falsified information (20.1%), and modified critical data (16.2%). Why? Unsurprisingly, nearly all of the insiders (97.8%) were motivated by the prospect of financial gain. Insiders were also motivated by gambling addiction (2.2%), family pressures (1.6%), competitive business advantage (1.1%), or a desire for recognition (1.1%). Some insiders (3.8%) had multiple motivations for committing Fraud.

Analysis

Insiders committing Fraud in Finance and Insurance organizations tended to be more tenured employees, and many were in leadership positions. These insiders also had privileged access to information systems and customer personally identifiable information (PII) commensurate with that level of experience or role. In turn, these insiders exploited vulnerabilities in processes they were familiar with to access money or customer data. Nearly all of the insiders were motivated purely by financial gain, with a portion of those insiders also under financial stress from a gambling problem or family distress. In Finance and Insurance insider incidents where the financial impact was known (221 total), the median financial impact was between $98,137 and $268,403. Again, the median impact across the CERT Insider Threat Incident Corpus is between $95,200 and $257,500. The Finance and Insurance incidents, since they comprise the majority of the incidents collected, essentially define the median financial impact range of the corpus.

Final Thoughts

As we addressed earlier in this post, organizations subject to the Safeguards Rule are encouraged to perform background checks before hire. At the NITC, we also advocate for employee background checks. However, given the evidence around the tenure of insiders, recurring background checks are also advisable, particularly when an employee receives increased or new access to customer information. After all, we saw that managers and executives are also capable of committing Fraud.

However, SOX compliance can pose significant financial and implementation challenges for organizations, even 16 years after its passage. With those costs, organizations may not be performing background checks as frequently or extensively as is needed to address emerging threats from within.

If you work for a small organization that must comply with SOX, review the Securities and Exchange Commission’s Section 404 Guide for Small Business. Organizations small and large can also reference the Common Sense Guide to Mitigating Insider Threats, Fifth Edition, for additional best practices on how to improve their security posture.

For recommendations for your insider threat program, stay tuned for future blog posts related to your industry. Check back in a few weeks to read our next industry post on state and local government, or subscribe to a feed of the Insider Threat blog to be alerted when any new post is available. For more information about the CERT National Insider Threat Center, please contact [email protected].

What are your thoughts?