Another Example for SOX & Cybersecurity
From time to time I’ve written about how poor cybersecurity and software patch management leads to faulty internal financial controls. Now a bank in Tennessee has disclosed a cybersecurity breach that seems to demonstrate the case.
The bank, First Horizon Corp. ($FHN), disclosed the breach in an SEC filing last week. The breach wasn’t large, and the disclosure doesn’t say much — but the details that First Horizon did share raise some intriguing questions about how proper oversight of ERP software is critical to internal control.
What happened, exactly? Let’s do a close reading of First Horizon’s 8-K filing. First, the bank said this:
In mid-April, First Horizon Corp. (the “company”) became aware of a data security incident affecting a limited number of customer accounts. Based on its ongoing investigation, the company determined that an unauthorized party had obtained login credentials from an unknown source and attempted access to customer accounts.
As cyber attacks go, so far that sounds pretty routine. Somebody somewhere out there probably purchased stolen First Horizon user IDs and passwords on the dark web, and tried to use those stolen credentials to access customer accounts. Nefarious nonsense like this happens every day.
Then comes the next sentence:
Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 on-line customer bank accounts, had access to personal information in those accounts, and fraudulently obtained an aggregate of less than $1 million from some of those accounts.
OK, now the picture gets more interesting. The attackers were using stolen credentials and exploiting a vulnerability in the software of one of First Horizon’s vendors. Through that combination of tactics, the attackers were able to steal actual cash from First Horizon customers.
Then we arrive at the remediation steps First Horizon took:
The company has remediated the software vulnerability, reset the passwords for the identified accounts, is working with the affected customers to close existing accounts and open new ones, has reimbursed the customers for the stolen funds, and has notified the appropriate regulators and enforcement authorities.
If First Horizon fixed the software vulnerability as part of remediation, that means the attackers used the vulnerability in some manner to execute their heist; First Horizon even says as much in the prior passage.
Questions About Internal Control
So, did the attackers first try the stolen credentials, failed with that tactic, and then exploited the vulnerability to succeed on a second try? We don’t know.
Next question: how, exactly, would they use a software vulnerability to steal customer money? We don’t know that either. Security firms have previously demonstrated how attackers can exploit poorly patched ERP systems like SAP or Oracle to sidestep user access controls and execute wire transfers outside the company walls; but we don’t know that’s what happened in this specific case.
Third question: how did First Horizon’s login credentials become available to attackers in the first place? That suggests that the bank actually suffered two breaches: the original theft of login credentials; and then the theft of customer monies via some combination of those credentials and the software vulnerability.
To be clear, this breach is not significant. Last year First Horizon had $84 billion in assets and $857 million in net income, so the theft of less $1 million is chump change. (Although, in fairness, I am sure it did not feel like that to the victimized customers.) Then again, that raises another question: Why disclose this incident at all, if the amount of money and number of customers wasn’t material? From the 8-K filing, we can’t tell. Maybe First Horizon was just being thorough.
The size of the breach, however, isn’t really the point for the rest of us. The point is that breaches like this — attackers exploiting vulnerabilities in your software supply chain, to steal money from corporate coffers — can happen. This particular breach was small, but the next breach at the next company could be for $10 million, or $100 million, or $1 billion.
Cybersecurity and SOX Compliance
If vulnerabilities in your ERP software can lead to unauthorized transactions, that’s a SOX compliance issue. Your IT general controls aren’t keeping pace with the requirement that access to assets is permitted only according to management authorization.
Moreover, remember that First Horizon’s breach happened thanks to a vulnerability in software from one of its vendors. So not only must your SOX compliance program address vulnerabilities in your own ERP software; you need to extend that capability down through your whole software supply chain. That’s vendor risk management, and First Horizon demonstrates why we’re talking about the subject so much these days.
The nettlesome detail here is that software vulnerabilities, patch management, and vendor risk management are typically the CISO’s responsibility. So how well has the internal audit or SOX compliance team communicated the need for effective software patch management? How closely have you worked with the CISO to develop a strong vendor risk management program? Are you testing and remediating the relevant processes? Is your company doing all that work manually, or are you trying to automate the task with some GRC tool?
Those are the questions that internal audit, cybersecurity, and compliance teams need to be asking these days — and the answers are what you’ll want to present to your board, CEO, and external auditors, to assure them that the company has its security issues under control.