How Financial Services Firms Can Improve Cybersecurity
By Calvin Hennick
The financial services industry experiences 35 percent of all data breaches, according to Forbes, earning it the dubious distinction of “most-breached sector” of all. Unfortunately, this makes sense. The industry houses high-value data and assets that are attractive to attackers for obvious reasons.
financial institutions’ wide array of interconnected systems — which process millions of transactions — make them particularly susceptible to attack.These threats carry the risk not only of data breaches but of legal risks such as litigation and steep regulatory fines. The trends that present the most potential for legal risks, according to a Forbes survey, include dealing with data (69 percent), cybersecurity (47 percent), a changing regulatory environment (46 percent), fraud protection (39 percent) and digital transformation (39 percent).
Financial Institutions Face a Range of Security Challenges
Financial institutions face a wide array of threats, including phishing attacks, distributed denial of service attacks, insider threats and browser-based attacks. But perhaps just as important are institutional challenges, such as limited budgets and a lack of buy-in from leadership. Security Magazine notes that cybersecurity often takes a back seat to factors like customer satisfaction and regulatory compliance in the minds of executives, especially at smaller institutions.
“[L]eaders at smaller firms are often convinced that their firm is not worth the attacker’s time or effort,” the publication notes. “This leads to a dangerous stance of security complacency, an attitude that nothing further is required to protect the firm, based on their own erroneous assessment of limited risk.”
How Experts Rate Financial Institutions Cybersecurity
Drawing from the U.S. National Institute of Standards and Technology, Deloitte divides financial institutions into four levels of cybersecurity maturity. Organizations with “partial” maturity rank at the bottom, while “adaptive” institutions rank at the top.
- Partial:At these organizations, cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc (and sometimes reactive) manner.
- Informed: This maturity level is characterized by institutions where management has approved risk management practices, but these practices may not be established as policy across the organization.
- Repeatable: Here, an organization’s risk management practices are formally approved and expressed as policy.
- Adaptive: At this highest maturity level, organizations adapt cybersecurity practices “based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.”
Steps Financial Firms Can Take to Improve Security Practices
Forbes advises financial institutions to consider three different steps to ensure greater data security and minimize legal exposure. First of all, they should draft internal policies, procedures and contractual provisions related to the discovery, investigation, remediation and reporting of breaches.
This will prevent the problems related to “partial” maturity, where best practices aren’t followed throughout the organization, and should also ensure that leadership recognizes the importance of cybersecurity to the business. It will also help organizations cultivate what the three characteristics of “adaptive” firms: leadership and board involvement, recognition of the importance of cybersecurity beyond IT, and alignment of cybersecurity strategy with business strategy.
Next, institutions should obtain appropriate insurance coverage for various types of cyber risks and consider the adequacy of existing insurance programs. Not only will this help to mitigate risk if an institution is successfully attacked, but organizations may end up proactively improving their cybersecurity environments as a way to obtain coverage or lower their premiums.
Finally, financial institutions should seek out third-party cybersecurity partners that can help them manage their security environments and prevent data breaches.