Threat from Above: Cyber Criminals Take Aim at the Financial Services Industry

Date: August 11, 2015

These days it seems you cannot go one day without hearing about another large-scale data breach against some of the world’s largest organizations across industries, from healthcare, to retail, to finance.

As these attacks become more sophisticated and widespread, the need for vigilance and security within all organizations is all the more paramount. A recent article that appeared in a Harvard Law School Forum, What’s New in 2015: Cybersecurity – Financial Reporting and Disclosure Challenges, maintains that one of the primary challenges in 2015, along with increased regulation and transparency, is cybersecurity.

Financial Services Institutions are Prime Targets

Deloitte published a paper in 2014 on cyber risk management in the financial services industry that not only stated that the financial services industry was identified as the biggest target for cyber criminals across 26 industries, but also included the following alarming statistics:

  • 88% of cyber-attacks succeed in less than one day, but in that same time period only 21% of firms are able to discover attacks and just 40% are able to restore business.
  • 36% of financial services institutions are most concerned about financial losses resulting from cyber-attacks, while 39% are more concerned with business and reputational risk.

Cybersecurity and the accompanying processes to maintain data and information in a secure environment should be a mindset that permeates far beyond IT. It’s a methodology and approach that needs to be adopted enterprise-wide within an organization. Management consulting firm Booz Allen Hamilton outlined a comprehensive list of Cyber Trends for 2015. Two of these trends in particular have relevance and importance in the financial services industry.

Third-Party Risk

Most financial services organizations utilize numerous third-party solutions – from data warehouses to calculation engines to reporting applications – whose capabilities are woven together within the constructs of individual organizational needs and requirements. The use of multiple disparate systems has made it challenging for organizations to set up a consistent monitoring, testing and updating process designed to mitigate their security risks.

The move to a single platform that consolidates a number of these functions, combined with an active rather than passive cyber security mitigation approach, accomplishes a couple of things. It not only reduces the overall number of third-party solutions that must be incorporated into the risk mitigation strategy, but also allows for a more coordinated threat testing and update process.

Information Protection at the Database and Data Element Level

Protection of the underlying information at the enterprise solution level as well as the individual data level is a significant shift from past practices where organizations looked to simply set up larger “walls”, preventing penetration into the environment. Security at the data level is crucial and can protect companies from the severe ramifications of a cyber-attack.

Organizations will continue to set up the applicable “perimeters” around their high-value data repositories, but will coordinate and combine that defense with more security at the data layer. Methods such as chip cards, tokens and stronger encryption practices are some of the ways organizations are looking to provide additional layers of protection to sensitive information as the risk of cyber-attacks grows and the sophistication of attackers continues to increase.

If companies can protect data at the element level, then some of the most disastrous effects of cyber-attacks can be avoided. According to the Harvard Law article previously referenced, “the potential costs to a company of a successful cyber-attack can include loss of intellectual property; breach of customer data privacy; service and business interruptions; damage to physical infrastructure (e.g. corrupted servers); loss of brand value; response costs; loss of stock market value; regulatory inquiries and class action litigation; and management distraction.”

Managing Cybersecurity Risk

As the threat of attack grows each day, what can we do, and what type of framework can we put in place, for managing cybersecurity risk? In the news recently, many government officials in Washington have identified cybersecurity as a top policy priority for the nation. The U.S. government understands the role cybersecurity plays not only in its own arena, but also in the very financial foundation of this country.

While the government may take years to enact policy, here are a few recommendations that can help organizations more effectively and proactively manage their cybersecurity risk today.

  1. Implement a risk management program that includes an attack response protocol. In addition to a more generalized risk management program, organizations need a process for responding to attacks as they arise. Areas such as system and data vulnerabilities, and access by internal constituents and third parties, should be included. As with all internal processes, these plans should be frequently tested, updated and documented, with clearly defined ownership within the organization.
  2. Enhance internal education on cybersecurity through training for senior executives and for employees enterprise-wide, to ensure the appropriate steps are taken to minimize threats or areas of vulnerability within day-to-day operations.
  3. Ensure budgets include appropriate entries for audits, testing and other cybersecurity measures within the organization.
  4. Review all insurance policy provisions, including clauses for data breach and privacy claims.

As data breaches continue to affect organizations and individuals around the globe, the SEC, investors and other regulatory bodies are going to demand more diligence around mitigating the cybersecurity risk to their private information. Diligence in protecting data and information will require a more proactive approach and a more enterprise-wide cyber threat mitigation process, where all stakeholders – from the board of directors to the day-to-day operations staff – are actively involved in the protection and safeguarding of critical data.
