The finance industry is a popular target for cyberattacks - after all, money is the main ‘product’ being processed, stored and transmitted.
Economies of scale, competition and increasing customer demand for technology-assisted access to their finances have created plenty of points of vulnerability for attackers to exploit.
Trust is a key issue for bank customers, whether corporate, small business or individual. They trust these institutions to protect their money, their privacy and their credit ratings. When (not if!) a security breach occurs, it can be a disaster for an organisation’s brand and reputation unless a well-prepared response plan is at hand.
In this two-part blog, we’ll cover the key security concerns for financial services companies.
Competition between so-called ‘fintech’ firms and established banks, together with changes to the payments landscape (Bitcoin, NPP/Osko, e-commerce, mobile commerce etc), has driven a sharp increase in the number of third-party relationships, and with it the cybersecurity risk, as technology plays an ever greater role in the finance sector.
Financial institutions outsource a number of key product and service areas, such as payments, settlements, customer service, auditing and IT. Each of these external relationships widens the attack surface, and the added complexity of managing them raises the level of risk further.
The increase in supply chain attacks over the past five years (Target in the US, compromised through a third-party vendor, is one example) shows the consequences financial institutions face when the poor security practices of third-party providers leave customer data exposed on unprotected web sites, S3 buckets and similar.
Given the number of security threats faced by financial services companies, protecting the confidentiality of client and partner data, and of their own IP, is increasingly a legal obligation with associated financial exposure. The Australian Notifiable Data Breaches legislation and the EU’s GDPR are recent examples of security becoming a key requirement.
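The exposed S3 buckets mentioned above are usually the result of two documents: the bucket ACL and the bucket policy. The following is an added example (not code from the original post) of an offline check over both documents that flags any grant to the public ACL groups or any Allow statement open to every principal. The ACL and policy below are constructed for the example; in a real audit they would be fetched with boto3’s `get_bucket_acl` and `get_bucket_policy`, and the bucket name, owner ID and VPC endpoint ID are placeholders.

```python
"""Offline check for publicly exposed S3 buckets.

Evaluates the two documents that grant access to a bucket: its ACL and
its bucket policy, in the shape the S3 API returns them. The sample
documents at the bottom are constructed for this example.
"""
import json
from typing import Optional

# Pre-defined ACL groups that make a bucket readable or writable by anyone.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl: dict) -> list:
    """Return a description of every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: dict) -> list:
    """Return a description of every Allow statement open to any principal.

    A public statement that carries a Condition block is reported as
    'conditional' rather than ignored: the condition still needs review,
    because some conditions (e.g. aws:SecureTransport) are satisfiable by
    anyone.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        qualifier = "conditional" if stmt.get("Condition") else "unconditional"
        sid = stmt.get("Sid", "<no Sid>")
        findings.append(f"policy {sid}: {qualifier} public {', '.join(actions)}")
    return findings


def bucket_exposure(acl: dict, policy: Optional[dict]) -> list:
    """Combine ACL and policy findings; an empty list means no public grant found."""
    findings = acl_public_grants(acl)
    if policy:
        findings.extend(policy_public_statements(policy))
    return findings


# Constructed sample: a misconfigured bucket with a public-read ACL, an
# unconditional public GetObject statement and a VPC-endpoint-only ListBucket.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-customer-exports",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}
  ]
}""")

if __name__ == "__main__":
    for finding in bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

One caveat when running this against real accounts: an account- or bucket-level S3 Block Public Access setting overrides public ACLs and policies, so a grant flagged here may already be neutralised; check `get_public_access_block` before raising the finding as an exposure rather than a misconfiguration.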
Increasing regulatory requirements mean large and small financial institutions need affordable cybersecurity solutions and programs in place as evidence of having “reasonable controls”.
Liability minimisation can take several forms. For example, having a cyber insurance policy in place protects the organisation from excessive financial exposure, but may not demonstrate a standard of care to customers or regulators in the event of a breach.
The evolving nature of risks
Cyber risks continue to both evolve and grow in quantity. Attackers become more sophisticated in finding new and easier entry points, while the increasing complexity of the technology delivery chain for financial services creates even more security complexity. Couple this with an expanding supply chain and the challenges look insurmountable at first.
To avoid damage to their reputation, financial institutions must take a multi-layered, enterprise-wide approach to cybersecurity: stakeholders and key decision makers from across departments, realistic cyber risk management capabilities, a collection of technical defences, sound policies and procedures, and regular cybersecurity training.
Financial institutions also need to make sure they are running up-to-date software and systems, so that known vulnerabilities in the complex technology delivery chain are patched rather than left exposed.
Legacy systems need to be replaced as they reach end of vendor support: without security patches, and against increasingly skilled attackers, older applications and infrastructure become steadily less secure.
These legacy systems may have been inherited from acquired organisations, or may carry vulnerabilities that stay in the system for years while an organisation’s other priorities lead to deferred spending on replacing or updating ‘legacy’ systems.
Keeping track of personal data
People’s personal information and transaction data is increasingly a major concern for consumer-facing companies. It’s a constant battle to keep track of where this data is, and how to protect it in an evolving cyber landscape and technology delivery chain.
While storing, and usually processing, data through third-party cloud providers is simple and inexpensive, the biggest concern is the need to distinguish critical from non-critical data, then classify and secure each data category appropriately.
Software as a Service (SaaS) solutions complicate this, since critical and sensitive data may ‘leak’ into these environments through well-intentioned teams and individuals, without any due process over the protection requirements that apply to your organisation.
Regulatory requirement changes
The ever-changing regulatory environment requires financial institutions to be agile and proactive.
For example, the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018, and the implications for financial services firms that have to operate under this regulatory framework is significant.
This regulation requires clear visibility of where every individual’s data is held, and the ability to erase that data upon request. GDPR’s impact can apply globally, since its consumer protections are afforded to any person who is in the EU when they interact with your firm.
In Australia, the Federal Government increased cybersecurity accountability by enacting the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018.
Keeping on top of these regulations means every organisation must be prepared to play its part in protecting the public when a company or government body experiences a data breach, or else face significant penalties, adverse publicity and brand damage.
Stay tuned to read part 2 on the top security concerns for financial institutions.
Struggling with your cybersecurity strategy? Learn from the industry leaders on how to build a cyber resilient enterprise with our latest whitepaper