Cybersecurity is a fast-growing technology segment in financial services extending to branches, independent offices, RIAs and planners. With an increasing volume of cyber-attacks, this industry has had to find ways to efficiently approach incident and breach risks due to the high sensitivity and importance of data. The reality is, financial services firms are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.

Regulations Drive the Fast-Growing Cybersecurity Segment

As the cybersecurity segment grows, it has become an industry unto its own. According to industry data, “in the United States alone, more than 30 cybersecurity regulations have been released since 2014.” Key drivers for growth are regulatory and compliance demands, growth in IoT and BYOD, and the rise in malware and phishing threats. Both large and small firms often partner or outsource this critical function to manage components, layers and controls for better reporting, proof and compliance. In many cases, it is too much to manage in-house with how quickly the cyber environment and regulations shift.

The IBM / Ponemon Institute’s 13th Annual 2018 Cost of Data Breach Study states, “the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% year over year to $148.”

Why Cybersecurity in Financial Services is Critical

An SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found:

  • 88% of broker-dealers (BDs) and 74% of registered investment advisers (RIAs) experienced cyber-attacks directly or indirectly through vendors.
  • While many BDs and RIAs have adopted Written Information Security Policies (WISP), the SEC staff found gaps in cybersecurity protection among many firms.
  • More than half of the BDs and almost half of the RIAs reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of the BDs reported losses related to fraudulent emails, but no single loss in excess of $75,000.

Chief information security officers at financial services institutions also reported that up to 40% of their time was spent on compliance requirements of various regulatory frameworks, not actual cybersecurity.

Top Ways the Financial Services Industry Can Stay Cyber-Compliant

1. Understand Traits: Review Companies with the Highest Levels of Cyber Maturity
Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC) surveyed members on how they managed cyber challenges from 2017 to 2018. Core traits of companies that reached the highest maturity level as defined by (NIST) were:

  • Secure the involvement of senior leadership, both top executives and the board
  • Raise cybersecurity’s profile within the organization beyond the information technology (IT) department to give the security function higher-level attention and greater clout
  • Align cybersecurity efforts more closely with the company’s business strategy

2. Employee Education: Prioritize Protecting People-Based Attacks
The Ninth Annual Cost of Cybercrime Study from Accenture and Ponemon Institute states, “Countering internal threats is still one of the biggest challenges, with a rise in phishing and ransomware attacks as well as malicious insiders. Cyber criminals are adapting their attack methods. They are targeting the human layer—the weakest link in cyber defense—through increased ransomware and phishing, and social engineering attacks as a path to entry.”

How do you protect the “human” layer? With cybersecurity tools and planning:

  • Desktop, Laptop, Server, Virtual Server, Smartphone and Tablet Security
  • Complex Passwords
  • Email Encryption
  • Firewalls
  • Event Logs
  • Screen Savers
  • OS Patches
  • Cyber Tools (Full-Disk Encryption, Antivirus, Antimalware, Multi-Factor Authentication, etc.)
  • Threat Identification and Detection
  • Mobile Device Management
  • Device Lifecycle Management
  • Malware Detection
  • Backups
  • Data Leakage Protection
  • Cyber Posture of Devices
  • Automated Security Alerts & Reports
  • 24×7 / 365 days per year

Automation of the above reduces user confusion and ensures proper configuration and controls.

When Choosing a Cybersecurity Partner, Dig Deep

Cybersecurity Vendor Checklist

  • Years of experience in cybersecurity
  • Understanding of cyber regulations in financial services
  • Use of best-of-breed software
  • Support for Windows and MacOS desktops, laptops, servers and virtual servers
  • Support for Android and iOS smartphones and tablets
  • Support for BYOD (Bring Your Own Device)
  • Offering aligned with the NIST Framework (Identify, Protect, Detect, Respond, Recover)
  • WISP setting(s) enforcement without user involvement
  • Capacity to stop users from making changes to WISP settings
  • Installation, management and update of cyber tools without user involvement
  • Remote mass vulnerability OS update (zero-day) without user involvement
  • NIST-based Asset Inventory Report
  • 24/7 cyber monitoring detection and response
  • Incident Response expertise and track record

There will be a continuous evolution of financial services cybersecurity policies, regulations and compliance. New threats and technology advancements are on the rise. Proof is strong for having a common language like NIST that offers a framework and standards to guide companies, vendors and policy-makers in creating a secure cyber environment. Staying secure and having the ability to prove compliance is no longer an option for the often-targeted financial services industry; it is now mandatory for regulatory-compliance.

Brian Edelman is CEO and Founder of FCI, a NIST-based Managed Security Service Provider (MSSP) with a focus in the financial services industry. He is an FPA Coach on cybersecurity, and will be offering one-on-one sessions at the 2019 FPA Annual Conference.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.