The financial services sector has been commended for being a step ahead of all other critical infrastructure sectors in their cybersecurity approach. Realizing the value of the data it is entrusted with like banking records and personal identifiable information (PII), and the detrimental impact of cyber breaches, this critical sector is seen as a leading figure in risk and compliance.
Financial service companies were the first to enlist the help of CISOs and have led in IT/security spending. According to the IDC Worldwide Semiannual Security Spending Guide, the banking industry is expected to invest more than 35% of its spending on security solutions and integration services. As the banking system continues to digitize, the financial services industry has a host of strict regulations that lay the foundation for security strategies and mandate compliance as the risk environment changes.
Sarbanes-Oxley Act, or SOX, mandates that firms must be able to prove that they have adequate cybersecurity programs and standards in place to remain compliant. The Bank Secrecy Act (BSA) reviews the legitimacy of currency transactions to prevent financial organizations from being manipulated into laundering or hiding money. This also allows auditors to examine a company’s cyber risk plans to ensure that threats can be contained or mitigated. Financial institutions are also subject to global standards like the Payment Card Industry Data Security Standard (PCI DSS) which regulates the handling of credit card information.
In addition to these regulations, financial institutions are subject to paying hefty fines for security breaches. In the case of the Capital One mega breach, which affected 100 million customers and leaked 140,000 social security numbers and 80,000 bank numbers, the company paid an $80 million fine.
Financial services enterprises are difficult to hack, but cybercriminals have successfully targeted and hacked large institutions time and time again. In 2019, financial services accounted for only 6% of data breaches, but that 6% translated into 60% of all leaked records in that year. The past year put even more targets on the backs of the financial sector as remote work setups, stimulus funds, and PPP loans became lucrative avenues to exploit.
There is no doubt that the financial services sector is miles ahead of other critical infrastructure sectors. Unlike the healthcare sector or transportation sector, financial services has strict compliance regulations, fines, and greater security budgets. In addition, this sector stands out from the rest with its communication networks in which companies can share regular changes with each other and inform of potential risks. Yet, many businesses struggle to scale their security programs over their large businesses and it leaves gaps for hackers to exploit.
The Current State of Affairs
Despite concerted efforts to raise up cybersecurity standards within the industry, there are considerable gaps that need to be addressed - starting with cyber-aware employees. According to IBM’s 2019 X-Force Intelligence Index, 29% of reported attacks were due to employees falling for phishing emails. A well-resourced IT team is not enough to protect an enterprise against breaching tactics if the staff, from C-suite to OT, is not prepped on healthy cyber practices.
In 2020, the cost of business email compromise (BEC) came to $1.86 billion - which accounted for half of all reported cybercrime losses. Financial enterprises can receive tens of thousands of vulnerability alerts a day, in order to aid IT teams from the deluge of alerts - all employees should receive in-depth security training on advanced phishing techniques, insider threat behavior, and risk-aware environments.
Digitization has helped the finance industry connect its consumers to services from mobile devices anywhere in the world. Businesses will have to contend with the risks involved with increased endpoint device usage which means more entry points for cybercriminals and greater difficulty in tracking data.
Similar to other sectors, the cloud transition has been difficult to adjust to. Using third-party vendors for cloud solutions, organizations make the mistake of assuming that the data stored will automatically be protected. Third-party vendors and financial organizations need to collaborate on security protocols, maintain compliance and perform regular assessments to efficiently track data and ensure that proper controls are in place.
The Info-Sharing Networks of Financial Services
Unique to this industry has been the global wave of info-sharing partnerships between private and public agencies. From the US FinCEN Exchange to the Hong Kong Fraud and Money Laundering Intelligence Taskforce (FMLT), these partnerships have been set up to examine the effectiveness of investments in governance, risk, and compliance management. Nearly 20 countries have established such networks in hopes that a voluntary and collaborative approach will provide enriched data and real-time feedback on security vulnerabilities and suspicious activity.
FinCEN issued Section 314(b) as part of the US PATRIOT Act which allows financial institutions to share information with other companies within the sector. Enterprises are able to share valuable information in a safe harbor that offers protection from liabilities. By sharing data on vulnerabilities, suspicious transactions, and security risks and controls, public and private agencies can improve their ability to identify and report on money laundering and terrorist financing schemes. This will also alert other financial enterprises of customers who have been flagged for dubious activity.
Over time, this will build a comprehensive data bank on suspicious behavior and best practices for privacy and asset management. Businesses can also reap the benefits of shared knowledge to draw on capabilities they may not own internally.
While these partnerships urge the sharing of knowledge, the transition has not been as seamless. There are flaws in the system that need to be remediated. According to experts, of the 80-90% of suspicious activity reported, only 1% of transactions will be frozen and confiscated. The main challenge is that data privacy has strict regulations and unique ones from state to state and country to country. With regulations like GDPR and the California Consumer Privacy Act in place, businesses will have to cautiously share information.
There are two main veins of information that should be shared and can be done so without exposing PII. Partners can co-develop typologies that cover general cybersecurity risks, financial crime threats and compile suspicious behavior indicators. When regulations allow, financial institutions should share tactical data, including identifying information, to relevant intelligence services. For the US, law enforcement agencies, through FinCEN, can request groups of or individual financial institutions for information when investigating money laundering or financial terrorism. By providing strategic and tactical information, when allowed, the financial services enterprises will gain real-time information of sector-wide vulnerabilities, compliance shifts, lessen duplicate efforts and advance financial investigations.
Approaching a Proactive Strategy
For the financial sector to capitalize on the investments made in cybersecurity, there needs to be a shift from reactively managing to proactively managing risks. According to a survey conducted by the Ponemon Institute, financial enterprises are 56% efficient in detecting security threats, but only 36% effective at preventing attacks.
Institutions can still reshape the state of cybersecurity if they build upon the regulations in place, collaboratively share information and implement new security measures to adapt to remote workspaces and cloud usage.
Using a Zero Trust security framework mandates that all employees must be continuously authenticated and authorized before they access company data or applications. Through this framework, companies can monitor users and device access and privilege. The National Institute of Standard and Technology (NIST) SP 800-207 and Gartner’s CARTA, both describe Zero Trust as an efficient method to combat changing network trends. With increased endpoint device usage and third-party cloud applications, Zero Trust is an added layer of security and a more efficient method of tracking information storage.
Malware and phishing continue to be the largest threats to security. Implementing network access controls (NAC) will aid security teams in monitoring device usage on a given network and data flow. NACs can also manage employee privileges which should be limited to those who absolutely need them. Anti-phishing web browser software and designating login points and which devices can be used are also methods that will prevent malware threats.
Information sharing networks will provide law enforcement agencies and financial enterprises with a bank of knowledge to learn from. With this network information, institutions can mature their security strategy against the shifting tide of technology and the sophisticated threats that come with it.
The banking industry has made leaps and bounds of progress compared to other critical infrastructure sectors. And this sector continues to invest and introduce new strategies and programs to safeguard itself from growing threats. As one of the most lucrative industries to target, the global movement to create a risk database partnership with public agencies is a huge step forward. It is something other sectors have not even considered.
The security gaps that arise with scaling complications can be mitigated at a faster rate by utilizing the information provided in these networks. The fight against malware, money laundering, and financial terrorism is now a shared struggle. With well-resourced and revitalized security programs, financial institutions will continue to outperform other sectors in risk management and bypass reputation damage and financial loss.
The Next Steps to Take
The financial services sector will remain a valuable target for cybercriminals. Like all other critical infrastructure sectors, security attempts will never cease but they can be prevented from becoming full breaches. Financial services outspend all other sectors in cybersecurity and most intend to increase their budget allocation. Efficient utilization of these resources should focus on malware prevention tactics, risk-awareness training, and collaboration through information sharing partnerships to provide enhanced and applicable data for sector-wide usage.
To learn more about security tactics and risk management in the financial services sector, check out our webinar. To learn how CyberStrong can be a vital cybersecurity assessment tool for you, contact us.