The financial services sector has been through tremendous adversity since the Great Recession. Institutions have emerged from the financial crisis only to find tougher regulations and constant threats from cyber attacks. In fact, these recent cyber attacks and data breaches are changing the way banks operate and view risk.
The cost of cybersecurity breaches for the financial services industry includes not only financial losses but also damage to reputation and a reduction in customer confidence, as in the case of Wells Fargo. Repeated security breaches can severely impact the long-term health of a financial institution. Understanding these threats, identifying them, and implementing strategies to mitigate damage are essential for the financial well-being of an institution.
An Enterprise-Wide Approach To Cyber Security
Cyber risk can often be considered a non-traditional risk to an institution. However, in reality, cyber risk should be treated as any other risk to an institution. Cyber risks should be part of the enterprise risk management at a holistic enterprise-wide level just like credit, market, operational and liquidity risk.
Reacting To Cyber Threats Is A Risk In Itself
Financial institutions must take a proactive stance when it comes to combating cyber threats. Investing in new technologies is an important part of an enterprise-wide solution. Using those technologies proactively to identify, understand and prevent cyber attacks is critical. This holistic approach involves monitoring, testing and experimenting to identify risks. A cyber defense policy should be proactive rather than reactive, as threats are always changing and becoming more sophisticated. As the threats evolve, so too does the regulatory landscape. Consistent testing and monitoring can not only prevent attacks but also prevent costly compliance violations.
Traditional Testing Fails In Detecting Cyber Threats
Although it’s important to test and monitor for cyber threats, an over-reliance on traditional testing techniques can be a risk in itself. Traditional testing relies on stress testing models, in which statistical models forecast the amount of capital or liquidity needed to cover losses in the event of stress. Cyber risk is not statistical. A cyber threat is random and malicious and doesn’t happen in a predictable statistical fashion.
For cyber risk management, information security and identifying vulnerabilities in IT systems are of paramount importance. For example, identifying anomalies in a bank’s network traffic might help to home in on and prevent a cyber attack.
Look Within For Breakdowns In Cyber Security
Many financial institutions’ security breaches are the result of an employee’s actions, albeit in most cases by accident or as the result of poor training. Whether it’s negligence in following security measures or inadequate training in identifying and preventing cyber threats, the human element of cybersecurity is a critical component of the enterprise-wide solution. Proper training in security threat identification and threat monitoring should be embedded in a holistic internal program that’s standardized throughout the institution. Proper and consistent training can help eliminate a silo-driven mentality and gaps in security.
Old Systems Habits Die Hard
The most common data breaches in the financial industry are due to the lack of two-factor authentication. Institutions are still using the username and password combination as the primary means of access to their systems. In 2015, 63% of confirmed data breaches were caused by a password-related hack or theft. In short, cybercriminals are using old vulnerabilities to gain access to data and financial information.
Investing In New Technologies
Investing in technologies that facilitate an institution’s enterprise-wide data visualization strategy can help identify and prevent threats from the outside and inside.
Some banks have begun using biometric authentication at ATMs. Other banks are exploring voice authentication methods. Citigroup has already registered 250,000 customers under its voiceprints system, which identifies customers quickly when they call the bank’s customer service center.
MasterCard has created what it calls selfie-pay, which uses face recognition software to approve online purchases in parts of the U.S.
In all of these cases, the recognition will be matched to reference data within the institution, placing increasing importance on a holistic approach to investing in data management.
Over-Reliance On The IT Team
Cyber threats and security affect the entire institution, not just the IT department. Cyber risk management is far more efficient with a top-down approach across the whole enterprise, including the IT department. If an institution is over-reliant on its IT department and, as a result, uses a silo-driven method of identifying and thwarting potential threats, it is likely to be vulnerable to cyber attacks and regulatory violations.
A successful enterprise risk management approach to cyber security creates a transparent view on a holistic level of emerging cyber risks, gaps and vulnerabilities in the existing legacy systems, and helps to identify potential threats and security concerns.
By visualizing cyber threats across the entire enterprise, new technologies can be implemented, employee training can be enhanced, and threat monitoring techniques can be updated continuously to prevent data breaches, cyber attacks, and ultimately financial losses and regulatory violations.