27 Feb Compliance Report: Cyber Security Dominates Risk In The Financial Services Boardroom
Cybersecurity requirements need to be taken to the next level in the banking and global securities industry
– Rob Hegedus, CEO at Sera-Brynn
Suffolk, Va. – May 3, 2018
We all want the places that hold and process our money to be shimmering examples of cybersecurity. But as data and system protection is a process and not an end-state, there is a lot of work to be done. Here are six areas in the financial industry where cybersecurity requirements are being, or need to be, taken to the next level.
Banks: All Sizes, All Locations, All the Time
Banks have long been on the front lines of cyber warfare and theft. In 2013, South Korean financial instructions were attacked in a largescale attack by, what is now presumed, a nation-state actor. That same year, Iranian hackers targeted and hit a number of American banks in a wave of attacks that kicked some banks offline, and slowed others. The New York Times reported that the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC were disrupted.
In the five years that followed, banks have (hopefully) taken serious measures to shore up security. In the U.S., some states have enacted laws requiring financial institution to implement risk-based cybersecurity programs. Others have not. In the European Union, a game-changing law called the Payment Services Directive (PSD2) went into effect in January 2018. PSD2 will further regulate electronic payment in the EU. It will also let individuals make their financial data available to third-party providers (like Amazon), taking some control away from banks and making them more open. Strict security requirements will now attach to common banking transactions — like internet and mobile banking — in this more open EU environment.
Globally, cyber threat hunting is trending in banking. Security operations centers (SOCs) of financial industries are using human threat hunters to actively track and eliminate cyber adversaries within their respective infrastructures. The idea is that the sooner you locate the sign of an adversary in your system, the sooner you can intercept them. It’s become known as the cyber kill chain — an evolution of a military warfare term. Not all banks have the resources or can find the talent to perform in-house threat hunting, but it’s an effective tool. With the rise of mobile banking, it’s a service worth considering.
More Cybersecurity Transparency in Mergers & Acquisitions
Poor cybersecurity oversight during financial institution mergers and acquisitions increases risk. A cyber risk assessment of a targeted acquisition could help avoid unexpected and costly IT integration issues and unexpected liability. We know that data and system breaches can remain undiscovered and unreported for long periods of time. The timeline of the Equifax hack, which is proving to be one of the most costly hacks in history, is a good example. (The breach occurred between May and July 2017. It was detected July 29 and made public September 7.) From our perspective, this timeline is not atypical. The time from a data breach to containment is often months, sometimes even years.
An accurate valuation of a business should include an assessment on the integrity of its digital environment. It does not need to be a guessing game. Cyber resiliency can now be measured. There are a multitude of appropriate cyber standards against which an organization can be assessed by an independent cybersecurity auditor. With the ability to measure a cybersecurity program, comes the ability to value it.
Global Securities Market
While bank cybersecurity is highly-desired, the stakes are higher in the global securities market. Global financial stability is at stake. If a securities exchange is unable to settle obligations when they are due, or at least by the end of the value date, the global economic consequences will be severe.
The International Organization of Securities Commissions (IOSO), an international body and standard-setter in the securities sector, issued public guidance in 2016 on cyber resilience for financial market infrastructures. The basis of the guidance is that the integrity and availability of the financial infrastructure must be maintained. More specifically, the IOSO strongly recommended that cyber resilience should include the ability to quickly recover from a cyber incident. The financial infrastructure should be able to safely resume all critical operations within two hours of a cyber disruption — even in extreme situations. Global securities markets are critical infrastructure on a worldwide scale, warranting the highest level of cybersecurity support.
And that Brings Us to Bitcoin Exchanges
Bitcoin exchanges, many of which act as virtual banks, are at the center of the perfect storm of cyber risk: they are largely unregulated, there is no deposit insurance backing them up, and they are prized targets for cybercriminals. Many bitcoin exchanges are speculative start-up ventures; many more go out of business within a year of opening. Others are experiencing rapid growth. In 2014, hackers stole about $350 million in bitcoins from Tokyo’s MtGox exchange. The Wall Street Journal reported that since 2014, investors have lost about $1.4 billion in hacks of cryptocurrency exchanges. Cybercriminals know how to take advantage of a business that is growing too fast to keep up with key technology updates.
Cybersecurity Transparency in Securities Transactions
In March 2018, the U.S. Securities and Exchange Commission (SEC) published guidance indicating that the mandatory disclosure law in effect for publicly-traded companies definitely covers cyber incidents and events. Conceptually, in the U.S., companies and businesses have to disclose on events that make their securities risky or speculative. It’s a way to level the playing field. However, there is evidence that when a business reports a cyber-attack, it actually invites more cyber-attacks. So while silence may be desirable, it’s not possible. In the case of a publicly-traded company with disclosure requirements, the need to recover from an attack and immediately build cyber resiliency becomes even more important.
Cybersecurity Reporting to Boards of Directors
Data security and IT risk continue to dominate board level discussions. The trend in emerging cybersecurity regulations in the financial industry is to include some sort of requirement that boards of directors are at least briefed on cybersecurity events and cyber risk. In general, best practice is for boards to have situational awareness of the full spectrum of cybersecurity considerations — including the results of recent risk assessments, the threat landscape, and a general knowledge of the processes, procedures and controls involved with building cyber resilience. The research firm Gartner projects that by 2020, 100 percent of large enterprises will have to report to their boards on cybersecurity and technology risk annually (or more frequently), up from 40 percent today.
Understanding cyber risk is actually good practice for all levels of leadership and employees. The financial industry, in all its forms, will be constantly challenged to keep up with cybersecurity regulations and best practices, many of which will change rapidly. From global exchanges to small community banks, smart cybersecurity will benefit all.
– Rob Hegedus is CEO at Sera-Brynn, a global Cybersecurity Audit and Advisory firm.
Contributors: Colleen H. Johnson, Senior Cyber Legal Analyst; Heather Engel, Chief Strategy Officer.
Sera-Brynn is a global cyber risk management audit and advisory firm. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list. Sera-Brynn’s clients include many of the world’s most admired and recognized brands. Sera-Brynn is also the only cybersecurity firm in North America directly partnered with a large multi-billion-dollar financial institution, providing it unique insight into and experience with the global financial network.
