The Federal Financial Institutions Examination Council (FFIEC) is made up of five of the largest US banking regulators, which gives the group an in-depth view of trends and threats across the sector. The FFIEC has recently stated that financial institutions have become increasingly dependent on information technology and telecommunications to deliver services.1 As a result, degradation or disruption of a system, or of the information it holds, can halt core processes and undermine confidence in the financial sector. Because threats and regulations change continually, financial institutions that want to keep their networks resilient must understand the top security challenges.
Organizations are dealing with a large number of compliance mandates and security regulations; Basel II and the Gramm-Leach-Bliley Act are two that are finance specific. The Gramm-Leach-Bliley Act, also known as the US Financial Modernization Act, requires any organization that offers financial products or services to explain its information-sharing practices to customers, including how the data it collects is safeguarded. Basel II is a set of regulations that aims to reduce the risk of internal and external fraud from unauthorized activity by establishing best practices.
There are many reasons for a financial institution to comply with these regulations. Meeting them provides a framework for securing company systems and data, and in doing so it protects the business itself. Demonstrating compliance can be costly, but the end result is a more secure organization. That reassures existing customers that their personal information is safeguarded, improves the organization's reputation and helps attract new customers. Non-compliance carries penalties. Their severity depends on the jurisdiction in which the offense occurs and on the nature of the failure, and can include fines and even imprisonment.
Being compliant does not necessarily mean being secure. Not all financial organizations identify or classify data by sensitivity or criticality, which leaves gaps in how that data is protected and increases exposure to network vulnerabilities. IBM CEO Ginni Rometty has said that cybercrime is the largest threat to every organization in the world.2 Although there are many kinds of network security threats, ransomware is the largest, with associated costs predicted to reach $11.5 billion in 2019.3 Deploying multivendor solutions without an effective management approach often leads to data being lost or stolen and makes it difficult to demonstrate that regulatory requirements are met.
3. Third Party Risk
Many financial institutions enter into partnerships and outsource services to reduce costs. Doing so gives third-party entities access to data and internal systems, which widens the attack surface and can lead to an outage. With one minute of downtime costing $5,500, this is something most organizations want to avoid.4 Just a few years ago Target, one of the largest retailers in the world, was breached when attackers gained access to its network through a third-party heating and ventilation company that had been hired to monitor its systems.5 Using the HVAC company's credentials, the attackers installed malware on point-of-sale (POS) devices and stole payment card data, affecting millions of customers. How third parties are managed can greatly increase or decrease the likelihood of such an incident. Most financial organizations manage third parties centrally, which includes ongoing monitoring and establishing protocols to reduce these risks.
4. Human Error
A 2016 IBM survey found that more than 60% of cyber attacks on financial institutions originated from inside the organization, and that finance, because of the size of its assets, was one of the three most targeted industries.6 Roughly three quarters of those insider attacks were carried out intentionally by employees; the remaining quarter resulted from human error, which can be as simple as opening a suspicious email.
5. Emerging Threats
Just last year, one of the largest Distributed Denial of Service (DDoS) attacks ever seen, driven by compromised IoT devices, took place. Attacks like these can have a large impact on a financial institution: customers are often unable to reach their accounts, the institution's websites or their funds until the attack ends. To help financial institutions keep operating without disruption from an attack, regulations and guidance are constantly being updated. One example is the NIST Cybersecurity Framework, a voluntary set of standards and practices that, by 2020, more than 50% of US organizations are expected to use.7 It calls for written policies and procedures to protect consumer information from cyber attacks.
Financial institutions constantly face a mix of customer demands, emerging threats and updated regulations. To ensure resilience for your financial network, visit our finance page to learn more.