Board discussing cybersecurity at board room table
Article
8 min

Financial Services Cybersecurity: 5 Questions Boards Should Be Asking

Financial institutions are the leading targets of cybercrime, including extortion, theft, and fraud, accounting for over 20 percent of all cyber-attacks. In fact, financial services firms are 300 times as likely as other companies to be targeted.

Threats can include phishing schemes, ransomware, other malware attacks, and even insider activity. In this environment, boards must play a key role in guiding and assessing security strategies.

The Changing Risk Landscape

The risks to financial institutions have been complicated by rapid digitisation and disrupted working habits.

To keep up with changing technology and customer expectations, the last decade has seen widespread investment and transition to digital service provision.

This shift to digital was accelerated by the pandemic, forcing many institutions to bring forward their transformation timelines.

However, the explosion of digital financial services and mobile banking has also expanded the available attack surface that criminals can exploit. During the pandemic, the number of cyber-attacks rose by over 200%.

Financial institutions are primary targets of cybercrime, facing a range of threats

In this charged environment, cybersecurity must be a key concern for everyone in financial services organisations, from boards to frontline staff.

The Cost of Financial Crime

The impact of financial crime is significant and growing.

Accenture estimates that banks will lose $347 billion to cybercrime in the coming years. Alongside the loss of revenue and reputation involved comes the risk of financial penalties and regulator scrutiny.

Maintaining customer confidence is also a key concern. Customers trust institutions with their financial information and livelihood.

Financial services businesses must demonstrate the ability to preserve confidentiality, maintain the availability of systems and services, and guard the integrity of data.

While cybersecurity awareness has grown in the financial sector along with new defences, the threats are constantly evolving.

In this guide, we explore the five key questions that financial boards need to be asking to be prepared for these challenges and the solutions arising to protect businesses and customers.

Cyber Attacks Are No Longer a Matter of ‘If’, But When

New rules in place from March 2022 require firms to proactively address disruption to important business services from a range of events, including a cyber-attack, technical glitches, and power outages.

Meanwhile, in Europe, the proposed Digital Operational Resilience Act (DORA) would introduce an EU-wide regulatory framework on digital operational resilience for a wide range of financial services firms, focusing on business continuity and the management of third-party risk.

However, many institutions are held back by outdated technology.

1. How Resilient Are Our Systems?

Legacy core operational systems are one of the major barriers to digital transformation.

They are unnecessarily slow to update and fix, with a shortage of expertise available in the market to work on them. Repair work is necessarily slow due to disconnected systems, large code bases, and outdated workflows.

When it comes to a cyber-attack, every hour of downtime is lost revenue, trust, and resources. With cyber-attacks a near certainty, businesses need to prioritise quick recovery and data security.

The Challenge

  • Investment in technology and systems to detect issues sooner to provide maximum response time.
  • Established data and disaster recovery protocols with backups of essential data off-site that can be restored if an attack impacts business. With robust, verified backups, fast system recovery means quick operational spring-back.
  • Documented threat response protocols to standardise your approach to issues and limit the impact of cyber-attacks to a disruption rather than a disaster.

For leading financial firms, modern systems and security protocols can reduce the cost of a breach by as much as 72 percent, saving $273,000 per breach.

At an average of 22 incidents per year, these savings add up to potentially $6 million annually for the average firm.

The Solutions

  • Automated penetration testing.
  • Security Information and Event Management (SIEM) systems to comply with necessary mandates more efficiently and track issues.
  • AI and ML-powered fraud detection algorithms to spot suspicious activity.
  • Smart incident resolution to handle low-level issues and automated attacks.

2. Are Our People Empowered To Be Part Of The Solution?

Cybersecurity is a constantly evolving field - now more than ever.

Making your people an asset in detecting and solving threats requires the right training, structures, and protocols.

The Challenge

Financial institutions have invested heavily in some areas, such as ‘don’t click the link’ training to avoid traditional phishing.

The result is that the sector is one of the least vulnerable to traditional phishing, with only 8.5% of targets opening malicious links or attachments, but tactics are always evolving.

The cost of BEC (business email compromise) attacks has reached $1.86bn, accounting for almost half of all reported cybercrime losses.

The Solutions

  • Top management should periodically rehearse scenarios to prepare and respond to a major cyber incident - building resilience and business continuity planning is absolutely key to reducing the impact.
  • Protocols should be formalised in systems that strictly manage permissions, known as ‘Privileged access management’ where user credentials and privileges are honed, controlled, and audited.
  • Cybersecurity should be considered a C-level priority, bringing security leaders to the highest level of the business.
  • Cybersecurity also needs to adapt to new working habits, including expanding ‘Endpoint Detect and Respond’ (EDR) to support and secure the hybrid workforce. 70 percent of organisations report setting aside a budget for extended EDR (XDR).
  • Employees need to be regarded as part of the cybersecurity team with corresponding investment in training and education. This includes regular refreshes to keep up with changes in the landscape.

Empowering employees and maintaining scalable systems are crucial

3. Are Our Systems Scalable?

As the volume and complexity of cyber risks and threats grow, financial institutions need to invest in threat detection, solutions, and recovery.

However, with scalability a necessity, businesses will need to augment their human analysts with additional technological capabilities.

The Challenge

While cyber threats are becoming more numerous and complex, the ongoing cybersecurity skills gap means that there are simply not enough professionals with the right skills to tackle the problem.

In practice, security analysts typically receive more alerts than they can handle, particularly if alert parameters are not clearly defined.

This is exacerbated by the expanding network of interconnected systems that must be monitored.

In complex ecosystems, traditional indicators of compromise may not always capture the breadth or nature of a cybersecurity threat or attack campaign, possibly leading to false alert fatigue and missed detections with security analysts.

Meanwhile, attackers and adversaries are increasingly using automated & AI-driven tools to penetrate and attack corporate networks. Defences need to adapt.

The Solutions

  • Automated penetration testing.
  • Security Information and Event Management (SIEM) systems to comply with necessary mandates more efficiently and track issues.
  • AI and ML-powered fraud detection algorithms to spot suspicious activity.
  • Smart incident resolution to handle low-level issues and automated attacks.

4. How Do We Track and Assess Cyber Risk Long Term?

As financial services become increasingly digitised, the scope, importance, and integration of cybersecurity will become increasingly essential, embedded in every part of the organisation.

The Challenge

In the modern financial landscape, every service is a digital service, bringing a new level of risk.

Meanwhile, changing working habits have created a more distributed workforce with an expanded surface for vulnerabilities.

Cyber-readiness is no longer a matter of managing threats, but a core business operational capability. Accordingly, reporting on cybersecurity needs to evolve beyond simple incident tracking to a version of continuous optimisation to stay ahead of evolving threats.

The Solutions

  • Forming technology committees with a mandate that includes cyber oversight.
  • Expanding protocols in the event of an attack to include broad groups of senior managers, not just the people directly fixing the issue.
  • Elevating reporting on cybersecurity to a C-level concern with plans for every department.
  • Expanding oversight to include not just the state of systems but intelligence on threats, case studies of breaches, and the impact of regulatory changes.

For modern boards, cybersecurity must be an essential part of every project plan and scope – included alongside other measures of risk.

In the same way, boards must decide their risk tolerance for cybersecurity to guide management’s resourcing and spending so that they can address the consistent and persistent risks inherent in this area.

5. How Secure Is Our Communication?

In the course of conducting day-to-day business, financial institutions deal with large amounts of sensitive information.

This passes through external and internal stakeholders, being enriched, amended, and updated. Breaches in this chain are costly, on multiple fronts.

The Challenge

Financial institutions are strictly regulated, making data breaches especially dangerous, as organisations face reputational damage, fines, and remediation costs, in addition to compensating the lost funds.

The implementation of GDPR has expanded the number and scale of fines for data and privacy while jurisdictions around the world have been introducing stricter data laws.

Financial institutions need a secure way to send and receive sensitive documents and protect customers from email interception and fraud.

The Solutions

  • Stakeholders can send sensitive documents and forms to customers over an encrypted email channel, directly to their inbox.
  • All customer replies should equally be protected, including when sensitive documents are attached.
  • Inefficient paper-based systems should be replaced with secure, centralised, paperless digital communications.

Secure communication is essential to protect sensitive information and comply with regulations

Financial institutions need an end-to-end communication solution that can protect internal resources and transfer data securely between parties, finding the right combination of security and flexibility.

Staying Ahead of the Cybersecurity Curve

Keeping up with the rapid changes taking place in the cybersecurity landscape while maintaining service levels and core systems is one of the chief challenges for financial providers, platforms, and intermediaries.

To maintain competitive positioning, institutions must prioritise solutions that maximise security and minimise service disruption, cost, and risk.

Communicate with Confidence

Mailock is a secure email solution designed specifically for the financial services industry that integrates easily with existing systems and processes. It uses the most secure encryption technology with no disruption to the email recipient experience.

In a click, you can exchange files quickly and securely with advisers, clients, and customers, minimising paper and protecting against interception and fraud.

Deliver sensitive information securely with Mailock

References:

The cybersecurity posture of financial-services companies, McKinsey, 2020

Cyber Threat Intelligence Report, Accenture, 2022

Cyber security breaches survey 2024, UK Government, 2024

Cost of a data breach 2023: Financial industry impacts, Security Intelligence, 2023

Cybersecurity Threat Report, Cyber Edge, 2023

Financial Services Risk Trends, Allianz, 2023

73% of cybersecurity leaders allocating budget to advanced solutions, CIO, 2022

Reviewed By:

Sabrina McClune, 27.06.24

Sam Kendall, 05.06.24

 

Originally posted on 04 05 22
Last updated on July 9, 2024

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.

Return to listing