Financial institutions are the leading targets of cybercrime, including extortion, theft, and fraud, accounting for over 20 percent of all cyber-attacks. In fact, financial services firms are 300 times as likely as other companies to be targeted.
Threats can include phishing schemes, ransomware, other malware attacks, and even insider activity. In this environment, boards must play a key role in guiding and assessing security strategies.
The risks to financial institutions have been complicated by rapid digitisation and disrupted working habits.
To keep up with changing technology and customer expectations, the last decade has seen widespread investment and transition to digital service provision.
This shift to digital was accelerated by the pandemic, forcing many institutions to bring forward their transformation timelines.
However, the explosion of digital financial services and mobile banking has also expanded the available attack surface that criminals can exploit. During the pandemic, the number of cyber-attacks rose by over 200%.
In this charged environment, cybersecurity must be a key concern for everyone in financial services organisations, from boards to frontline staff.
The impact of financial crime is significant and growing.
Accenture estimates that banks will lose $347 billion to cybercrime in the coming years. Alongside the loss of revenue and reputation involved comes the risk of financial penalties and regulator scrutiny.
Maintaining customer confidence is also a key concern. Customers trust institutions with their financial information and livelihood.
Financial services businesses must demonstrate the ability to preserve confidentiality, maintain the availability of systems and services, and guard the integrity of data.
While cybersecurity awareness has grown in the financial sector along with new defences, the threats are constantly evolving.
In this guide, we explore the five key questions that financial boards need to be asking to be prepared for these challenges and the solutions arising to protect businesses and customers.
New rules in place from March 2022 require firms to proactively address disruption to important business services from a range of events, including a cyber-attack, technical glitches, and power outages.
Meanwhile, in Europe, the proposed Digital Operational Resilience Act (DORA) would introduce an EU-wide regulatory framework on digital operational resilience for a wide range of financial services firms, focusing on business continuity and the management of third-party risk.
However, many institutions are held back by outdated technology.
Legacy core operational systems are one of the major barriers to digital transformation.
They are unnecessarily slow to update and fix, with a shortage of expertise available in the market to work on them. Repair work is necessarily slow due to disconnected systems, large code bases, and outdated workflows.
When it comes to a cyber-attack, every hour of downtime is lost revenue, trust, and resources. With cyber-attacks a near certainty, businesses need to prioritise quick recovery and data security.
For leading financial firms, modern systems and security protocols can reduce the cost of a breach by as much as 72 percent, saving $273,000 per breach.
At an average of 22 incidents per year, these savings add up to potentially $6 million annually for the average firm.
Cybersecurity is a constantly evolving field - now more than ever.
Making your people an asset in detecting and solving threats requires the right training, structures, and protocols.
Financial institutions have invested heavily in some areas, such as ‘don’t click the link’ training to avoid traditional phishing.
The result is that the sector is one of the least vulnerable to traditional phishing, with only 8.5% of targets opening malicious links or attachments, but tactics are always evolving.
The cost of BEC (business email compromise) attacks has reached $1.86bn, accounting for almost half of all reported cybercrime losses.
As the volume and complexity of cyber risks and threats grow, financial institutions need to invest in threat detection, solutions, and recovery.
However, with scalability a necessity, businesses will need to augment their human analysts with additional technological capabilities.
While cyber threats are becoming more numerous and complex, the ongoing cybersecurity skills gap means that there are simply not enough professionals with the right skills to tackle the problem.
In practice, security analysts typically receive more alerts than they can handle, particularly if alert parameters are not clearly defined.
This is exacerbated by the expanding network of interconnected systems that must be monitored.
In complex ecosystems, traditional indicators of compromise may not always capture the breadth or nature of a cybersecurity threat or attack campaign, possibly leading to false-alert fatigue and missed detections among security analysts.
Meanwhile, attackers and adversaries are increasingly using automated and AI-driven tools to penetrate and attack corporate networks. Defences need to adapt.
As financial services become increasingly digitised, cybersecurity will grow in scope and importance, becoming integrated into every part of the organisation.
In the modern financial landscape, every service is a digital service, bringing a new level of risk.
Meanwhile, changing working habits have created a more distributed workforce with an expanded surface for vulnerabilities.
Cyber-readiness is no longer a matter of managing threats, but a core business operational capability. Accordingly, reporting on cybersecurity needs to evolve beyond simple incident tracking towards continuous optimisation to stay ahead of evolving threats.
For modern boards, cybersecurity must be an essential part of every project plan and scope – included alongside other measures of risk.
In the same way, boards must decide their risk tolerance for cybersecurity to guide management’s resourcing and spending so that they can address the consistent and persistent risks inherent in this area.
In the course of conducting day-to-day business, financial institutions deal with large amounts of sensitive information.
This passes through external and internal stakeholders, being enriched, amended, and updated. Breaches in this chain are costly, on multiple fronts.
Financial institutions are strictly regulated, making data breaches especially dangerous, as organisations face reputational damage, fines, and remediation costs, in addition to compensating for lost funds.
The implementation of GDPR has expanded the number and scale of fines relating to data and privacy, while jurisdictions around the world have been introducing stricter data laws.
Financial institutions need a secure way to send and receive sensitive documents and protect customers from email interception and fraud.
Financial institutions need an end-to-end communication solution that can protect internal resources and transfer data securely between parties, finding the right combination of security and flexibility.
Keeping up with the rapid changes taking place in the cybersecurity landscape while maintaining service levels and core systems is one of the chief challenges for financial providers, platforms, and intermediaries.
To maintain competitive positioning, institutions must prioritise solutions that maximise security and minimise service disruption, cost, and risk.
Mailock is a secure email solution designed specifically for the financial services industry that integrates easily with existing systems and processes. It uses the most secure encryption technology with no disruption to the email recipient experience.
In a click, you can exchange files quickly and securely with advisers, clients, and customers, minimising paper and protecting against interception and fraud.
The cybersecurity posture of financial-services companies, McKinsey, 2020
Cyber Threat Intelligence Report, Accenture, 2022
Cyber security breaches survey 2024, UK Government, 2024
Cost of a data breach 2023: Financial industry impacts, Security Intelligence, 2023
Cybersecurity Threat Report, Cyber Edge, 2023
Financial Services Risk Trends, Allianz, 2023
73% of cybersecurity leaders allocating budget to advanced solutions, CIO, 2022
Sabrina McClune, 27.06.24
Sam Kendall, 05.06.24