As the financial services industry becomes increasingly technological, so does the threat of cybersecurity attacks. New technologies like internet banking and smartphone apps broaden the attack surface and introduce new vulnerabilities. Hence, the rising number of attacks against financial services businesses reflects this growing reliance on technology. In addition, some of the attacks may be related to the increasing usage of big data by financial organizations: by tapping into consumer databases and social media, financial institutions can gain valuable information about their existing customers and attract new ones, but the data they collect is itself a target.
The impact of cybersecurity on financial services companies is a significant concern for the industry as customers are moving away from using checks and cash to electronic banking. Cybercrime is rising, and the financial services industry is not immune. Regulatory requirements are increasing pressure for cybersecurity in the financial services industry, but they are also the biggest reason consumers feel safe working with financial institutions. Companies need to develop written cybersecurity programs, implement robust cybersecurity standards, and create an internal reporting system. Financial services companies should also prepare for future audits by financial regulators and ensure employees are trained on cybersecurity.
While cyberattacks against financial institutions in high-income countries usually make the news, cyberattacks on softer targets are also on the rise. Many countries have leapfrogged to digital financial services, which presents a rich target for cybercriminals. In Uganda, for instance, a hack of one of the largest mobile money networks led to a four-day outage. It could be indicative of the broader impact of cybercrime on financial institutions.
The financial services industry is heavily regulated, and the May executive order only adds to the complexity. Nevertheless, compliance with cybersecurity regulations is essential to protect against cybersecurity breaches. As a result, financial services companies must develop comprehensive cybersecurity programs, create internal controls for cybersecurity incident disclosure, and cultivate a culture of cybersecurity compliance. Weigh the advantages and disadvantages of each cybersecurity program to identify which one is most appropriate for your organization. Regulatory compliance requirements are becoming more stringent, and falling behind them is a recipe for disaster in the financial services industry.
As technology and cyber-threats continue to evolve, it’s vital to stay abreast of the latest trends and best practices in cybersecurity. In February, FINRA released a Report on Cybersecurity Practices that doesn’t impose new industry rules but explicitly outlines best practices and expects member firms to prioritize cybersecurity and allocate sufficient resources to manage the risks. Further, FINRA issues information security bulletins, alerting member firms to specific attack behavior. These bulletins provide the means for financial services firms to respond effectively to these threats.
Managing vendor risk
Managing vendor risk in the financial services industry involves establishing contractual and operating policies and procedures to ensure that financial institutions don’t incur risks that might make it difficult to perform their obligations. Contractual terms and conditions are legally binding and should be carefully crafted. Financial institutions should consult with legal counsel to ensure their interests are protected and all possible contingencies are considered. The contract should clearly state the expectations of both the financial institution and the vendor. It is also crucial to periodically review contract performance and operational issues to ensure that the conditions are met.
Vendor contracts should clearly state which activities are considered risky and express the vendors’ commitment to mitigating those risks. Vendor agreements and service-level agreements should be carefully reviewed, as incentives may cause fraudulent activity or a lack of adherence to contractual obligations. Regular oversight of the vendor’s activities should include independent testing and monitoring. This way, vendors can be held accountable for delivering quality services and meeting all agreed-upon levels.
While a typical community-based financial institution has revenues roughly four percent below those of a large bank, it should still invest in cybersecurity. Depending on size, such institutions can spend anywhere from twenty to ninety percent of their revenues. One source estimates that cybersecurity costs are around $2,300 per FTE, a figure that should be applied across different asset sizes. It should be noted that these costs are not necessarily proportionate to the level of protection provided.
In 2018, cybersecurity costs for the financial services industry increased. The average cost per employee was $243,101 – up by 44% from the previous year – while ransomware, phishing and social engineering, and web-based attacks cost $84,954 each. According to reports, the most expensive cybersecurity attacks were those by malicious insiders, which also took the longest time to resolve. Ransomware, for example, took nearly five months to resolve. Meanwhile, the fastest-resolved cybersecurity attacks were web-based attacks and malicious code.
Security is a top priority for the financial services industry, and it cannot be achieved at the expense of network performance. The financial sector is a complex amalgam of many smaller businesses. One of the greatest challenges for financial services organizations is vetting and managing these third-party vendors. Third-party vendors can introduce cyber risk to financial institutions. Consequently, financial institutions need to develop an efficient process for vetting these vendors and improving their security posture.
The financial services industry is vulnerable to cyberattacks and sophisticated schemes, and regulators are increasing pressure to protect consumer information. Cyberattacks can erode consumer trust and damage the reputation of financial services firms. Cloud-based botnets have hijacked processing power, and distributed denial-of-service attacks have become more sophisticated.