Cybersecurity
Phishing. Ransomware. DDoS attacks. These are terms financial services security professionals have come to know intimately—and despise. Amid threats from individual actors and organised attackers, security teams have had to step up. As attacks have become more sophisticated, regulators are raising their level of scrutiny, and global cybersecurity and privacy legislation are changing. It’s a big challenge for firms that have come to rely so heavily on digital technology.
Threat actors keep finding weaknesses to exploit. According to our Global State of Information Security® (GSIS) Survey, the most common type of cyber attack in 2016 was phishing. Firms also faced growing risks from business email compromise, ransomware, and distributed denial of service (DDoS) attacks. And criminals and other threat actors aren’t giving up; they’re actually raising the bar.
As more sensitive data moves to the cloud, many financial institutions are upping their game. In Luxembourg, 76% of business leaders we’ve interviewed in our CEO Survey consider cyber threats the third most important concern for 2017.
Regulatory focus on cybersecurity isn’t going away
Cybersecurity isn’t a partisan issue. Financial institutions will be pushed to collaborate more with regulatory bodies to collectively share information. As a result, they’ll have better visibility into emerging threats—and a greater responsibility to prepare for them.
Most companies are still reluctant to share experience and information, despite the clear need for a collective effort to manage threats. Some of them, however, have understood the benefits of working together and with governmental bodies to prevent cyber attacks. In Luxembourg, industry collaboration will grow through venues such as the MISP project, initiated by CIRCL (Computer Incident Response Centre Luxembourg), which has already convinced over 500 organisations to participate.
New technology, new challenges
Combining cloud services with tools like artificial intelligence and blockchain will introduce new risks and thus require new approaches to combating them. As business goes digital, cyber spend increases.
Firms should integrate cybersecurity, anti-fraud, and anti-money laundering efforts. They can improve their ability to ward off threats by combining analytics from pooled data, strengthening their risk management environment, and implementing controls more effectively. Companies should focus first on building a robust risk-based cybersecurity programme. This can help them achieve their broad strategic objectives while also complying with regulatory requirements.
The second line of defence keeps security governance and oversight separate from cybersecurity design, implementation, and operations, and engages the board and its risk committee on cyber topics. Companies also have to work with third-party vendors to make sure those vendors take the right measures to protect their data. When designing and developing new digital products and services, businesses should integrate cybersecurity and privacy from the earliest stages.