A recent industry report suggests that the Financial Services (“FS”) industry attracts 300% more attacks than any other sector. The huge amount of customer data (e.g. identity, finance, etc.) stored by Financial Institutions (“FIs”) as well as financial incentives make FIs attractive targets of cyber criminals.
In the past few years, we have witnessed several big cybercrime cases in the FS Industry. For example, JP Morgan Chase had 83 million bank accounts exposed in a phishing scam in 2014 and earlier this year in February hackers stole USD 81 million from Bangladesh’s central bank. Due to the broad scope and complex perimeters, Cybersecurity Management becomes challenging work for FIs.
Increasing Risk Concern Per a recent survey sponsored by FIS, 77% of bank executives rank cybersecurity as the top risk concern. As shown below, Malware, Phishing and Distributed Denial of Service (DDoS) are the main types of cybercrime affecting FIs.
Apart from the above common cybercrimes, the below emerging new risks require FIs to strengthen their cybersecurity risk management framework.
Mobile: To enhance the customer experience, FIs have embraced new technologies such as mobile banking and digital wallets, which open the door to large-scale identity theft, which is hard to detect via existing controls.
New hacker opportunities: penetration of connected devices and alternative payment solutions create additional potential vulnerable points for hackers, such as wireless payments (NFC) and Bluetooth.
Cross-border data exchanges: Broker-dealers, banks, brokers, exchanges, trading & market data networks are permanently connected, which means a single vulnerable point can make the entire network affected.
The sophistication of attacks is another source of rising concern.
Multiplicity of adversaries: Exponential increase in threats while defensive approaches remain singular
Hacktivism: Risk no longer limited to financial criminals but also hacktivist groups driven by political or social agendas
Threats from outside the country: Nation-states have the potential to create market havoc and disrupt the global financial system
As shown in the below heat map of cybersecurity risks, the cyber threat landscape is evolving. FIs should consider the severity of impacts from different adversaries when building a risk management framework.
We list the top industry trends as mentioned above regarding cybersecurity, including evolving regulatory requirements, increasing cost & impact and enhancement of risk governance.
As cybersecurity is on the FIs’ top priority of risk management, we foresee the below trends of cybersecurity management practice in the Financial Service Industry in the coming years.
Investment in core safeguards: In 2015, FIs increased their investment in information security budgets by 14%. This increase is expected to continue in the near future as a response to rapidly evolving complex technologies and stricter regulatory requirements.
Adoption of advanced technology: FIs are applying advanced technology as defence solutions, such as cloud-based cybersecurity services, Big Data analytics, and advanced authentication and biometrics.
Establishment of risk management framework: Increasing number of FIs are aware of the importance of setting a proper risk management framework.Per recent survey, 65% of banks have an overall IT security strategy and 59% have a Chief Information Security Officer (CISO) in charge of security.
Key Challenges & Long-Term Solution Cyber criminals only need to find one vulnerable point, while FIs need to make sure that the entire system is perfect. However, FIs are facing several challenges to achieve necessary defence capabilities.
Scarcity of security talent: lack of professionals is a challenge across all the industries. Banks might not have IT talent to tackle security issues derived from customers’ mobile phones, wireless sensors and connected devices as well as emerging new technology in the future.
Low transparency of breaches: in some emerging markets, it is not required to disclose cyber breaches to regulators, which makes other banks miss the chance to take timely measures and eventually makes the whole industry exposed to a wave of similar cyber-attacks.
Low capability of emerging markets: emerging markets have lower capabilities to handle cybercrimes compared to developed countries. As cross-border data exchanges are required for international client service, an imbalance of defence capability between developed and emerging markets will make the entire data network vulnerable to cyber-attacks.
Due to potential reputational damage and monetary loss from cybercrimes, cybersecurity management should be included in banks’ long-term development agenda to tackle those challenges. The following key initiatives are recommended:
Establish Risk governance: set up a risk-based security framework, provide necessary workshops to staff for awareness enhancement & professional trainings to IT talent
Use Cyber intelligence: use threat intelligence to improve ability to identify, detect and respond to cybersecurity threats
Assess Cyber insurance: evaluate the utility of cyber insurance as part of risk management processes and conduct an analysis to ensure alignment between existing coverage and risk assessment processes
Mitigate third party risks: manage cybersecurity risks that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management
Externally, it is encouraged to share cyber breaches information within the industry and establish collaborative relationships between small banks and large banks, developed and emerging markets, FIs and Fintech.
Same as FIs, Fintechs are also facing cybersecurity management challenges, given the rapid growth and complexity of the industry. They are taking initiatives for enhancement, which Financial Institutions can draw lessons from. For example, in September Ant Financial acquired U.S.-based EyeVerify, Inc., to increase safety in financial transactions by leveraging EyeVerify’s mobile eye verification technology (i.e. Eyeprint ID).
 2015 Industry Drill-Down Report: Financial Services, Websense  2016 Risk Practices Survey sponsored by FIS
What are your views about the cybersecurity management challenges for Financial Services Industry? Email us, we would love to hear them.
The CH&Co. Editorial team
Recent Regulatory Developments in Cybersecurity
CH&Co Digital Case of the Month – Digital Shadows
Want to keep up to date with the latest innovations? CH&Co. has built a global database gathering all worldwide innovations across the Financial Services industry. More than 500 case studies are already available online with hands-on insights. Every month, about 20 new start-up case studies are added on fintank.chappuishalder.com by our CH&Co. global digital team! Here’s a look at this month’s most striking discoveries.
Conferences, exhibitions, workshops…If you would like to participate in our events, please register here. Membership is free!
Share the news!
If you enjoy CH&Co.’s news, please share it with your colleagues. They can also sign up for future editions. Membership is free!
Chappuis Halder & Co. is a consulting firm specialized in Financial Services with offices in North America, Europe and Asia. We help our clients in several industries, Corporate & Investment Banking, Commodity Trading, Insurance and Retail & Private Banking, with a permanent focus on expertise and research, especially in the Digital area.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
These cookies allow us to determine the number of visits and sources of traffic to our website in order to measure and improve performance. They also help us to identify which pages are most / least visited and to evaluate how visitors navigate through the site. All information, collected by these cookies, is aggregated and therefore anonymized. If you do not accept these cookies, we will not be able to know when you have visited our website and we will not be able to measure its performance.