Cyber Risk Continues to Plague Financial Services

Originally Published in Corporate Compliance Insights.

The eventuality of a cyber attack is cause for concern for all kinds of organizations, but lately the financial services industry has been especially afflicted. Drawbridge’s Martin Passante explores the growing cybersecurity threat in financial services and how firms can proactively prepare.

Cybersecurity is a growing concern for firms in the financial industry. Whether it is via social engineering or malicious outsiders hacking into a network, cybercrime is on the rise and people are taking notice. Without proper security controls in place, firms’ networks are at risk of intrusion.

Without proper logical and technical controls in place, firms’ employees are more susceptible to phishing and social engineering attacks – the root cause of a great majority of cyber breaches. Firms are also vulnerable in places they don’t even realize or control, such as the third-party vendors they engage with. Proper cybersecurity due diligence exercises are essential to ensure that the third parties a firm engages with have proper practices and policies in place. In addition, due to increased scrutiny from regulators, as well as investor demand for certain cybersecurity precautions in place to ensure their investments are safe, firms have begun to take note and implement various cybersecurity programs.

There are various steps a firm can take to ensure they are checking their cybersecurity boxes.

Firms have begun undertaking cybersecurity initiatives that involve implementing cybersecurity policies (such as information security plans and incident response plans), engaging in phishing exams and cybersecurity training for firm employees, conducting penetration tests on the firm’s network and conducting pointed cybersecurity vendor due diligence to ensure the third parties the firm engages with are secure.

1. Plans and Policies

Items such as cybersecurity policies are imperative to have in place. In fact, regulators such as the Securities and Exchange Commission and National Futures Association require cybersecurity policies in guidance they have issued. Also, on many occasions, large investors require these documents be implemented and often times request to view them (in addition to viewing other reports and assurances that a firm has a solid cybersecurity posture). Policies that firms should be looking to implement, as a baseline, include an information security policy, incident response plan and business continuity and disaster recovery plan.

With these policies in action, the firm, as well as those interested parties, can be assured as to what the firm has in place to protect their data and sensitive information. These policies also serve as guidance for firm employees regarding their role in keeping information secure, what measures the firm has in place and how they function, as well as what to do in the event of a breach or loss of firm data. Maintaining cybersecurity policies is crucial to assure regulators and investors that a firm is secure from a cybersecurity perspective.

2. Training: Addressing Human Error

Training firm employees is another initiative that most regulators and investors view as imperative. Most data breaches occur because of human error. Whether it’s clicking on a link in a phishing email that installs malicious spyware on a computer or something as simple as poor password management leading to a breach, missteps by employees can lead to several unwanted issues for firms.

But there are efficient ways to help employees understand the various cyber threats they face on a daily basis. This includes conducting phishing exams regularly to ensure employees know what to look out for, as well as (at least annual) cybersecurity training for employees. Cybersecurity training should inform employees of the steps the firm has taken to secure its infrastructure, various mandatory policies (such as password policies, clean desk policies, secure transferring of information, etc.) that help the firm stay secure, as well as the cyber threats employees face and what to do in situations where they are being targeted. Training employees on cybersecurity should be a measure that all firms implement, regardless of size or the amount of assets managed, because a firm is only as strong as its weakest employee.

3. Testing

Conducting penetration tests is another great way a firm can secure its infrastructure. Testing a firm’s network can elucidate risks that may have otherwise gone undetected. Once a test is conducted and the firm has a better understanding of its network perimeter vulnerabilities, it can properly remediate the risks with items such as network firewall solutions with IDS/IPS capabilities, network monitoring solutions, antivirus and antimalware and patch management policies to ensure devices connected to the firm’s network are always up to date with the most recent firmware. Ensuring that the firm’s IT infrastructure and network perimeter are secure is essential to good cybersecurity practice, and penetration testing is the best way to accomplish this.

4. Third-Party Due Diligence

Third parties are a cybersecurity risk for firms and should not be ignored. Many vendors engaged with firms in the financial industry maintain sensitive data related to the firm, its employees and its investors. Therefore, ensuring that this information is being guarded is intrinsically linked to a firm’s success. Baseline questions to ask when considering a vendor for review are:

  • Does this vendor store, create, manage or access your firm’s business confidential information?
  • Does this vendor store, create, manage or access your firm’s personally identifiable information?
  • Does this vendor store, create, manage or access your firm’s investors’ or customers’ personally identifiable information?

If the answer is “yes” to any of the above questions, then the firm should conduct cybersecurity due diligence on the vendor to ensure that the vendor is secure and has cybersecurity top of mind. Conducting thorough cybersecurity vendor due diligence is the best way to identify which third parties a firm engages with are secure and uphold cybersecurity best practices.

Firms in the financial industry should indeed be aware of the ever-growing cyber threat if they aren’t already because regulators and investors will continue to voice their concern. Cybersecurity programs should be implemented, and upper management must ensure that they are taking every precaution to ensure the firm’s, its employees’ and their investors’ sensitive data is being safeguarded.

Originally Published in Corporate Compliance Insights.