Financial Services Cybersecurity: 4 Ways to Combat Modern Threats in this Vulnerable Sector

The financial services sector is one of the highest performing in terms of cybersecurity. One factor that contributes to this performance is regulation. Laws, regulations, and standards such as the FFIEC IT Examination Handbook, the Gramm-Leach-Bliley Act, the NYDFS Cybersecurity Regulation, GDPR, and SOC 2 have placed pressure on financial services companies to build and enforce some of the strongest cyber risk management programs of any industry.

Another factor is money. Because of the extremely sensitive personal and financial information they handle, firms in this sector typically have higher security budgets than other organizations.

But as threats continue to evolve, there’s always work to be done. Indeed, a recent BitSight study found that finance companies have much to do to improve their security postures.

Given this sobering discovery, here are four best practices that can bolster financial services cybersecurity.

1. Reduce ransomware risk

According to the Verizon 2021 Data Breach Investigations Report, ransomware incidents doubled in the past year, and ransomware has become one of the most common forms of cyberattack. Yet despite their sophisticated risk management programs, when we analyzed the security posture of financial institutions, we found that 54% are at heightened risk of ransomware attacks.

This conclusion is drawn from two key security program performance indicators: patching cadence (the elapsed time between a software patch becoming available and its deployment) and configuration management (weak TLS/SSL configurations create weaknesses in internet-facing infrastructure that could expose companies to attack). Both indicators correlate with the risk of a ransomware incident.

When we applied this analysis to the financial services sector, we found that 30% of institutions are slow to apply patches, which makes them seven times more likely to experience ransomware than institutions that maintain a regular patching cadence.

Perhaps more worrying, 70% of the institutions we analyzed are exposed to ransomware risk due to misconfigured systems, notably weak TLS/SSL settings.

What can financial services sector security professionals do? Our findings underline that the key to defending against ransomware, and indeed any cyberattack, is continuous monitoring of security performance so that vulnerabilities are discovered and remediated before they are exploited.
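The two indicators above can be computed from an ordinary asset inventory. The following is an added, illustrative example and not BitSight's methodology or code: it measures patching cadence per host (days from patch availability to deployment, with open advisories charged the full elapsed time) and flags weak TLS/SSL configurations, over a constructed sample inventory. The 30-day "slow" threshold, the weak-protocol list, and the cipher-name markers are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Set

# Assumed thresholds (illustrative, not from the page): a host is "slow to
# patch" when its median patch delay exceeds 30 days; any SSL/TLS protocol
# below 1.2, or a cipher suite naming a broken primitive, is a weak config.
SLOW_PATCH_DAYS = 30
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")


@dataclass
class PatchEvent:
    host: str
    advisory: str
    released: date            # date the vendor fix became available
    applied: Optional[date]   # None = still unpatched as of the report date


@dataclass
class TlsEndpoint:
    host: str
    protocols: Set[str]       # protocol versions the endpoint negotiates
    ciphers: List[str]        # cipher suites it offers (OpenSSL names)


def patch_delays(events: List[PatchEvent], today: date) -> Dict[str, List[int]]:
    """Days from patch availability to deployment, per host.
    An advisory that is still unpatched is charged the full elapsed time."""
    delays: Dict[str, List[int]] = {}
    for ev in events:
        end = ev.applied or today
        delays.setdefault(ev.host, []).append((end - ev.released).days)
    return delays


def slow_hosts(events: List[PatchEvent], today: date,
               threshold: int = SLOW_PATCH_DAYS) -> List[str]:
    """Hosts whose median patch delay exceeds the threshold."""
    return sorted(host for host, d in patch_delays(events, today).items()
                  if median(d) > threshold)


def weak_tls(endpoints: List[TlsEndpoint]) -> Dict[str, List[str]]:
    """Hosts with a weak TLS configuration, with the reasons found."""
    findings: Dict[str, List[str]] = {}
    for ep in endpoints:
        reasons = []
        bad_protocols = sorted(ep.protocols & WEAK_PROTOCOLS)
        if bad_protocols:
            reasons.append("protocols: " + ", ".join(bad_protocols))
        bad_ciphers = [c for c in ep.ciphers
                       if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
        if bad_ciphers:
            reasons.append("ciphers: " + ", ".join(bad_ciphers))
        if reasons:
            findings[ep.host] = reasons
    return findings


def exposure_summary(events, endpoints, today) -> Dict[str, int]:
    """Counts a risk team would track over time: how many hosts fail each
    indicator, and how many fail both (the worst-off systems to fix first)."""
    hosts = {e.host for e in events} | {e.host for e in endpoints}
    slow = set(slow_hosts(events, today))
    weak = set(weak_tls(endpoints))
    return {"hosts": len(hosts), "slow_patching": len(slow),
            "weak_tls": len(weak), "both": len(slow & weak)}


# Constructed sample inventory (not real data): three internet-facing hosts.
TODAY = date(2021, 9, 1)
EVENTS = [
    PatchEvent("web-01", "ADV-A", date(2021, 6, 1), date(2021, 6, 5)),
    PatchEvent("web-01", "ADV-B", date(2021, 7, 1), date(2021, 7, 10)),
    PatchEvent("vpn-01", "ADV-A", date(2021, 6, 1), date(2021, 7, 20)),
    PatchEvent("vpn-01", "ADV-B", date(2021, 7, 1), None),   # still open
    PatchEvent("mail-01", "ADV-A", date(2021, 6, 1), date(2021, 6, 20)),
]
ENDPOINTS = [
    TlsEndpoint("web-01", {"TLSv1.2", "TLSv1.3"},
                ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]),
    TlsEndpoint("vpn-01", {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
                ["ECDHE-RSA-AES128-SHA", "RC4-SHA"]),
    TlsEndpoint("mail-01", {"TLSv1.2"},
                ["DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]),
]

if __name__ == "__main__":
    print("slow patching:", slow_hosts(EVENTS, TODAY))
    for host, reasons in weak_tls(ENDPOINTS).items():
        print(f"weak TLS on {host}: {'; '.join(reasons)}")
    print(exposure_summary(EVENTS, ENDPOINTS, TODAY))
```

Run this daily against the real inventory and the "both" count is the list to work first: a host that is both slow to patch and still negotiating TLS 1.0 is exactly the kind of externally visible target the analysis above correlates with ransomware risk. In a real deployment the protocol and cipher data would come from a scanner rather than being declared inline.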

Ransomware in Financial Services

Download the “Ransomware in the Financial Sector” eBook to see how the ransomware trend is specifically impacting organizations throughout the financial services industry, and how the right technology can combat the unique risks.


2. Focus on third-party risk management

Cybersecurity vigilance also extends to a finance organization’s suppliers and vendors.

As they seek to get around traditional defenses, cybercriminals are increasingly finding and attacking the least secure business in the supply chain and using it as a foothold to gradually compromise their partners.

The financial services sector is acutely aware of these risks and the need to manage them properly. However, security professionals are often hampered by the limitations of traditional vendor cybersecurity assessments, which provide only incomplete, point-in-time views of cyber risk.

A better approach is to use tools that provide deep and continuous insight into the risks and security performance of every organization in a company’s supply chain. Using these data-driven insights, security and risk management teams can speed up their vendor onboarding processes and, once the contract is signed, keep tabs on their vendors’ security postures for the remainder of their partnerships.

Business leaders also benefit. With this visibility into third-party cyber risk, they can make informed decisions about which organizations to do business with, hold those organizations accountable for their security performance, and, ultimately, reduce the risk of a supply chain attack.

3. Share information on cyber risk

Acting in collaboration rather than in isolation is key to thwarting threat actors. This is something the financial services sector already does well. For instance, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is a forum dedicated to strengthening the financial system through a global peer-to-peer network of experts and practitioners.

Firms can build on these efforts using the BitSight platform. For instance, users can exchange critical cyber risk information, including self-published security ratings. They can also invite third-party vendors to view their own ratings and investigate forensic data on potential security issues in their environments. If a large-scale cyberattack occurs, organizations can notify partners and vendors as a group so that they can proactively assess their security postures and take action to reduce the risk of becoming a victim.

4. Gain buy-in from executives

Executive leaders and board members make critical decisions about cybersecurity, notably how and where money is spent. But upper-level managers are not in the trenches every day, and there can be significant gaps between what the Security Operations Center (SOC) knows about cyber risk and what it reports to leadership. That is not to say that security professionals are holding information back; it is just that they speak a different language than the C-suite.

To ensure that the most important information is passed up the chain of command and that meaningful investments can be made, SOC leadership must learn the art of effective executive reporting. That means talking to executives in non-technical terms they understand and tying the company's security challenges directly to its financial and reputational performance.

We discuss these challenges in an earlier blog, in which we offer some uncomplicated suggestions for “speaking the C-suite’s language” and gaining buy-in from senior executives. Also check out these handy guides: The CISO’s Guide to Reporting to the Board and A Security Operations Center Report Template for Executive Buy-In.

Continuous Monitoring eBook

Learn how to adapt to the continuously changing risk environment with an efficient, continuous risk monitoring strategy.


Financial services cybersecurity -- it's a matter of trust

Financial services cybersecurity is highly regulated, and for a good reason. But regulation isn’t the only reason that information security is critical – it’s about trust.

Customers trust financial institutions with their earnings, their savings, and their wealth management. But if data is breached or services are interrupted due to ransomware, customers may lose faith in the ability of a company to safeguard their data and their money. It’s a financial and reputational risk that no institution can afford to take. 

For this reason, financial services companies must move beyond security for compliance’s sake and apply best practices such as continuous monitoring, collaboration, and making security performance understandable and accessible to the C-suite. 


BitSight Financial Quantification empowers you to assess your organization’s financial exposure to cyber risk and allows you to transform the technical side of cybersecurity into business language.
