The financial services sector is one of the highest performing in terms of cybersecurity. One factor that contributes to this performance is regulation. Laws such as FFIEC IT, the Gramm-Leach-Bliley Act, NYDFS, GDPR, and SOC2 have placed pressure on financial services companies to build and enforce some of the strongest cyber risk management programs across any industry.
You should consider another factor, which is money. Because of the extremely sensitive personal and financial information they handle, firms in this sector typically have higher security budgets than other organizations.
But as threats continue to evolve, there is always work to do. Indeed, a recent Bitsight study found that finance companies have much to do to improve their security postures.
Given this sobering discovery, here are four best practices that can bolster cybersecurity in the financial sector.
- Reduce Ransomware Risk
- Focus on third-party risk management
- Share information on cyber risk
- Gain buy-in from executives
1. Reduce Ransomware Risk
According to the Verizon 2021 Data Breach Investigations Report, ransomware incidents have doubled in the past year and are now the most common form of cyberattack. Yet despite their sophisticated risk management programs, when we analyzed the security posture of financial institutions, we found that 54% are at heightened risk of ransomware attacks.
This conclusion is drawn based on two key security program performance indicators – patching cadence (the elapsed time between software patches becoming available and when they are implemented) and configuration management (weak TLS/SSL configurations create vulnerabilities in infrastructure that could expose companies to attacks). Both indicators correlate with the risk of ransomware threats.
When this analysis is applied to the financial services sector, we found that 30% of institutions are slow to apply patches. This makes them seven times more likely to experience ransomware than those that maintain a regular patching cadence.
Perhaps more worrying, misconfigured systems expose 70% of these companies to ransomware risk.
What can financial services sector security professionals do? Our findings stress that continuously monitoring security performance so that vulnerabilities are discovered and remediated before they are exploited is key to defending against ransomware, and indeed any cyberattack.
2. Focus on third-party risk management
Cybersecurity vigilance also extends to a finance organization’s suppliers and vendors.
Cybercriminals are progressively identifying and targeting the most vulnerable businesses within the supply chain, bypassing conventional security measures. They use this weak link as a stepping stone to slowly infiltrate their partners.
The financial services sector is acutely aware of these risks and the need to properly manage them. However, security professionals are often hampered by the limitations of traditional vendor cyber security assessments that provide incomplete and time-bound views of cyber risk.
A better approach is to use tools that provide deep and continuous insight into the risks and security performance of every organization in a company’s supply chain. Using these data-driven insights, security and risk management teams can speed up their vendor onboarding processes and, once the contract is signed, keep tabs on their vendors’ security postures for the remainder of their partnerships.
Business leaders also benefit. With an unparalleled visibility into third-party cyber risk, they can make informed decisions about which organizations to do business with, hold those accountable for security performance, and, ultimately, reduce the risk of a supply chain attack.
3. Share information on cyber risk
Acting in collaboration rather than in isolation is key to thwarting threat actors. This is something the financial services sector already does well. For instance, the Financial Services Information and Sharing Center (FS-ISAC) is a forum dedicated to strengthening the financial system through a global peer-to-peer network of experts and practitioners.
Firms can build on these efforts using the Bitsight platform. For instance, users can exchange critical cyber risk information, including self-published security ratings. They can also invite third-party vendors so that they can view their own ratings and investigate forensic data on potential security issues in their environment.
If a large-scale cyber attack occurs, organizations can reach out to partners and vendors as a group to notify them. This allows these organizations to proactively assess their security postures and take action to reduce the risk of becoming a victim and improve security measures.
4. Gain buy-in from executives
Executive leaders and board members make critical decisions about cybersecurity – notably how and where money is spent. But upper-level managers are not in the trenches everyday and there can be significant gaps between what the Security Operations Center (SOC) knows about cyber risk and what it reports to leadership. That’s not to say that security professionals are holding information back, it’s just that they speak a different language than the C-suite.
To ensure that the most important information is passed up the chain of command and meaningful investments can be made, SOC leadership must learn the art of effective executive reporting. That means talking to executives in a non-technical way they understand and that ties their company’s security challenges directly to its financial and reputational performances.
We discuss these challenges in an earlier blog, in which we offer some uncomplicated suggestions for “speaking the C-suite’s language” and gaining buy-in from senior executives.
Financial services cybersecurity -- it's a matter of trust
Regulators highly regulate financial services cybersecurity, and for a good reason. But regulation isn’t the only reason that information security is critical – it’s about trust.
Customers trust financial institutions with their earnings, their savings, their wealth management, and their overall sensitive information. If this data is breached or services are interrupted due to ransomware, customers may lose faith in the ability of a company to safeguard their data and their money. It’s a financial and reputational risk that no institution can afford to take.
Financial companies must prioritize more than just security for compliance. They should also focus on continuous monitoring, collaboration, and making security performance accessible to top executives.