Vendor Risk Management

The 5 Pillars Of Cybersecurity In Financial Services

Melissa Stevens | March 31, 2016

Financial services is a wide industry, encompassing banks, insurance companies, investment firms, analysts, consultants, and many more. We’ve found financial services to be one of the best performing sectors in terms of cybersecurity. We’ve been able to pinpoint a handful of basic facts, ideas, and principles that make the financial sector so successful at cybersecurity, and we’ve outlined those “pillars” below. Take a look!

Pillar #1: You have to meet the expectations of regulations (and beyond).

Download Guide: 12 Cybersecurity Metrics Your Vendors And You Should Be Watching

Financial services is a regulated sector—and regardless of your feelings on regulation, it does get some interesting results. When you know that someone is holding you accountable and that this party has the authority to fine or potentially shut you down, you know you have to take action. Thus, financial service organizations typically have implemented proper protections and risk management solutions, invested in the right technologies, and hired the best talent.

And while regulations are mostly about compliance, it’s pretty well understood that compliance does not equal security. To properly manage risk (and go above and beyond your fiduciary duty), you need to identify the greatest threats to your organization and focus your time and attention there.

Pillar #2: You must have vigilance in your cybersecurity execution.

Any company could do the bare minimum when regulators come knocking and let things slide when they leave—but that would be a big mistake. Therefore, you need to continue to be vigilant every day, not only when you’re being monitored.

Executing consistently takes both training and resources. Part of the reason financial service organizations excel at cybersecurity is because of the amount of high-level executive buy-in. The top people in the organization typically demand and expect a strong cybersecurity posture and provide the resources needed to support world-class information security risk management programs.

Have you implemented these twelve cybersecurity metrics at your organization? 

Pillar #3: You must excel at detection and recovery.

High-performing financial service organizations recognize that you’re never going to stop every cyberattack. There are too many gaps and too many ways that someone can access and exploit a system. So while you need to excel at protecting your high-value assets and data, you also must excel at detecting security issues and recovering any data loss quickly and efficiently.

Pillar #4: You need to manage risk in the third-party ecosystem.

Many breaches that happen to financial service organizations originate on vendor networks. Financial organizations are keenly aware of risks in the supply chain and the need to properly manage those risks. This is a challenge of scale—how should an organization focus on areas that are of medium criticality and high criticality? This requires an investment of both time and resources; but when you consider the consequences to your data (or your customer’s data) if a third- or fourth-party system goes down, it seems the investment is certainly worth it.

Pillar #5: You should consider information sharing.

Another thing the financial services industry does well is sharing information. The Financial Services Information and Sharing Center (FS-ISAC) is a mature industry forum created specifically for the financial services industry to share regarding cybersecurity in their sector. In it, you’ll find a tremendous amount of collaboration around threat actors and the capabilities of those actors. Members feel that acting in collaboration is better than acting in isolation—which makes membership in the FS-ISAC extremely advantageous.

A final note on cybersecurity in financial services:

Cybersecurity has been of great importance in the financial sector because of the amount of regulation in the industry. Even if you aren’t subject to regulations, one of your vendors likely is, and their organization could be breached compromising your data.

But regulation isn’t the only reason that this is critical. It’s also critical because you’re in the business of trust. If your customers lose faith in your ability to protect your information or provide a service reliably, your reputation and business may suffer as a result.

Download Guide: 12


Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


FBI Alerts Companies of Cyber Attacks Aimed at Supply Chains

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to...


Guide: Fourth-Party Cyber Risk & Management

In today’s interconnected world, supply chains are growing exponentially. As a result, third-party risk has become a big focus for senior management. But what about the vendors that your suppliers rely on and the threat of fourth-party...


Subscribe to get security news and updates in your inbox.