Financial services is a wide industry, encompassing banks, insurance companies, investment firms, analysts, consultants, and many more. We’ve found financial services to be one of the best performing sectors in terms of cybersecurity. We’ve been able to pinpoint a handful of basic facts, ideas, and principles that make the financial sector so successful at cybersecurity, and we’ve outlined those “pillars” below. Take a look!
Pillar #1: You have to meet the expectations of regulations (and beyond).
Financial services is a regulated sector—and regardless of your feelings on regulation, it does get some interesting results. When you know that someone is holding you accountable and that this party has the authority to fine or potentially shut you down, you know you have to take action. Thus, financial service organizations typically have implemented proper protections and risk management solutions, invested in the right technologies, and hired the best talent.
And while regulations are mostly about compliance, it’s pretty well understood that compliance does not equal security. To properly manage risk (and go above and beyond your fiduciary duty), you need to identify the greatest threats to your organization and focus your time and attention there.
Pillar #2: You must have vigilance in your cybersecurity execution.
Any company could do the bare minimum when regulators come knocking and let things slide when they leave—but that would be a big mistake. Therefore, you need to continue to be vigilant every day, not only when you’re being monitored.
Executing consistently takes both training and resources. Part of the reason financial service organizations excel at cybersecurity is because of the amount of high-level executive buy-in. The top people in the organization typically demand and expect a strong cybersecurity posture and provide the resources needed to support world-class information security risk management programs.
Have you implemented these twelve cybersecurity metrics at your organization?
Pillar #3: You must excel at detection and recovery.
High-performing financial service organizations recognize that you’re never going to stop every cyberattack. There are too many gaps and too many ways that someone can access and exploit a system. So while you need to excel at protecting your high-value assets and data, you also must excel at detecting security issues and recovering any data loss quickly and efficiently.
Pillar #4: You need to manage risk in the third-party ecosystem.
Many breaches that happen to financial service organizations originate on vendor networks. Financial organizations are keenly aware of risks in the supply chain and the need to properly manage those risks. This is a challenge of scale—how should an organization focus on areas that are of medium criticality and high criticality? This requires an investment of both time and resources; but when you consider the consequences to your data (or your customer’s data) if a third- or fourth-party system goes down, it seems the investment is certainly worth it.
Pillar #5: You should consider information sharing.
Another thing the financial services industry does well is sharing information. The Financial Services Information and Sharing Center (FS-ISAC) is a mature industry forum created specifically for the financial services industry to share regarding cybersecurity in their sector. In it, you’ll find a tremendous amount of collaboration around threat actors and the capabilities of those actors. Members feel that acting in collaboration is better than acting in isolation—which makes membership in the FS-ISAC extremely advantageous.
A final note on cybersecurity in financial services:
Cybersecurity has been of great importance in the financial sector because of the amount of regulation in the industry. Even if you aren’t subject to regulations, one of your vendors likely is, and their organization could be breached compromising your data.
But regulation isn’t the only reason that this is critical. It’s also critical because you’re in the business of trust. If your customers lose faith in your ability to protect your information or provide a service reliably, your reputation and business may suffer as a result.
