Large banks have fairly strong cyber-security controls in place, but cyber-criminals are changing their strategy and the financial sector remains difficult to secure against cyber-attacks, according to a special report by Thomson Reuters’ risk management business.
Several large banks suffered cyber-attacks a year ago, including JPMorgan Chase, where intruders managed to compromise contact data of 76 million households and 7 million businesses, JPMorgan confirmed in filings with the US Securities and Exchange Commission.
Malicious attempts to make a network resource unavailable to users, also known as distributed denial-of-service attacks, remain a threat but have declined in the past four years. The threat that’s on the rise is data theft, as breaches at Fidelity Investments, Target, Sony, and Citi suggest. Using techniques, tactics, and procedures developed by high-level espionage groups, cyber-crime gangs aim these data theft attacks specifically at oil companies, the power industry, and banks, Thomson Reuters reported.
Most of the breaches exploit vulnerabilities of technology and applications that are 25 or 30 years old and remain unpatched, network security experts told Thomson Reuters. Other weaknesses exist in some firms’ risk assessments and whistle-blowing mechanisms. The financial sector in Asia is particularly exposed because of the region’s higher degree of political volatility.
A global survey PwC conducted in 2014 found that 39% of financial services respondents had been victims of cyber-crime. Organisations’ response time has become faster, but the most recent median time between breach and discovery was still 229 days, according to the Thomson Reuters report.
JPMorgan responded to the 2014 cyber-attack by doubling its cybersecurity spending in 2015 and 2016 to about $500 million per year, SEC filings show.
To become more resilient to cyber-attacks, Thomson Reuters suggested that financial services organisations take these steps:
Determine what information needs to be protected. Map all in-house and outsourced processes and assets, from customer data to operational networks. Include manual workarounds, which often go back to business acquisitions. Prioritise threats by, for example, asking the chief information officer what the top five business systems are that need to be protected.
Expand the concept of risk and risk appetite to all information assets. Consider establishing an in-house cyber-intelligence team to gather information about current threats and threat actors. Former intelligence, government, or military staff could be well-suited to serve on such a team.
Design cyber-security measures to fit the nature and activities of the organisation. Produce user security policies covering the acceptable and secure use of organisational systems, including for home and mobile working, and manage user privileges. Train staff. Establish a monitoring programme and an incident response and disaster recovery capability. Ensure that security patches are applied in a timely manner. Scan for malware continuously, and maintain strong anti-malware defences.
Test regularly whether the security measures work. Ensure the control infrastructure is thoroughly tested and any gaps are followed up on. Inform third-party vendors about vulnerabilities, so they can take preventive action. Also, an organisation needs to consider the worst-case scenario of becoming the victim of a full-blown cyber-attack. Carefully thought through and tested incident management and contingency plans need to be agreed upon pre-emptively at the highest levels.
Update the board periodically. Security updates help the board and senior management stay engaged and appropriately manage risks. Without updates, the board may be less likely to understand why financial resources needed to be diverted to cyber-security. Ensure the board has an agreed-upon approach towards the organisation’s unique risk profile.
Share information about cyber-attacks with similar organisations. Directors can play a crucial leadership role in sharing information about cyber-attacks and combining resources with their counterparts at similar organisations to find solutions.
Related CGMA Magazine content:
“Use a Layered Cyber-Security Approach to Protect Crown Jewels”: Maintaining a strong outer defence to networks and systems may not be enough to protect an organisation from data breaches. Cyber-security expert Sajay Rai, CPA, said organisations are adopting layered approaches to cyber-security, with more controls around the most sensitive information.
“Cyber Concerns Show No Signs of Cooling Off, Former US Homeland Security Chief Says”: With growing connectedness of devices and infrastructure, cyber-security concerns are also going to grow, Tom Ridge, the former secretary of the US Department of Homeland Security, said at the AICPA CFO Conference.
“CFOs Increase Spending on Cyber-Security”: A majority of technology CFOs in a survey earlier this year said they had increased their spending on cyber-security, and a broader survey of finance executives showed increased concern about cyber-attacks.
—Sabine Vollmer (email@example.com) is a CGMA Magazine senior editor.