Are financial services firms doing enough to protect systems and stay resilient?

Cybersecurity is a major issue for financial services firms, and it has been named a key priority for 2020/21 by many regulators, including the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the European Securities and Markets Authority (ESMA). According to research from Boston Consulting Group, financial services firms experience up to 300 times as many cyber attacks per year as firms in other industries, so cyber resilience could not be more critical.

So, what should financial services firms be doing to improve their cybersecurity?

Cyber threats have dogged the financial services industry for some time. At the end of 2018 the FCA revealed that reported cyber attacks had increased fivefold on the previous year, and during the Covid-19 crisis, with so many people working from home, attackers have more opportunity than ever to exploit weaknesses.

Put governance in place and treat cybersecurity as a compliance issue

Technology has transformed the financial services industry, automating and simplifying many routine processes, but many firms have built large systems that they depend on with little insight into the associated risks or the governance needed to manage them. Cybersecurity needs to be treated as a compliance issue and handled with the same seriousness as anti-money laundering or know-your-customer processes. Firms need to allocate responsibility for cyber resilience clearly to a named senior manager, and engage external specialists where necessary, to proactively identify and mitigate cyber threats.

What are the most common cyber threats for financial services firms?

It is crucial to understand which attacks are most likely to happen in order to mitigate them, and as cyber criminals become more sophisticated and the types of threat evolve, continuous monitoring is essential.

Web application attacks are among the most common threats, especially as web apps become more widely exposed and accept more user input. Injection attacks, SQL injection in particular, succeed when user-supplied data is spliced into a query as if it were code. A web application firewall and regular auditing of databases help, but the primary defence sits in the application itself: parameterised queries, input validation and regular security testing to find vulnerabilities before attackers do. Distributed denial of service (DDoS) attacks are also prolific and are commonly used to slow down websites and make them unavailable to users. Recent research from the insights firm Mindsight found that one third of network downtime, which causes business interruption and reputational damage, is caused by DDoS attacks. Many of these could be avoided, as a multitude of DDoS mitigation tools exist, but not all financial services firms are using them effectively.
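To make the web application point concrete, here is an added example (not code from the original article or from any firm it mentions) showing why a database audit or a firewall is not the fix for injection: the same lookup is written twice against an in-memory SQLite table holding constructed sample accounts, once by pasting the user's input into the SQL text and once with a bound parameter. The table, usernames and balances are invented for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice", 1250.00),
    ("bob", 80.50),
    ("carol", 99000.00),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, balance REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)", SAMPLE_ACCOUNTS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user-supplied string is spliced into the SQL text, so a
    quote character in it changes the structure of the query instead of being
    treated as data. A firewall in front of the database never sees this: the
    application itself sends a perfectly valid (but attacker-shaped) query."""
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the query text is fixed and the value is bound separately, so
    the same input is matched literally as a username and cannot alter the
    query. This is the application-level control the text calls for."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: the vulnerable query becomes
#   WHERE username = '' OR '1'='1'
# which is true for every row.
INJECTION_PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups against a legitimate username and the injection payload."""
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_parameterised": lookup_parameterised(conn, "alice"),
        "attack_vulnerable": lookup_vulnerable(conn, INJECTION_PAYLOAD),
        "attack_parameterised": lookup_parameterised(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With a normal username both functions return the single matching row; with the payload the string-built query returns every account in the table while the parameterised query returns nothing, because the payload is simply a username that does not exist. Regular security testing of the application (not only the database) is what catches the first pattern before it is exposed.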

Data theft and breaches are among the other most common problems in the sector, and they can be staggeringly expensive: IBM recently calculated that the average cost of a data breach amounts to $3.92 million. Protecting data has become particularly critical since PSD2 came into effect, the directive that requires banks to expose payment account data to authorised third parties through secure, standardised interfaces and mandates strong customer authentication. The best way to mitigate data theft is to tighten up authentication processes and, in particular, to use two-factor authentication wherever possible, so that a stolen password alone is not enough to reach customer data.
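As an added illustration of the second factor the text recommends (this is example code written for this page, not anything from the original article or from a bank's systems), here is a server-side implementation of the time-based one-time password (TOTP) defined in RFC 6238, using only the Python standard library. The secret is the published RFC test-vector key, not a real credential; the verification routine tolerates one step of clock drift, compares in constant time, and refuses to accept a counter it has already accepted so that a code captured by a phisher cannot be replayed within the drift window.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test-vector secret from RFC 6238 Appendix B (SHA-1 variant); not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the accepted time-step counter, or None.

    window       tolerate clock drift of +/- this many steps
    last_counter highest counter already accepted for this user; anything at
                 or below it is refused so a captured code cannot be replayed
    The digit comparison is constant-time so timing does not leak how many
    leading digits of a guess were correct."""
    if at is None:
        at = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = int(at) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_counter:
            continue  # already used (or older than one already used)
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 vectors: t=59 -> 287082, t=1111111109 -> 081804
    print(totp(TEST_SECRET, at=59), totp(TEST_SECRET, at=1111111109))
    code = totp(TEST_SECRET, at=59)
    print("accept fresh:", verify_totp(TEST_SECRET, code, at=59))
    print("reject replay:", verify_totp(TEST_SECRET, code, at=59, last_counter=1))
```

In a real deployment the caller persists the returned counter per user and passes it back as `last_counter` on the next attempt, rate-limits failures, and keeps the shared secret in a secrets store rather than in source; those parts are deliberately left to the surrounding system here.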

Insider threats and human error

According to IBM, 60 per cent of cyber attacks actually originate inside a company, and the financial services sector is one of the top three industries at risk of insider attacks. Many of these attacks are intentional, so maintaining strong cybersecurity controls, especially during periods of remote working, is paramount. Alongside intentional attacks, around a quarter of internal breaches are caused by human error, such as using weak login credentials, reusing passwords or failing to recognise phishing scams. It is crucial that good cybersecurity principles, such as strong, unique passwords and protecting credentials, are carried through every area of a firm.

The repercussions of inadequate cybersecurity

The consequences of not prioritising cybersecurity can be huge for financial services firms, in terms of financial loss, penalties imposed by regulators and reputational damage. Under the GDPR regime alone, European regulators have imposed 114m EUR in fines, and UK regulators have announced their intention to levy a further 329m EUR for data privacy breaches. Firms will sustain significant damage to their reputations if customer data is stolen, for example, or if trading is shut down because of a DDoS attack. In the wake of last month's Wirecard scandal, even though that specific case was accounting fraud rather than a cyber attack, payment systems are also likely to come under extra regulatory scrutiny.

Generally, regulators expect to see adherence to best practice in data storage, proper configuration of network storage and a robust framework of cybersecurity governance. Emerging technologies such as AI, big data and the Internet of Things have had an immensely positive impact on financial services, but they have also introduced ever-evolving risks, so as new technologies are introduced it is critical that potential threats are continuously monitored.
