Growth in cyber-crime has continued, if not accelerated, in the financial services industry, according to the recently released report “Transforming cybersecurity: New approaches for an evolving threat landscape” by the Deloitte Center for Financial Services.
FFIEC launches cybersecurity web page, promotes awareness
The Federal Financial Institutions Examination Council (FFIEC) launched a web page on cybersecurity as a central repository for current and future FFIEC-related materials on cybersecurity.
FFIEC members are taking a number of steps to raise awareness of cybersecurity risks at financial institutions and the need to identify, assess and mitigate these risks in light of the increasing volume and sophistication of cyber threats that pose risks to all industries. The web page provides links to joint statements, webinars and other information that may help financial institutions when thinking about the issue of cybersecurity.
The launch of this web page coincides with a pilot program at more than 500 community institutions, to be conducted by state and federal regulators during regularly scheduled examinations. Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training.
According to the Deloitte report, U.S. financial services companies lost, on average, $23.6 million from cybersecurity breaches in 2013, the highest average loss across all industries. This number is 43.9 percent higher than in 2012. Aside from the financial impact, the effect cyber-crime has on customer and investor confidence is substantial. A recent global survey of C-level executives cited by Deloitte ranked cyber risk as the third-highest corporate risk priority worldwide in 2013. In 2011 it was ranked number 12.
And the solutions to these problems have created problems of their own.
“The business and technology innovations that financial services companies are adopting in their quest for growth and innovation and cost optimization are in turn presenting heightened levels of cyber risks,” the report stated. “These innovations have likely introduced new vulnerabilities and complexities into the financial services technology ecosystem.”
As an example, the continued adoption of Web, mobile, cloud and social media technologies has likely increased opportunities for hackers. Outsourcing, offshoring and third-party contracting have further diluted institutional control over IT systems and access points, according to the report.
This impacts the effectiveness of prevention and response mechanisms. Deloitte analyzed an annual investigative report on data security by Verizon and found that in 2013, 88 percent of the attacks initiated against financial services companies were successful in less than a day. However, only 21 percent of these were discovered within a day, and once discovered, only 40 percent were restored within that one-day time frame.
“The lack of threat awareness and response suggests that more preventative technologies are, alone, likely to be inadequate,” the report stated. “Rather, financial services companies can consider adopting a multi-pronged approach that incorporates a more comprehensive program of cyber defense and response measures to deal with the wider array of cyber threats and risks.”
The report recommends several security layers that provide redundancy and slow the progression of attacks in progress, if not prevent them altogether.
“In today’s environment, it is unrealistic to expect that defenses can prevent all cyber incidents,” said Ed Powers, national managing partner for cyber risk services at Deloitte & Touche LLP. “The financial industry should continue developing capabilities for detecting incidents when they occur, minimizing the impact on business and critical infrastructure and tying these capabilities together in a comprehensive framework.”
Cybersecurity needs to be an executive-level priority, not something delegated solely to the IT department, and any strategy must include continuous monitoring. According to the report, sharing information within and outside of the organization will likely help many financial services companies address weaknesses in their ability to discover and recover from attacks. The report also recommends forming a cyber-threat intelligence unit to update the team on threats and on controls that require enhancement, and storing three to six months of historical data.
“Financial services firms should consider raising their level of preparedness and evolve into a new cyber risk management paradigm that strives to achieve three fundamental qualities: being secure, being vigilant and being resilient.”