Navigating cyber risks in 2024: Insights, controls and strategies for financial institutions
Feb 19, 2024 · Authored by Christopher J. Tait, Brian Nichols
The cybersecurity landscape is always evolving, and it can feel like your financial institution is constantly on the defense trying to keep up with the latest cyber risks, regulations and emerging trends. As we have seen in recent headlines, even the most established organizations are subject to cybersecurity attacks. While sophisticated hacking is a valid threat, it is rarely the root cause of a data breach. To mitigate risk, you must understand your organization’s unique vulnerabilities, cybersecurity processes and controls. One important thing to remember: In this day and age, there will always be cyber risks to tackle. Learning to pinpoint and stay on top of those risks through proper risk management while still allowing your organization to function is essential.
Internal cyber risks: Risks you can control
Internal cybersecurity risk factors are the type of risks that you ultimately have control over. As your organization grows and starts to implement new systems, services and applications, these risks start to bubble up to the surface and can impact both your internal and external stakeholders. Ensuring proper network security, including your internal network as well as any network you share with your third-party service providers, is a key component in protecting your organization’s assets, data and client information.
As organizations continue to evolve their internal and external-facing systems and services, the old ways of securing the network perimeter have given way to a more user-centric approach. Managing user access and user identities is now the top priority for preventing unauthorized access to sensitive information. But the question remains: how do you do this in a way that is trusted yet frictionless?
Organizations have implemented multifactor authentication (MFA) on remote access points, but those are not the only risk factors that need to be considered. The more Software-as-a-Service (SaaS) solutions an organization implements, the more MFA controls need to be put in place. But users are getting authentication fatigue as they are constantly being required to enter those MFA tokens into sites throughout their day.
Beyond thinking about security, it is also important to focus on user experience and how frustrating it can be to constantly type in passwords and authenticate to internally hosted and external applications. The future lies in password-less capabilities. We trust our personal devices to authenticate us with our face, and now it is time to evolve that technology to include the devices we use for work.
Practicing good cyber hygiene, the fundamental cybersecurity best practices that an organization’s security team and users can undertake, is essential. Cyber hygiene is a balancing act between the responsibilities of IT operations and the security team. Foundational activities related to patch management should extend beyond operating system level patching to include firmware and applications. Organizations can no longer rely on annual penetration testing activities; they must be performing ongoing continuous vulnerability scanning and remediation to ensure known vulnerabilities are identified and mitigated as quickly as possible.
A key area that hinders progress is technical debt, which can take the form of a key business system still running on a mainframe application, or of a critical internal application or service written by an individual who no longer works at the organization. The inability to update vulnerable applications and systems is a key risk area and can greatly hinder the security of your organization. Many organizations ignore technical debt until it is too late.
Many organizations have transitioned into cloud hosted infrastructure services, and they are finding the transition more challenging than initially anticipated. Organizations should not lift an on-premises environment out of a co-location datacenter and shift it into a cloud-hosted service provider without addressing the nuances with the new technical capabilities provided by the cloud-hosted services. Organizations need to design a transition strategy that utilizes cloud native solutions to get the greatest return on the investment.
As the everyday use of generative artificial intelligence (AI) systems like ChatGPT grows, it is important to give employees specific guidelines about what is and what is not acceptable in order to ensure data security and privacy. Putting confidential information into generative AI platforms not approved by the organization is not a practice that should be supported. However, there are many AI-related internal capabilities that an organization can start to leverage that do allow more privacy and security. After communicating a clear and concise message to employees regarding external generative AI tools, it would be a good idea to consider introducing internal AI tools that can be trusted with privacy and security and can benefit your organization in the long run.
External cyber risks: Risks that you have limited control over
Unlike internal cybersecurity risks, your organization has little to no control over external cybersecurity risks. Despite this, many of the impacts are the same. If an external risk impacts your organization, you can still be held liable for it, whether it be legally or in the court of public opinion. It is always important to remember that hackers themselves are also running a business, and with organizations establishing more and more complex cybersecurity measures, hackers are getting creative and changing their tactics and methods of attack.
Social engineering is a broad category that includes any attack that uses deception or manipulation to trick its target, such as phishing or baiting. Some reports say that over 90% of all cyber-attacks rely on some form of social engineering. As more and more organizations employ more complex cybersecurity measures, hackers are not getting paid as frequently as in the past. Therefore, they are changing the methods and tactics behind their attacks, including multiple layers of attacks and growing forms of extortion. It is important to remember that many hackers are, more than anything, running a business. Scams are getting more complex and convincing and can come in the form of fake LinkedIn profiles, false job listings and the impersonation of company leaders.
While security may not be the daily role of your standard end-user, it must be in the back of their mind. Many are finding that annual cybersecurity training for internal employees no longer works. It is important to remind employees on a regular basis that security and protecting the organization’s data is everybody’s responsibility.
The importance of incident response readiness, in the form of ransomware prevention and malware detection, cannot be stressed enough. Over 70% of financial institutions have been targeted for ransomware attacks – and the attacks keep coming. The recent attack on Microsoft’s corporate network proves that no organization is too big or too tech-oriented to fall victim. In this case, hackers were able to launch a password spray attack against a legacy non-production tenant account. From there, they were able to pivot to other areas of the Microsoft network. Weak passwords with no form of two-factor authentication are often how hackers gain a foothold and take advantage.
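A password spray is few attempts per account across many accounts, which is exactly the shape that per-account lockout thresholds miss. The detection below is an added example written for this article, not code from the authors or from Microsoft; it assumes a simplified, constructed log format of `<ISO timestamp> <user> <source IP> <FAIL|SUCCESS>` and hypothetical thresholds (five distinct accounts within ten minutes). It flags a source that fails against many distinct accounts in a short window and then lists any account that subsequently logged in successfully from that source, which is the case an incident responder would triage first.

```python
"""Password-spray detection over constructed authentication log lines.

Added example; the log format, thresholds and sample data are assumptions,
not taken from the article or from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries many different accounts once each,
# then gets in; a second source is an ordinary user mistyping a password.
SAMPLE_LOG = """\
2024-02-01T09:00:01 alice 203.0.113.7 FAIL
2024-02-01T09:00:04 bob 203.0.113.7 FAIL
2024-02-01T09:00:09 carol 203.0.113.7 FAIL
2024-02-01T09:00:15 dave 203.0.113.7 FAIL
2024-02-01T09:00:21 erin 203.0.113.7 FAIL
2024-02-01T09:00:30 svc-legacy 203.0.113.7 SUCCESS
2024-02-01T09:05:00 alice 198.51.100.2 FAIL
2024-02-01T09:05:08 alice 198.51.100.2 FAIL
2024-02-01T09:05:20 alice 198.51.100.2 SUCCESS
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_password_spray(log_text, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct accounts} for every source whose failed
    logins hit at least `min_accounts` distinct users inside any `window`-long span.
    Keyed on the source rather than the account, because each account sees only
    one or two failures and never trips a lockout on its own."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts


def successes_after_spray(log_text, alerts):
    """List (user, source_ip) for successful logins from a flagged source;
    these are the accounts to treat as compromised until proven otherwise."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, ip, result = parse_line(line)
        if result == "SUCCESS" and ip in alerts:
            hits.append((user, ip))
    return hits


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_LOG)
    print("spray sources:", found)
    print("successful logins from spray sources:", successes_after_spray(SAMPLE_LOG, found))
```

In production the same logic would run against the identity provider's sign-in log rather than a text file, and the source key may need to be broadened (an ASN or a user-agent fingerprint) because sprays are routinely distributed across many IP addresses. The second function is the part worth keeping: a spray that ends in a success against an account with no MFA is the foothold the article describes.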
Incident response capabilities are like muscles – they need to be trained and tested on a regular basis. The question isn’t will something bad happen, it’s when something bad happens, how will we respond? Having a solid playbook put together to break down every step your organization will take in the event of a cyber-attack, along with tabletop exercises and practice, will prove to be fruitful in a low-cost capacity.
The proliferation of new technologies is exposing financial institutions to risks they may never have seen before. It seems like every organization is currently going through a digital transformation of some kind, which involves bringing in new partnerships and new technology vendors that can expose a financial institution’s infrastructure to vulnerabilities and attack. Many entities are still struggling with third-party risk, but fourth-party risk is a growing concern.
To grapple with these risks, leading organizations are hosting two- or three-day on-site conferences where they bring in all of their vendors for a vendor management seminar, discussing challenges, strategies, where each party is headed and what its needs are. By inviting third and fourth parties to the discussion, organizations forge better relationships built on open communication, and therefore gain a better understanding of the supply chain risks that everyone needs to address together.
Compliance risks: Risks you have to deal with
Operating in the financial services industry, compliance risks are risks you must deal with, and there is no way to avoid them. In the ever-evolving world of cybersecurity, mixed with regulatory expectations, the need to maintain an adequate cybersecurity posture is more important than ever.
Completing the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) is a significant task: it consists of responding to 39 questions to determine the inherent risk profile and then another 494 declarative statements, broken out across five cybersecurity domains. It is recommended that the CAT be revisited and reanalyzed at least annually. The results allow organizations to evaluate their cyber maturity across the five domains and determine their cybersecurity posture. However, there is always uncertainty about whether the CAT is really adding value. Many organizations go through it because they know regulators will inquire about it during the upcoming exam, and they assume that if something was misrepresented, it would be identified during the examiners’ review.
So, are organizations over-relying on the CAT to determine their cybersecurity posture? Typically, it is completed by one individual within the organization and then presented to executive leadership. However, very rarely is any validation performed over the responses management enters into the assessment. In many instances where we have been engaged to validate the CAT, we have identified that the control requirements described in the declarative statements are not suitably designed and/or operating effectively, leading to a change in the overall cyber maturity scoring. While the CAT is a comprehensive tool, completion without validation creates additional risk for organizations that may be misrepresenting their cybersecurity posture and making strategic decisions based on the results of the assessment.
Starting in 2023, the SEC added additional requirements for public companies’ cybersecurity disclosures with a goal of increasing accountability and enhancing transparency. The SEC adopted new rules that require publicly traded companies to report material cyberattacks within four business days. The key word in the rule is ‘material,’ and the SEC leaves the materiality threshold open to interpretation. Organizations are expected to internally define and document a threshold which can be quantitative or qualitative. However, the material determination must be made in a reasonable amount of time after discovery of the incident. Organizations are expected to disclose material aspects of the nature, scope and timing of the incident and the material impact on the registrants, including its financial condition and results of operations.
Additional requirements include providing summarized cybersecurity risk management strategy and governance information, including proof of Board of Directors oversight surrounding cyber risks within the 10-K.
Based on our 2023 engagements and trends identified, there has been an increase in risks posed due to lack of governance. With many organizations investing in technologies or vendor relationships, there is an assumption that no further oversight is required. This is leading to inadequate services being provided, incorrect data being produced and monetary losses. Even with these investments, proper governance and oversight is essential. Ongoing monitoring should be occurring to ensure that the technologies are providing reliable data to make practical business decisions. Executive management should be setting that governance tone at the top and ensuring that the rest of the organization also recognizes the importance of this.
As cyber regulations grow and the financial services industry evolves in the digital era, the need for robust cybersecurity measures has never been more critical. By adopting proactive measures to address internal and external cyber risks, and by staying vigilant in compliance with regulatory standards, you can bolster your cybersecurity defenses. A comprehensive and adaptive cybersecurity strategy is not only a necessity for protecting sensitive data, but also a cornerstone for maintaining the integrity of your financial institution. Below you will find the recording from our recent webinar, Navigating cybersecurity in 2024: Trends, controls and mitigating attacks. If you have questions regarding cybersecurity and risk management, schedule a 30-minute meeting with one of our banking industry specialists.