With the rapid digitalization of financial services institutions, cyber risks to customers, data, networks and operations are growing. With around two-thirds of consumers favouring digital engagement with their financial institution, the stakes are especially high: firms must secure these consumer interactions and also ensure the effectiveness and reliability of daily operations. Failure to do so can result in significant regulatory penalties (for example, Equifax agreed to a settlement of up to $700 million with U.S. regulators over its 2017 data breach) and material damage to brand reputation.
While financial institutions are encouraged to accelerate their digital transformation, they face operational resilience challenges. These stem from the proliferation of customer channels and an increased dependence on information and communication technologies (ICT), including AI and blockchain, at a time when operational incidents and cyberattacks are becoming more frequent.
Investing in state-of-the-art cybersecurity architecture creates both opportunity and risk: a flawed design or an incorrect implementation expands the attack surface and introduces instability rather than removing it. Organizations, in their quest to increase resilience and mitigate cybercrime, tend to focus on building up their internal defenses and often overlook the inherent security risks that third-party providers pose.
The Cybersecurity Risk of Third-Party Service Providers
Third-party providers of services to financial institutions serve many different companies and therefore constitute a concentrated risk: a compromise of the provider, or of infrastructure it shares across its customers, has the potential to propagate to every client it serves. These providers often have access to core IT systems, and if their staff are poorly trained or their own security controls are inadequate, they can become a key vulnerability. Any weakness in a third-party provider's IT estate therefore represents a direct exposure for a financial services firm. While such exposures are particularly consequential in a heavily regulated industry like financial services, the same applies to businesses in all sectors.
In response to the rapidly evolving cybersecurity landscape for the financial services sector, the European Commission introduced the Digital Operational Resilience Act (DORA) to improve the cybersecurity and operational resilience of financial services in the European Union. This legislation requires financial entities and their ICT third-party providers to meet a comprehensive set of ICT risk management requirements. It is intended to allow the European financial services sector to keep operating through serious operational disruption. Having this framework in place lets financial institutions assess their current environment against the new standards, identify gaps and potential downstream impacts, and build a robust mitigation plan to address them. Similar requirements are also being imposed in the U.K. following the Prudential Regulation Authority (PRA) Policy Statement (PS) 22/21.
Complying with Regulations that Boost Security
These new regulations provide a strong framework for strengthening the security of financial firms by subjecting all key players to comparable security requirements. Businesses must therefore design controls that are proportionate to the risks, focusing on ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and information sharing.
It is time for financial services organizations to get more serious about investing in the right technology and partnerships to modernize their IT systems and address risk. How should they do this? By adopting more capable incident detection and response, assessing the risks of engaging third-party providers before and during the engagement, tightening access control, improving risk identification methods and investing in employee education. In addition, closer cooperation between banks and other financial organizations through information sharing (on indicators of compromise, alerts and attacker techniques) will not prevent cyberattacks outright, but it contributes significantly to preparedness by reducing detection and response times.
The article Trends 2022: How to Survive the Evolution of Banking highlights the main areas banks should focus on to thrive in the future and withstand likely threats. The same guidance applies to other financial entities such as insurers, credit institutions and investment firms, all of which depend on digitalization.
ISG helps financial services firms assess their existing cybersecurity posture, mitigate identified gaps and maintain an appropriate level of vigilance. We help clients address internal and third-party risks with innovative approaches that comply with regulations and position them for growth in the digital era.