Data security and cyber security are always important issues for financial services firms. After all, almost every business line in the industry depends on good, clean data. Until recently, however, cyber security hadn't received all that much attention, since firms had traditionally done a pretty good job of protecting against attacks.
This changed, however, when the Izz ad-Din al-Qassam Cyber Fighters attacked major financial institutions in September with what is thought to be the largest distributed denial of service (DDoS) attack in history. Bank of America, JPMorgan Chase, Wells Fargo and PNC Bank were all targeted and had service disruptions to their online banking portals.
Luckily, no major damage was caused by the September attacks, but banks aren't taking any chances. Many are doing a lot of work to bolster cyber defenses and are working with federal agencies to help protect against the next attack, according to speakers at the Bloomberg Link Enterprise Risk Conference last week.
"When we think about the lethal daily threats to the globally integrated financial services industry from nation-states and individuals, it is imperative that Chief Information Security Officers begin looking around corners, talk with each other and better prioritize the real threats to their firms," said Mike McConnell, Booz Allen vice chairman and former Director of National Intelligence in a statement. "Self-evaluation and industry-wide conversations are the new 'rules of the road' to creating successful, integrated cyber defenses. The CISO can really drive organization-wide change while still championing efficiency and customer service."
Here are Booz Allen Hamilton's Top 10 Financial Services Cyber Risk Trends for 2013:
1. Business/Information Risk Protection is not Just a Technology Issue: Spending on new technology alone is not enough to protect a firm's information and business. Firms must also invest in people and in fine-tuning processes to ensure not only the proper use of technology, but also that the processes that require interfaces between organizations are well managed and executed flawlessly. No matter how good a technology is, if it is not used correctly by skilled employees who follow well-defined processes, vulnerabilities will surface that can be leveraged by both internal and external threat actors.
2. Data Disruption Attacks May Become Data Destruction Attacks: The potential of threat actors actually destroying data is a major concern among risk and security professionals. Over time, the financial services industry will face threats from extremist groups who, when denied access to weapons of mass destruction, will use cyber as a "weapon of mass disruption." Additionally, threat actors who mean to disrupt a firm's business operations to make a statement or prove what they consider a moral point will also utilize destruction of data to ensure they make an impact.
3. Nation States and Threat Actors Are Becoming More Sophisticated: We now have to face more sophisticated threat actors such as smaller nation states and terrorist elements obtaining similar capabilities. The financial services industry must fully understand the entire threat landscape and what this means in terms of employing the right people, technology and processes to ensure business continuity and proper risk management.
4. Legislation Could Push Industry Standards Around Cyber Risks: Banks already share information, but they will need to do more in light of possible legislation to set standards for cyber protection. If Congress allows the sharing of important national security information, industry standards could become a benchmark requirement that firms must meet before they are given access to government information. Additionally, such legislation could help in reducing the valid fears of firms in sharing cyber incident information due to the threat of penalties and further regulation. The industry and government must acknowledge and treat firms as part of the nation's critical infrastructure because a breach at any one bank or firm can have severe, cascading effects on the nation's stability.