5. Predictive Threat Intelligence Analytics Will Create a More Effective Risk Management Capability: Financial services firms must begin to employ a more predictive threat intelligence capability to determine who might be trying to attack them and how. Focusing on understanding their own individual business risks, (as well as industry risks), and combating real potential threats that could focus on such risks is much more effective than trying to create a defense that could cover any possible threat.
6.Vendor Risk Management Is Becoming an Increasingly Important Concern Among Firms: Most firms buy much of their information technology and services from suppliers. Therefore, these suppliers' vulnerabilities become the vulnerabilities of the firms they provide products and services. Firms are becoming more focused on the security requirements for these suppliers and engaging independent third parties to evaluate the risks around such products and services.
7. Cyber Risk Continues to be a Board-Level Issue: Information, legal documents, communications with clients and employees are all becoming more and more electronic every day to include an even greater usage of mobile technologies and social media. The boards of financial institutions must create and embrace a culture that acknowledges the evolving risks and more openly share incident information across the industry, with technology providers and with both law enforcement and the federal government.
8. Firms Must Continue to Embrace and Adapt to the New “Boundless Network”: Cloud, social and mobile technologies, including "Bring Your Own Device" (BYOD), are simply too cost efficient and effective for institutions to ignore them. Security and risk professionals need to better integrate these technology trends, which will require they embrace the fact that the corporate network now has extended beyond their control. Risk management and mitigation is evolving to better control how corporate data travels these boundless networks and ensuring the education of their employees on the responsibilities they have in securing such data.
9. Identity and Access Management Is Becoming a Key Security Control Area: The days of focusing solely on perimeter defense have long since past. Phishing and other social engineering strategies employed by threat actors have been very effective in allowing them to penetrate almost any network. Banking institutions must assume these actors can get in. Ensuring proper identity of an authorized individual is a key area that is being addressed by all firms in all industries to address this new paradigm. Most threat actors employ a strategy to gain access to networks and information by gaining access to valid authorized credentials of a firm's employee so that they can go undetected in their actions. Firms will continue to invest heavily in ensuring that an authorized user is actually an authorized user. Additionally, firms will invest more heavily in tracking unusual activity of a user to detect stolen credentials or an insider threat.
10. The Financial Services Industry Will Rely More Heavily on Cyber Benchmarking: The FS industry is investing more and more in protecting its information assets and wisely spending these scarce dollars is becoming increasing important, not only from an effectiveness standpoint, but to also be able to articulate to business leaders, the value of such an investment. The FS industry, therefore, will continue to use industry benchmarks to understand how their competitors and suppliers are investing in people processes and technology for cyber risk management.