With Financial Sector Cyber Risks Soaring, What Are Your Options?
By Jason Harrell, DTCC Managing Director, Operational and Technology Risk, Head of External Engagement
Cybersecurity continues to top the list of risk management concerns across the financial services industry.
A survey of more than 200 operations and risk professionals at the end of 2021 saw respondents naming cyber risk the top overall threat to the industry. More specifically, over half the respondents cited cyber risk within their top five threats, with 24% identifying it as the top risk facing the global financial system in 2022.
With the evolving nature of the cyber threat environment and the technology-driven shifts in the delivery of financial services, it is critical that firms routinely assess their security measures to address the changing risks they face.
Keeping our “eyes wide open”
In carrying out continual assessments of risk, firms should be mindful of how the geopolitical environment, pandemics, and natural disasters may impact business operations so that they can develop the capabilities necessary to address threats quickly and effectively.
Surprising developments in ransomware, third-party, and emerging technology risks have required firms to re-examine their exposure to these threats.
A quick review: ransomware attacks are on the rise globally.
- In the US, the FBI received more than 2,400 reports of ransomware attacks in 2020, which cost victims at least US$29m.
- In the UK, the infamous 2017 WannaCry cyberattack reportedly cost the NHS £92m through services lost during the attack and IT costs in the aftermath.
- In Asia, Singapore rose from being ranked 44th for the share of ransomware attacks in 2019 to 21st in 2020.
Attacks can and sometimes will get past defenses; it is how an organization responds when an attack occurs that is critical. To hone response capabilities, tabletop exercises and simulations that replicate ransomware attacks can help firms prepare for these types of events and work toward timely recovery.
Supply chain attacks
The landmark case of the 2020 SolarWinds breach is an example of a supply chain attack, in which the intrusion into the victim’s network was facilitated by first compromising one of the victim’s trusted suppliers.
Supply chain attacks can have broad impacts due to the interconnectedness between financial institution systems and the expansive customer base of the third-party provider. Because of this growing risk, financial services firms are applying robust risk management practices around the adoption of any new software or third-party products to identify security, governance and control weaknesses.
Further, firms are developing process maps for the people, processes, technology and third-party suppliers needed to deliver critical operations. These maps will help firms identify how attacks may impact their operations so that they can develop plans to mitigate those risks.
Adoption of new technologies
Any change to a firm’s technology composition may create new risks or change how existing risks are realized.
While not an explicit threat like ransomware or a supply chain attack, the adoption of any new technology requires firms to re-evaluate the potential risks created.
This is particularly relevant as fintech adoption in the Asia Pacific region is on the rise. Traditionally, financial services technological adoption and transformation have been somewhat muted, with firms in the sector often running technology and infrastructure that is proven and tested. However, as firms consider their modernization journey and deliver new capabilities and services, new and emerging technology must inevitably become part of that analysis.
It is imperative that firms have a robust risk framework, whether the new technology is delivered within the firm or by a third party.
Everyone is a cyber stakeholder
The events of the last two years have challenged local and global economies, with cybercriminals increasingly looking to capitalize on these events.
To protect the industry in the face of an evolving threat landscape, firms need to increase both the rigor and flexibility of their cybersecurity and risk management activities.
Keeping our collective eyes wide open will necessitate consistent discipline in conducting simulations, reassessing security measures, and considering the interconnectedness of everything — and how the adoption of new technology impacts cybersecurity posture.
This article was originally published in CyberSec Asia on April 1, 2022.