In the good old days — five years ago — the leaders of financial services firms thought their hardest risk management issues were such things as regulatory compliance, bad debt and liquidity risk.
Looking ahead to 2014, board members, CIOs, chief risk officers and chief information security officers at big and small firms are acutely worried about cybersecurity risk management, calling it the “new normal” of persistent threats, according to Booz Allen, a provider of management consulting, technology and engineering services.
Increasingly, wealth managers, hedge funds and midlevel banks are on attackers' radar, Booz Allen says.
In recent years, executives have seen how distributed denial of service (DDoS) attacks from the Izz ad-Din al-Qassam Cyber Fighters had the potential to destroy data as well as reputations.
Cyberattacks, they learned, threaten a bank wherever it does business, not just where it is headquartered. And they witnessed the critical benefits of public-private information sharing.
“As financial institutions increasingly deploy mobile and cloud technologies and integrate their partners, suppliers and customers, their data perimeters are becoming much harder to define,” said Bill Stewart, senior vice president and head of Booz Allen’s commercial finance program, in a statement.
“As a result, some are essentially redefining the concept of a network perimeter. They do this by developing a much more dynamic cybersecurity approach that includes actionable threat intelligence, advanced adversary hunting as well as data protection and access controls developed at a much greater degree of granularity.”
Here are the top financial services cybersecurity trends for 2014, accoring to Booz Allen's annual list.
1. Identifying Actionable Intelligence
Major financial institutions process enormous volumes of potentially relevant information, but find actionable intelligence harder to identify. Fusing threat intelligence with other disciplines, such as incident response and fraud prevention, is a proven method for connecting data elements to create actionable intelligence, according to Booz Allen. Although total accuracy can only be a goal, an active defense is critical to protecting against offenders that become exponentially smarter with each attack.
2. Mobile Security Platform Weaknesses
Cross-platform malware, such as the crimeware kit Perkele Trojan, has identified large gaps in mobile device security. These threats take advantage of weaknesses in mobile device platforms when information is sent to a hacker who then “owns” the device. Although still a local Middle East phenomenon, Perkele is expected to lengthen its reach during the holiday season as consumers increase their online purchases.
3. Criminals Follow the Money
Countries across the Middle East, Latin America and Asia Pacific are making rapid progress in modernizing their economic infrastructures. This puts them on sophisticated attackers’ radar. The Saudi Arabian Monetary Agency, for instance, reports that fraudulent operations target Saudi and Gulf Cooperation Council banks once every 14 seconds.
4. Mid-Tier Opportunity for Attacks
Attackers are moving down the food chain to mid-tier and regional banks, wealth management organizations, hedge funds and the like, which often lack the financial and technology resources and manpower to introduce widespread cybersecurity protections. When grouped together, these organizations are like a row of dominos that, when attacked, can create a cascade of systemic risks that could affect banks of any size.
5. Firmwide Approach to Security
Today’s cyber “hygiene” challenges can no longer be a responsibility solely of IT. Booz Allen says banks need to develop multidisciplinary teams that include IT, human resources, internal communications, marketing and legal to communicate to all staffers the importance of being cyber-risk aware and knowing what to do when a concern arises.
6. Opportunity for Cybersecurity Insurance
The National Institute of Standards and Technology cybersecurity framework moves financial services firms closer to a set of voluntary guidelines that would create a de facto “standard of care.” This would then make private sector enterprises liable in the event of cyber breaches in which personally identifiable information or other valuable data are destroyed or taken over by attackers. Although this creates liability risk for banks, it also opens the window for the insurance industry to offer policies that help firms offset this liability.
7. Data-Level Security Requirement
As banks’ operational data are moved to the cloud, proper security controls are necessary to ensure banks not only avoid sharing sensitive data, but also defend against adversaries moving laterally across their data sets. As part of this transition, financial institutions can upgrade security architectures and integrate improved controls. The new architecture would allow for the deployment of advanced analytics to deal with enormous volumes of security data to better identify trends of malicious behavior.
Check out more Top 10 lists on ThinkAdvisor: