Cybersecurity is a key issue for investors, consumers, regulators and employees in the financial services industry all the way up to boards of directors.
As a year when major breaches were headline news draws to a close, stakeholders wonder what new cybersecurity horrors lie ahead. How bad will they be?
Cybersecurity experts at Booz Allen have looked ahead to 2015 and beyond, and identified future threats and new approaches to cybersecurity.
“When it comes to cyber, clients are wary that they are studying to fight the last war,” Bill Stewart, a Booz Allen senior vice president who heads the firm’s financial services sector, said in a statement. “They’re looking for a fundamentally different way to deal with the cyber threats of the future, based on a clear understanding of those emerging threats.”
Booz Allen strives to figure out how the nature of attacks will evolve with what it calls a lifecycle approach: anticipate, protect, detect, respond and recover.
“When you link together all of these segments, they become very powerful tools that can help our clients thrive in this time of increasing peril,” Booz Allen principal Albert Belman said in the statement.
Following are Booz Allen’s top financial services cybersecurity trends for 2015:
1. Third-party risk tops the list.
Companies understand the potential cyber risks associated with partners, vendors and other third parties, and are feeling more pressure from U.S. and European regulators to better manage this risk. In 2015, a shift will occur toward active cyber risk mitigation and monitoring with third parties, versus the current self-certification process that is proving less reliable.
Third-party relationships will cease being an afterthought. Security will be built into any product, service, solution or software capability provided by a third party, and will be subject to frequent testing and updates.
2. Rise of the “fusion center.”
Financial services institutions’ search for a holistic, integrated approach to cybersecurity has often proven elusive. Now, firms are building cyber “fusion centers” that better integrate teams focused on fraud, cyber, IT, physical security and product development to boost intelligence, speed response, reduce costs and leverage scarce talent. The result is more efficient and faster threat awareness and mitigation.
3. Defending raw data.
How does a financial services firm protect its most valuable, sensitive and regulated data, and where is it located? In 2015, the discussion will move away from “building bigger walls” to a “defense in depth” risk-based approach around high-risk and high-value repositories that limits the value of raw data, such as debit card PINs.
The use of tokenization, chip cards and other solutions will increasingly render stolen data useless to hackers.
4. New hacker opportunities.
New electronic wireless payment systems are a boon to hackers as they present more targets. In particular, use of underlying technologies like Bluetooth or near-field communications creates opportunities for cyber attacks and breaches.
Simple “bench testing” of new systems will no longer suffice. Companies must adopt a holistic approach that assumes a breach will happen and protects the data.
5. Cyber crime analysis evolves.
Cyber-crime analysis will increasingly move toward more of a big data approach. The use of powerful, real-time analytics across multiple structured and unstructured data will vastly improve the quality and speed of real-time cyber threat analysis while greatly reducing overall cost.
6. Hacktivism infects the Middle East.
Hacktivism will become a major threat to financial services institutions in the Middle East as it has long been to U.S. and Europe-based multinationals. The proliferation of cyber tools and hacking knowledge is giving independent hackers and loosely connected groups that have adopted local grievances an opportunity to participate in cyber attacks against the region’s financial sector.
Some popular targets are already emerging. In early August, regional hacktivists — Izzah Hackers and AnonArabOps — attacked the Saudi Stock Exchange (Tadawul).
7. Cyber problems hit developing nations.
Phishing, ATM skimming and banking malware are no longer the sole concern of Western or multinational financial firms. Economic prosperity and light-speed growth in mobile banking in some developing countries have bypassed regional and local financial organizations’ ability to manage threats.
Industry research shows that the Gulf Cooperation Council region experiences ongoing threats, including widespread banking malware in the United Arab Emirates and a significant amount of phishing attacks in Saudi Arabia.
8. War gaming aids response preparation.
Financial services firms will adopt military approaches to preparation and simulation training. In particular, the use of war gaming — as opposed to more rudimentary testing — will help firms better understand and prepare for those seeking to attack their cyber defenses.
9. Privacy has changed.
The next generation of privacy is focused on transactional, behavioral and navigation information generated as individuals move and interact through the online and physical world. This information is currently unregulated, yet consumers expect a high level of protection.
Companies that manage this well will create a competitive advantage through customer loyalty and insight.
10. Cyber insurance usage grows.
The National Institute of Standards and Technology’s Cyber Security Framework, financial statement reporting requirements and directors-and-officers insurance risk have created a new perfect storm of potential liability.
The insurance industry, where premiums are projected to grow to more than $2 billion, is racing to actuarially quantify new cyber risks and to carve out coverage of large, uncertain future risks. Insurance companies — increasingly litigating with policy holders over coverage — are insuring not only future financial loss, but also brand, reputation and goodwill.