By Rob S. Hegedus, CEO Sera-Brynn
As the only cybersecurity firm in North America directly partnered with a large financial organization, Sera-Brynn is uniquely positioned to observe the operational complexities and security needs of the financial services industry. Our support to this critical industry has revealed some commonalities among its members, whether they be large multi-billion dollar international banks or small community credit unions. From my perspective, here are the top five:
1. They’re paying too much for technology.
In numerous instances we’ve seen banks and similar institutions trying to manage years of layered technology purchases made to keep up with the latest threat environment or to adapt to periodic internal organizational changes. What inevitably results is redundancy in some capabilities and, in the worst cases, other capabilities being overlooked entirely. The cross-pollination of SIEM, endpoint security, access management, and threat intelligence solutions can quickly become burdensome for IT support staff. Smart institutions are auditing their security infrastructures, getting rid of redundancies, and upgrading where necessary.
2. They’re probably already compromised.
Chances are the intrusion is benign. However, all systems have weaknesses that can be exploited, and high-value targets are more likely to be attacked. We’re observing more and more financial institutions turning towards threat hunting to find the unauthorized interloper and to see what, if any, damage has occurred (or could occur). No system is impenetrable, and this proactive approach already adopted by other industry verticals helps explain why security testing is the fastest growing segment of the financial services cybersecurity market.
3. There’s always room for improvement in Cyber Incident Response.
Some personal experience: in the best of cases, Sera-Brynn was able to follow the “digital crumbs” of a financial breach and help recover domestic funds from overseas bank accounts. This was only possible because we were asked to start the forensics process almost immediately after the breach was detected. This is the exception, not the rule. In cyber incident response, speed is everything, and every organization we’ve worked with has had room to improve their response time. This leads to the next observation:
4. They aren’t testing their response procedures enough.
Vigilance (and detection) only go so far; response actions must be tested deliberately and habitually. The axiom “time is money” has never held more relevance than when the difference between thousands of dollars and millions of dollars lost can be measured in minutes. An established and tested incident response plan, whereby all stakeholders are aware of their roles and responsibilities, will significantly decrease the time from breach detection to response actions.
5. The industry should continue elevating the role of the CISO (or CSO).
A common trend throughout the financial services industry is the gradual promotion of the CISO to a position equal to, yet separate from, the CIO. This should continue. We’re seeing more and more banks and credit unions adopting this C-level philosophy, whereby the CISO has responsibility for the cybersecurity lifecycle, which includes breach response, overseeing security policy development and implementation, and validating the financial institution’s IT investments with a focus on security. This is a very positive trend.
One final note:
Our clients within the financial services industry are well aware of the approaching changes to their cybersecurity regulatory environment. A little over two months ago, New York State enacted into law the “financial cybersecurity rule”, specifically Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York. In a nutshell, it’s a financial regulatory compliance requirement with detailed protection programs, policies, and procedures that financial institutions must adopt to protect their information systems from cybersecurity threats.
This regulation will spur financial regulators in other states to consider imposing cybersecurity requirements on their financial services firms. For example, the Colorado Department of Regulatory Agencies, Division of Securities, recently proposed new cybersecurity rules applicable to broker-dealers and investment advisers. If adopted, Rules 51-4.8 and 51-4.14(IA) would require broker-dealers and investment advisers to establish written cybersecurity procedures that meet a number of specified requirements and include cybersecurity as part of their annual risk assessments.
The bottom line is that cybersecurity regulatory compliance requirements in the financial services industry are only going to increase, and the observations noted here are all applicable to meeting those standards once they become mandatory. In my opinion, the smart financial institutions addressing the items above are already getting ahead of the game.
Sera-Brynn is a leading global cybersecurity audit and advisory firm. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #10 worldwide on the Cybersecurity 500 list and supports clients within the financial services industry throughout North America.