Since financial services industry collects, stores, and transmits sensitive non-public informationinformatino, malicious actors continue to target it. As the financial services industry embraces digital transformation, it opens itself up to new risks. Cloud infrastructures act as a primary target, leading to new risks arising from the new technologies. Emerging risks facing the financial services industry require continuous monitoring to retain a robust cybersecurity posture.
Risks in Financial Services
How the Current State of Cybersecurity Breaches Impacts The Financial Services Industry
The 2019 Verizon Data Breach Investigations Report detailed cybersecurity trends in the financial services industry.
The Verizon analysis details numerous breaches across a range of industries indicating no organization is impenatrable. The financial services industry, for example, experience a level of attack that ranks fourth in number of incidents and disclosures having:
- 927 incidents
- 207 with confirmed data disclosure
Top 3 Patterns
Awareness of patterns of attack assist in breach prevention and allow the organizations to better secure frequently targeted areas. Out of the nine categories of security incidents, three comprised 72% of all data breaches:
- Web Applications
- Privilege Misuse
- Miscellaneous Errors
Attack pattern awareness provides only part of the picture, attack origin is necessary for a comprehensive analysis. Organizations tend to focus only on external attackers when architecting their security. However, over a third of all threat actors are internal to an organization which changes the security needs.
- 72% of breaches were External Actors
- 36% of breaches were Internal Actors
- 10% of breaches involved Multiple Parties
- 2% of breaches involved Partners
Trends in data targeted within the financial services industry serve as a directional guide when designing security solutions. Knowing the target data is the first step in protecting it.
- 43% of compromised data involved Personal information
- 38% of compromised data involved Credentials
- 38% of compromised data involve Internal information
Regulatory requirements mandate financial services organizations monitor, process and protect millions of transactions daily. The numerous compliance activities necessary to manage the ever-evolving threat landscape, demand a robust risk management program. Regulatory compliance combined with informed security decisions offers comprehensive prevention of security incidents.
What New Regulations and Standards Impact Financial Services?
Regulations and standards provide guidance that assists businesses in ensuring cybersecurity. While aligning with new regulations necessitates expenses, the return on investment far outweighs the costs. Potential penalties associated with breaches or failed audits further incentivize compliance.
General Data Protection Regulation (GDPR)
The GDPR creates a broad privacy law governing all data controllers and data processors established in the EU and outside the EU who have contact with EU citizens. The GDPR focuses on personal data related to identified or identifiable data subjects and prohibits processing that information under a defined set of categories.
The GDPR contains rights such as opting out of processing data for marketing purposes or withdrawing consent for processing activities. While the financial services industry has been required to engage in opt-out notifications for a long time, the GDPR also requires financial services organizations to ensure that they can locate and delete personal information upon request.
California Consumer Protection Act (CCPA)
The CCPA focuses only on for-profit entities doing business in California who meet one of the following three requirements:
- Gross revenue greater than $25 million
- Annually buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices for commercial purposes
- Earns 50% or more of annual revenue from selling personal information
Of note, CCPA also applies to entities controlled by or shares a common branding with a business that meets the above requirements.
The CCPA focuses on consumers which it defines as either people living in California for more than a temporary period or California residents whose primary residence is in the state but residing outside the state for a temporary period. It can, however, also include customers of household good and services, employees, or business-to-business transactions.
How Continuous Monitoring Enables Continuous Assurance
Continuous auditing provides in-depth, real-time analytic evidence demonstrating how closely a company is adhering to security policies and procedures. As threats evolve, risk management activities need to evolve. Risk analysts propose new controls based on the new threat landscape. Internal auditors need to ensure that established controls are consistently applied to all information systems.
Continuous assurance uses automated systems to collect documentation and indicators about your information systems, processes, transactions, and controls. Using these tools, your auditors can collect information from processes, transaction, and accounts in a more timely, less costly manner that allows you to move away from point-in-time reviews. Continuous assurance activities prove that you know your environment and identify noncompliance immediately.
Where do continuous monitoring and continuous assurance fit into a “security-first” compliance program?
Regulations and standards increasingly focus on management’s governance over your cybersecurity compliance program. A continuous monitoring tool provides management the visibility into emerging threats that allow them to make decisions based on their risk tolerance.
Once you respond, you need to update your control and risk assessments, and you need to prove that you complied with standards and regulations. Your continuous audit tool allows your internal auditor to review your security controls for compliance alignment.
Essentially, you need a tool that connects the continuous monitoring of a security-first approach to compliance with the documentation required to support an audit of your controls and procedures. This is where the two tools overlap.
How ZenGRC Enables the Financial Services Industry to Manage Emerging Risks
Compliance programs require communication between internal and external stakeholders and an audit system that enables this.
ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your team members know how to plan their activities.
ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness making compliance documentation easier.
Additionally, it helps you create an audit trail by documenting and remediation activities to support your responses to auditor questions.
Using ZenGRC’s single source of information platform can speed up internal and external stakeholder communications and provide all documentation necessary thus reducing external auditor follow up requests.
For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.