Since the financial services industry collects, stores, and transmits sensitive non-public information, malicious actors will always target this sector. And as the U.S. financial services industry embraces digital transformation, it opens itself up to new risks and cyber threats, such as:
- Denial of service or DDOS attacks
- Banking trojans
- Financial scams
- Data theft
At the same time, financial firms have also expanded the realm of assets they manage: ATMs, bank accounts, credit cards, cryptocurrency, and more. That expansion means more targets that cyber-criminals can pursue—directly, digitally, through third-party vendors, and even via the cloud.
Cloud infrastructures in particular are a target for cybercriminals. This innovation has led to the need for new risk management protocols to combat cybercrime from new technologies and service providers as well as protect sensitive data.
All of these emerging risks mean that the financial services industry needs continuous monitoring to maintain a robust cybersecurity posture.
Before we review the steps you can take to protect your organization, let’s talk more about the current state of cybersecurity and corresponding new regulations.
The Current State of Cybersecurity Breaches to Financial Services
The 2020 Verizon Data Breach Investigations Report details the top operational risks to the cybersecurity of banks and other financial firms. The financial sector ranked fourth among all industries for the number of incidents (1,509) and confirmed data disclosures (448). Both numbers were double the prior year’s report.
Top 3 Patterns
Compliance officers must be aware of trends in operational risk for banks so they can secure assets more effectively and develop appropriate breach prevention protocols. Out of the nine categories of security incidents in Verizon’s report, 81 percent of all breaches fell into three of them:
- Web applications and network security
- Privilege misuse
- Miscellaneous errors
Threat intelligence is only part of the picture; a comprehensive analysis must also consider the threat actors who launch attacks. Too often, financial firms focus only on external attackers when designing security systems. In reality, however, more than one-third of all threat actors are internal to the firm.
- 64 percent of breaches were external actors
- 35 percent of breaches were internal actors
- 1 percent of breaches involved multiple parties
Trends in the types of data targeted in attacks can also inform compliance officers when designing security solutions. More statistics from the Verizon 2020 report:
- 77 percent of compromised data involved personal information
- 35 percent involved user credentials
- 32 percent involved banking and financial information
- 35 percent involved data that came from other sources
Financial firms are obligated by regulatory requirements to reduce their operational risk by creating processes that govern the monitoring, handling, and protection of their transactions. Maintaining a robust cyber risk management program is part of that duty. Understanding the nature of the threats against the industry is the first step to build that program.
What New Regulations and Standards Impact Financial Services?
General Data Protection Regulation (GDPR)
The GDPR is a broad privacy law in the European Union governing all data “controllers” (organizations that collect personal data) and data “processors” (organizations that somehow process that data, even for other businesses) that either are established in the EU, or that handle the data of EU citizens regardless of where the business is based.
The GDPR focuses on personally identifiable information (PII) and allows the processing of that data only under a certain set of guidelines. For example, the GDPR grants EU citizens rights such as opting out of data collection for marketing purposes or withdrawing consent for processing activities.
While the financial services industry has been required to engage in opt-out notifications for a long time, the GDPR also requires financial services organizations to assure that they can locate and delete personal information upon an EU citizen’s request; or rectify incorrect data; or provide a complete record of PII to the consumer upon request.
California Consumer Privacy Act (CCPA)
The CCPA focuses on for-profit entities doing business in California that meet one of the following three requirements:
- Gross revenue greater than $25 million
- Annually buys, receives, sells, or shares personal information of more than 50,000 California residents, households, or devices for commercial purposes
- Earns 50 percent or more of annual revenue from selling personal information
CCPA also applies to entities that are controlled by, or share common branding with, a business that meets the above requirements. It can apply to non-profit organizations under some circumstances, but not all non-profits are automatically covered.
The CCPA is another privacy law—similar to the GDPR, but not identical to it. The law protects consumers, which it defines as either people living in California for more than a temporary period or California residents whose primary residence is in the state but who reside outside the state for a temporary period.
The CCPA offers many of the same rights to consumers as the GDPR. For example, persons have a right to see what data the business has collected about them; the right to opt-out of data collection; the right to have data about them deleted; and the right to equal service from the business even if they don’t agree to data collection.
How to Manage Threats to the Financial Services Industry
Continuous auditing provides in-depth, real-time analytic evidence demonstrating how closely a company is adhering to security policies and procedures. As threats evolve, risk management activities need to evolve along with them.
Here are a few ways financial institutions can respond to a changing threat landscape and assure that established controls are applied consistently to all information systems.
- Use automated systems to collect documentation and indicators about your information systems, processes, transactions, and controls.
- Move away from point-in-time reviews by collecting information from processes, transactions, and accounts in a more timely, less costly manner.
- Use a continuous monitoring tool as part of your governance and cybersecurity compliance program. A continuous monitoring tool provides management the visibility it needs to prevent cyberattacks and make better decisions based on risk tolerance.
- Update your control and risk assessments frequently, so that in the event of an audit you can prove that you complied with standards and regulations. Your continuous audit tool allows your internal auditor to review your security controls for compliance alignment.
The message here is that financial firms should use a tool that ties together the continuous monitoring of a security-first approach and the documentation required to pass an audit of your controls and procedures.
How ZenGRC Enables the Financial Services Industry to Manage Emerging Risks
ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your security team members know how to plan their activities.
ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness, which makes compliance documentation easier. It also helps to create an audit trail by documenting remediation activities to support your responses to auditor questions.
Using ZenGRC’s single-source-of-information platform can accelerate internal and external stakeholder communications, and provide all documentation necessary, which reduces external auditor follow-up requests.
For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.