Constant Evolution: Cyber Threats, Regulation and Technology
The cyber landscape is changing fast. Year over year, organizations face new threats and tactics from threat actors who want to capitalize on the security shortfalls of financial institutions. While these risks change, one thing remains the same: the need for robust cybersecurity to defend against evolving threats and threat actors.
Financial institutions are a prime target for cybercriminals as they process monetary transactions and house highly sensitive customer and financial data. Cybercriminals also know financial institutions have easier access to funds to pay off ransoms than many other businesses, such as small online retailers. And these criminals know reputation is everything and may threaten to leak company data or expose the hack publicly.
Assessing the risk landscape is a critical first step to ensuring financial institutions are protected from evolving cyber risks. Before investing in technology to bolster your firm’s cybersecurity efforts, you must fully understand what risks you are up against and create a well-thought-out plan to mitigate these risks. Mindlessly throwing software solutions at issues is not an adequate fix. While technology suppliers and vendors can offer valuable solutions to protect against cyber-attacks, it can be money wasted if your business does not invest in the right solutions.
Mitigate third party risk
Cybercriminals continue to attack critical supply chains that are vital for all businesses including financial institutions. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. Securing the supply chain and ensuring proper third party and vendor risk management is now as crucial as your in-house risk management process.
Today, businesses across verticals rely on third party vendors to perform daily business operations. The financial services industry is a large consumer of outsourced technology, elevating exposure to potential third party risk. As financial institutions continue to adopt permanent hybrid work policies and ramp up technological transformation efforts, the need for proper third-party risk management is evident.
Firms must continuously ask questions and gather data to ensure vendors are following the proper procedures to secure their data and privacy, from the vendor search to long-term vendor relationships. Performing adequate due diligence and allocating resources to third party risk management is necessary for financial institutions to minimize supply chain based cyberattacks.
Emerging technologies
As the threat landscape continues to evolve, so too do technologies aimed at protecting firms. For example, Extended Detection and Response (XDR) combines endpoint detection and network protections to provide a holistic overview of abnormal activity from multiple data points. With XDR, technologies can work in conjunction from technical controls (such as anti-malware protection) to cloud security and network security.
XDR is just one example of new emerging technologies that have entered the cybersecurity marketplace. As technology evolves, new technologies can be configured to meet your firm’s specific cybersecurity needs and work in tandem with the systems and processes your firm already uses.
Use available government resources
Governments across the globe recognize how critical it is to protect critical infrastructure, including financial institutions, from cyberattacks, and regulators are taking different approaches, from legislation to working groups.
The Kaseya attack last year displayed the critical nature of protecting software supply chains, and government action in response to disruption. While fewer than 60 direct customers were affected, over 800 global businesses were impacted through their supply chain. In response, CISA released Guidance for Affected MSPs and their Customers.
This government focus has resulted in threat intelligence that is more coordinated and available to private businesses and security firms than ever before. For example, in the US, CISA publishes Top Routinely Exploited Vulnerabilities, highlighting critical vulnerabilities threat actors continue to exploit. In the EU, ENISA releases annual Threat Landscape Reports, identifying threats and attack techniques and offering relevant mitigation measures. These freely available government resources provide insight into the evolving threat landscape and current trends and can be used to inform your firm’s cyber preparedness and plans.
Regulation is king
As regulators become more focused on cybersecurity, we can expect multiple governments to introduce new regulatory efforts aimed at pushing financial institutions to prioritize cybersecurity and ensure compliance.
Different localities are taking different approaches. In the US, the SEC listed cybersecurity as one of its examination priorities in 2022. In the UK, FCA/PRA released rules to ensure cyber resilience. In Asia, the Monetary Authority of Singapore (MAS) has acted to prevent cyberattacks on financial institutions. It’s clear that regulators across the globe are prioritizing cybersecurity for financial institutions.
Navigating the evolving cybersecurity landscape
Today’s cybersecurity landscape is increasingly complex and multidimensional, but this should not scare you or deter your cybersecurity efforts. Rather, it should serve as a wake-up call to prioritize cybersecurity efforts at your firm.
Robust cybersecurity is possible for any firm of any size. The goal of cybersecurity efforts should be to become a resilient and trusted financial institution. The first step is to understand the risk and regulatory landscape, constantly analyze and reassess your defenses and incident response plans, and invest in the solutions, talent and technologies that will ensure your firm remains protected and compliant.
Simon Eyre, CISO, Drawbridge.
Source:
1. https://www.gartner.com/en/newsroom/pressreleases/2022-03-07-gartner-identifies-top-security-and-riskmanagement-trends-for-2022
2. https://www.cisa.gov/uscert/kaseya-ransomware-attack
3. https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
4. https://www.enisa.europa.eu/topics/threat-riskmanagement/threats-and-trends