Cybersecurity in Financial Services — A CSC Point of View
Author: CSC Cybersecurity's Christian Haider and Chandra Prakash Suryawanshi
Today’s financial services institutions are challenged globally to keep pace with changing and covert cybersecurity threats. The likelihood and potential impact of newer more sophisticated attacks breaching an organization has moved security front-and-center on most executive boards’ agendas.
Download the paper, Cybersecurity in Financial Services, to read our point of view on the top security challenges financial services institutions face, ranging from geographically diverse compliance requirements and cross-border regulatory challenges to expanded vulnerabilities due to increasing supply chain and partner integration.
The paper also presents CSC’s view on how to best prepare and defend against increasingly sophisticated and well-funded threats, and suggests mitigation strategies to strengthen security and decrease risk.
The financial services industry forms the backbone of today’s globalized monetary and economic environment and is therefore highly regulated. The prospect of direct access to money, with a capitalisation expected to have exceeded $143 trillion worldwide in 2014, has made the financial services industry a prime target for cybercrime such as financial fraud, identity theft, unauthorised access, loss of data and denial of service attacks.
Hackers and organised criminal groups, some with potential government funding, constantly develop and improve techniques to circumvent information security controls and safeguards in order to commit fraud, financial theft and other cybercrimes, and have the advanced capabilities needed to execute persistent and targeted attacks.
Today’s organizations enable multi-country operations through centralized shared services and regional hubs and are dependent on partner ecosystems to provide cost effective, efficient and customer-focused business services. As a consequence, modern banking systems have evolved across legislative borders with increased interconnection and complexity. This evolution has led to complex regulatory requirements, greater exposure to internal and external cybersecurity threats, and intensified concerns around data security and privacy across virtual borders.
This paper highlights the cybersecurity challenges faced by the financial services industry due to the changing nature of threats and business, and provides a view on mitigation strategies in order to strengthen the security posture.
Challenge 1 — Regulatory Compliance Across Geographies
The financial services industry is highly regulated with a variety of sometimes contradicting regulatory requirements at country and state levels. Consequently, organizations are confronted with multiple views of their compliance obligations, with large overlaps and inconsistencies between mandates. As a result, excessive controls and silo-based solutions drive up cost and complexity. Significant security breaches at Target, KB Kookmin Card, the Montana Department of Public Health and JPMorgan Chase, among others, illustrate that being compliant does not guarantee that all risks are adequately managed and mitigated.
Our point of view is that information security should be risk based, with compliance being a significant driver but not the sole focus. It is essential to identify and monitor compliance; however, it is equally important to prepare the organisation to respond to previously unknown threats in a timely manner. This is achieved by building sufficient flexibility into the organization’s risk-and-control framework to ensure continuous monitoring and identification of new and emerging threats via a comprehensive information security risk management framework.
Furthermore, financial services organisations should develop an overarching global compliance framework by identifying all the applicable requirements followed by an elimination of overlapping obligations. Subsequently, requirements should be mapped to the operating environment and country-specific regulations.
To further reduce the cost of compliance, testing and reporting on the effectiveness of controls should be centralised where feasible to ensure consistency. This further enables the organization to provide a compliance status for multiple regulatory bodies by facilitating the mapping of controls to country-specific regulations.
Challenge 2 — Data Security, Privacy Protection and Cross Border Data Transfer
Many organizations do not identify and clearly classify data based on sensitivity and criticality, and therefore lack an understanding of which information matters most. Financial services institutions traditionally focus on deploying multiple point solutions (e.g. data leak prevention, access logging, rights management and encryption tools) to manage intentional or unintentional data loss; however, they lack an organization-wide integrated approach that protects data based on risk-based decisions.
Yet another challenge is the difficulty of aligning the organization’s operating model and supporting environment with regulatory requirements, for example managing privacy protection in the context of cross-border data transfer that results from shared services and centralised processing facilities.
Concerns over the privacy of sensitive information have resulted in countries across the globe adopting specific national and regional jurisdictional mandates, with an increasing number of countries introducing mandatory disclosure of data breaches.
Our point of view is that financial services institutions should have a holistic view on data security requirements managed by a comprehensive data governance framework that includes roles and responsibilities, geographic compliance requirements, inventory and reporting on assets, data classification and handling, and technical solutions, such as data leak prevention.
One key element of a solid data governance framework is the identification of data flow inside and outside the organisation and mapping those to the organizational control environment. Furthermore, a risk assessment should be conducted to identify control gaps and an implementation roadmap developed to mitigate risks outside the organization’s risk appetite.
The above initiatives should be complemented by a global security incident response plan with local notification and reporting. Mandatory disclosure of a data breach requires a comprehensive analysis of incidents to determine whether a breach has occurred. Organizations therefore require either sophisticated internal or readily available external forensics capabilities provided by a trusted partner.
Challenge 3 — Managing Information Security Requirements Beyond the Enterprise's Boundaries
Partnerships, outsourcing and offshoring have become the reality and accepted business practice in the financial services industry to enable cost effective, efficient and customer-focused business services.
Traditional models used to outsource non-essential internal functions, such as the maintenance of IT equipment, whereas recent models reach significantly further into the supply chain. Most financial services institutions have started to actively consume cloud services and engage a variety of business partners to provide material business functions, such as claims management and insurance brokerage.
These trends introduce complex data-sharing requirements and new information security challenges that need to be proactively managed to ensure that the services meet business objectives and information is protected throughout its lifecycle, from its collection to its destruction.
Our point of view is that financial services institutions should implement a comprehensive vendor risk management framework to ensure that vendor risks are adequately managed, taking into consideration the sensitivity of information, criticality of the business activity and possibility of outsourcing and offshoring.
The importance of adequate vendor risk management is also represented in a variety of regulatory requirements, such as the Australian Prudential Standard CPS 231 for Outsourcing.
A comprehensive vendor risk management framework includes, but is not limited to, roles and responsibilities that are clearly defined and understood throughout the organization, as well as periodic vendor risk and due diligence assessments to ensure due care and reduce risk and legal liability. It further ensures that minimum information security requirements, service level agreements and standard terms and conditions are defined and contractually agreed on in legally binding contracts with the right to monitor and audit.
Challenge 4 — Business Continuity and Disaster Recovery
The shift from traditional brick-and-mortar business models to fully digitalized, customer-focused distribution channels has resulted in customers and prospects expecting an exceptional experience on a 24x7 basis. Furthermore, service level agreements may impose financial penalties in the event the financial institution breaches its contractual agreement with its customers. To support the business in its objectives, close to zero tolerance for downtime and data loss has to be achieved by highly interconnected, centralised shared services and banking systems.
Our point of view is that financial services institutions should acknowledge that business continuity and disaster recovery are key business requirements and therefore need to be managed throughout the organization. This should be accomplished by establishing an understanding of what impact service outages have on business objectives and subsequently translating those impacts into adequate recovery time and recovery point objectives for internal and third-party provided services. In addition, business units need to prepare contingency plans including alternative work practices and processes to support the business during a disaster.
It is essential to periodically test DR and BC plans to ensure that the parties involved are aware of their responsibilities and to identify opportunities to improve and enhance the plans. Furthermore, a vendor risk management framework should ensure that vendors can provide the agreed service and are equally prepared to handle a disaster. It is also advised that alternative suppliers for critical services be identified in case of a complete failure of the primary service provider.
Lastly, the globalisation of travel and the world economy requires modern organizations to proactively monitor events around the world and prepare a Pandemic Plan as a worst case scenario. As communication with clients and business partners is a critical element of every DR and BC planning, organizations should consider using social media as a highly available communication channel.
Challenge 5 — Managing Cyber Risk From Emerging and Advanced Threats
Cybersecurity is a dynamic problem of velocity, volume and value: the threat agent is unknown, covert and equipped with skills and resources (funds and channels), and looks for the weakest link to exploit. On top of this, cybercrime is widespread and aggressive and poses a major threat to economic and national security; however, many financial services institutions do not share information about threats or cooperate externally.
Our point of view is that financial services institutions should consider a risk-based approach to cybersecurity with actionable threat intelligence by collaborating internally and externally. The risk-based approach consists of two parts. Firstly, organizations need to identify risk at a point in time and then undertake periodic reviews to identify changes in the threat landscape, threat actors, the likelihood of threats and any associated impact.
Secondly, organizations should undertake continuous risk assessment by introducing a monitoring process for unknown threats. Increasing the sources of information through threat-indicator and behaviour monitoring, combined with notification and analytical capabilities, will enhance an organization’s defense.
While the first part is traditional, known and done periodically, the second part is more complex. Continuous risk monitoring requires financial institutions to leverage internal and external threat intelligence, add proactive components of honeypots and malware analysis, and collaborate with other financial institutions for sharing threat intelligence to construct a risk-based holistic approach to cybersecurity.
A risk-based approach enables the identification of value and risk in relation to the significance of the data and the weakest link, i.e. the point of vulnerability. It helps prioritize efforts and focus on patching the weakest link, gives visibility into the threat environment and enables better and more informed information protection.
Christian Haider is a CSC Cybersecurity senior security consultant and Chandra Prakash Suryawanshi is a CSC Cybersecurity Consulting associate partner, business strategy.