How financial services firms are strengthening cyber resilience in a new regulatory environment
As digital transformation and AI adoption continue to deliver important new benefits for financial services organizations, a corresponding and increasingly urgent concern has emerged: the risk of highly disruptive and costly cyberattacks.
The severity of cyberattacks has grown exponentially in the past decade, with nation-states and criminal organizations frequently targeting the financial services sector, sometimes to devastating effect. These threats have prompted government and industry leaders to undertake deep evaluations of cyber security practices, which in turn have generated a set of upcoming regulations that firms must now prepare for. Designed to enhance resiliency through greater transparency and cooperation across the value chain, these important regulations have significant implications for how firms manage technology and engage with regulators.
Helping financial services businesses become more secure in a world of escalating threats is an area of special focus for Microsoft Cloud for Financial Services. We’re working closely with customers, governments, and stakeholders across the industry to strengthen cybersecurity technologies and practices to protect against future attacks. This is a critical responsibility, and very much in line with our commitment to making security the top priority at Microsoft, above all else.
The impact of cyberattacks on financial services resilience
The resilience of financial services has been strained by the evolving cyber threat landscape in recent years, as attackers have employed ever more sophisticated tools and techniques to penetrate business networks and operations.
For example, when nation-state cyber attackers compromised the widely used SolarWinds Orion IT monitoring and management platform in 2019, they were able to operate undetected for months. By the time the breach was discovered, the damage was far-reaching, with billions of dollars in economic losses and an untold espionage impact.[1] This and other incidents have prompted industry leaders and regulators to undertake a comprehensive re-evaluation of cybersecurity practices in order to identify and address key areas of improvement. One of these concerns the risk posed by third-party suppliers, in the form of what is called a “supply chain attack.” This is what happened with SolarWinds, where a trusted technology provider was exploited to send malicious code downstream to unsuspecting customers, underscoring how a successful attack on just one link of the chain can have global repercussions.
The financial services sector, which increasingly relies on cloud computing to innovate, has sharpened its focus on mitigating these and other third-party risks with new regulatory frameworks.
New regulations and frameworks for greater cyber resilience
Aiming to improve cyber security and strengthen resilience overall, regulators around the world are developing guidelines that impact many financial services companies. Below are some of the most prominent ones:
- DORA (Digital Operational Resilience Act): A European Union regulation that establishes a framework designed to strengthen and harmonize risk management for financial institutions operating in the European Union. DORA goes into full force on January 17, 2025.
- United Kingdom consultation paper 26/23: A consultation paper from the Bank of England that outlines proposed requirements for strengthening third-party risk management in the United Kingdom financial sector.
- United States Department of the Treasury report: An assessment of cloud adoption in financial services, highlighting the importance of strengthening cybersecurity and ensuring proper provider due diligence and monitoring.
- Financial Stability Board (FSB) toolkit: A recently published toolkit from the FSB that provides tools to manage risks associated with outsourcing and third-party service relationships to both firms and regulators around the world.
New practices to promote more effective cybersecurity
The changes mandated by new regulations have broad implications for financial services businesses and the technology providers who support them. Among other things, they incur new obligations around risk governance and management, incident notification, regular operational resilience testing, and pre-contractual screening for third-party service providers.
These requirements take companies out of the on-premises mindset by which they have traditionally managed cybersecurity. Now they need to expand the horizon of the threat landscape beyond the network perimeter and consider that an attack can originate from vectors far beyond their traditional security purview. They must also assume zero trust for any entity inside or outside the perimeter, validating each user and device at every turn and providing the least amount of access required to fulfill a task.
New cybersecurity practices are also required. For example, DORA mandates Threat-led Penetration Testing (TLPT), which involves deploying a team of ethical hackers to simulate sophisticated real-world attacks on critical systems using the tactics, techniques, and procedures of known threat actors. The findings and insights are then shared with regulatory bodies and stakeholders.
During penetration testing, a distinction is made between testing in the cloud (for example, testing the security of resources deployed by an organization on its own tenant) and testing of the cloud (such as testing the underlying shared cloud fabric and services operated by the provider). Our Microsoft Cloud Penetration Testing Rules of Engagement already allow customers to extensively test their security in the cloud. Testing security of the cloud is continuously done by Microsoft internal teams, as part of our third-party Pen Test and Security Assessments, and by security researchers through the Microsoft Bug Bounty Programs.
How Microsoft further helps to enable end-to-end cyber resilience
An important element of a highly effective cybersecurity strategy is to minimize the number of independent security vendors that are used by financial services firms. Having too many security suppliers makes it harder to maintain oversight and limits the ability to correlate suspicious events. By reducing the number of vendors, firms can foster key benefits such as consolidated signal processing and faster incident reporting, which, under DORA, must happen in four hours or less for critical incidents.
Fortunately, the maturation of cybersecurity technology has enabled Microsoft to build a comprehensive suite of solutions that collectively enable seamless, end-to-end enterprise cyber defense—at a level that is arguably greater than the sum of its individually excellent parts. The cornerstones for financial services include:
- Microsoft Sentinel: A cloud-native security information and event management (SIEM) system that enables real-time analysis, detection, and response to security threats—facilitating compliance with incident reporting requirements.
- Microsoft Defender: An extended detection and response (XDR) security platform that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications.
- Microsoft Defender Threat Intelligence: A platform that streamlines threat hunting, incident response, and threat intelligence analyst workflows—making it easier for security teams to neutralize cyberthreats such as ransomware.
- Microsoft Purview Insider Risk Management: A compliance solution to help detect, investigate, and act on malicious and inadvertent activities.
These and related cybersecurity solutions are enhanced by Microsoft’s ongoing investments in ensuring that Microsoft Azure delivers a highly secure cloud foundation, with multilayered security controls and unique threat intelligence.
Employing generative AI to advance cybersecurity in financial services
As much as generative AI has delivered value to financial services and other industry sectors, it has also been a boon to cyber attackers. From small-scale criminal actors to nation-state organizations, AI is increasingly being employed in cyberattacks against financial services businesses.
Among many other things, generative AI is being used to build and continuously modify malware tailored to specific vulnerabilities in financial services, create new phishing and social engineering attacks featuring fake identities and multimedia messages, and power automated attack execution.
Fortunately, generative AI is an equally powerful tool for cyber defense. The first and most immediately effective step that firms can make is to evaluate Microsoft Copilot for Security—the first generative AI security product designed to defend businesses at machine speed and scale. It combines the most advanced GPT models from OpenAI with a Microsoft-developed security model, powered by Microsoft’s global threat intelligence and expertise.
Designed to work seamlessly with a firm’s financial systems and the Microsoft enterprise cybersecurity suite, Copilot for Security offers numerous benefits to streamline and accelerate security operations. For example, it can help manage anomalies and threats, respond rapidly to minimize the impacts of attacks, automate time-intensive routine tasks such as creating security alerts, and much more.
Importantly, Copilot for Security also helps solve the talent challenge by empowering analysts to become more effective threat hunters and responders without specialized technical training.
Learn more
Cybersecurity will only become more essential in enabling financial services innovation and success through technology. Microsoft and our global partners are ready to help every company identify and implement a modern protection strategy that will address their unique needs, today and in the years ahead.
Here are some useful resources to help you in your cybersecurity journey:
- To learn more about how Microsoft empowers financial services companies to achieve more, visit our website.
- For a set of actionable steps to improve operational resilience in financial services with the Microsoft Cloud, see our earlier blog post, “6 steps to improve operational resilience in financial services with the Microsoft Cloud.”
- To stay updated on Microsoft’s security progress, see the Microsoft Security Blog.
- To learn more about Microsoft’s commitment to the advancement of ethical AI, see the Microsoft responsible AI standard.
- Discover more information on how Microsoft addresses threat and vulnerability management.
- To review Microsoft’s annual penetration testing reports, visit our Service Trust Portal.
[1] United States Senate RPC, The SolarWinds Cyberattack, January 29, 2021.