When it comes to cybersecurity, financial institutions are uniquely challenged as they are often a target for hackers. My customers rightly worry about exposing their business and the broader financial system to a security breach. Some are reticent to adopt new technology that will help them stay competitive because of these fears. Yet I don’t believe that financial institutions need to choose between innovation and security. Existing financial processes can be applied to cybersecurity risk management, and cloud technology can help them stay ahead of banking innovation and improve their security. I have five recommendations, outlined below, designed to help financial institutions more effectively manage their risk from cybersecurity incidents.
A key finding in the eleventh edition of the Deloitte Insights Global Risk Management Survey, which reports on risk management trends in the financial services industry, found that “sixty-seven percent of respondents [at financial institutions] named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than any other risk.” I’m not surprised that cybersecurity risk has elevated in importance, but for an industry that also must contend with credit, liquidity, and regulatory risk, this finding is a notable trend. In addition, the survey found “the number of cyberattacks against financial institutions is estimated to be four times greater than against companies in other industries.”
The report provides a good overview of how financial institutions are thinking about risk. In response to a data point the survey uncovered, “Only about one-half of respondents felt their institutions were extremely or very effective in managing this [cybersecurity] risk,” I have the following five recommendations financial institutions can take to help them more effectively manage cybersecurity risk:
- Expand your view of cyber risk to include real-world implications.
- Calculate your economic capital.
- Look at fraud and cyber risk in aggregate.
- Go deeper and wider on the cloud.
- Keep learning.
#1: Expand your view of cyber risk
Stories of security breaches at large corporations, financial and otherwise, have raised the profile of cybersecurity risk across all sectors of life. Everyone from the board of directors on down have witnessed the reputational damage done to respected bands that suffer a large security breach. Beyond the headlines are real-world implications that may not be initially obvious but are still critical. Companies may lose existing customers or see a decline in new customer acquisition. Organizations are sometimes required to shut down systems while they recover from an incident, including physical properties like ATMs. And if intellectual property is stolen, new products may be delayed or scrapped entirely, impacting future earnings. Think broadly about how a cybersecurity event could impact your financial institution, so you better understand what’s at stake. Then prioritize security resources to protect the most valuable parts of the business.
#2: Calculate your economic capital
According to the survey, most financial institutions calculate economic capital for their financial risks, but only 16 percent calculate how much capital will be needed to support cybersecurity risk. As you identify the potential implications of an attack, it will become clear that some could be quite costly to the business, in real terms and in unrealized revenue. An accurate calculation of the economic capital required to recover will help you better prepare and keep your board of directors well informed. For more information on how to talk to your board of directors about security, watch Security is everyone’s business in our CISO Spotlight Series.
#3: Look at fraud and cyber risk in aggregate
The world of cyber and financial criminals increasingly overlaps. Fraudsters have borrowed tactics from the hacker world to gain access to accounts without stepping foot in a physical bank branch. Networks of bad actors, from both the cyber world and the financial fraud world, work together to share data and tools. Preventing these crimes requires collaboration on the defensive side. Anti-fraud and cybersecurity professionals each have valuable backgrounds and tools to investigate and respond to these threats. However, if they are working in silos, they may miss important connections. Institute policies and process, such as cross training and holistic incident tracking, that ensure anti-fraud and cybersecurity professionals are sharing insights and learning from each other. And if you have deep executive support and funding, consider building what some people refer to as a “fraud fusion center,” which brings together anti-fraud and cybersecurity teams to merge this divide.
#4: Go deeper and wider on the cloud
In my work with financial institutions, I often consult with teams that are conflicted about migrating more services to the cloud. My experience is reflected in the Deloitte survey, which found that only 48 percent of survey respondents reported using cloud computing. In many instances, an IT team may be ready to take advantage of cloud computing power, while the security team is concerned about exposing the organization to more risk. I recently spoke to a security team who was struggling to get an IT team on board. Cloud service providers (CSPs), like Microsoft Azure, can help organizations take advantage of emerging technologies, such as machine learning, without the massive investment required to build a team and infrastructure in-house.
The same is true of security. The cloud can help reduce your risk. Azure and other big cloud providers have very strict physical security in their datacenters, such as requiring extensive background checks of everyone who works there, and the use of biometrics for access. At Microsoft, we regularly patch and update our software and hardware, which reduces vulnerabilities. You can also take advantage of the benefits of scale. CSPs can hire the best security professionals, who stay up to date on global security regulations and monitor the current threat environment. CSPs have the systems and analytics to synthesize data across all their services and endpoints to rapidly uncover threats and block them before they impact other customers. Read the Azure Security blog series for more details on how Azure can improve your security.
#5: Keep learning
It’s important to develop a process for staying up to date on emerging technology trends, such as machine learning, quantum computing, and blockchain. Your adversaries are doing their research and will experiment with new technologies as they become available. Understand the latest thinking and try to get out ahead of it. Research can help inspire ideas and spark innovative thinking within your team.