
7 Top Cyber Risk Strategies for Banking and Financial Services


INTRODUCTION

“It’s not a matter of if, but when.” One often hears this quote in the context of cyber risk—and while it could be seen as negative, more importantly, it speaks to the importance of agility and preparation. 

The banking and financial services industry, with troves of sensitive information and assets worth billions of dollars, has long been a primary target of cyber criminals. In a recent survey, Contrast Security found that 60% of global financial institutions (FIs) with assets worth $5 billion and above experienced multiple cyberattacks in 2022. 

Accelerated digitization efforts, cloud adoption, hybrid working environment, growing interconnectedness of people, processes, organizations, risks, and other factors are increasing the cyber risk exposure of banks, insurers, and investment companies exponentially. Cyber criminals are also becoming highly organized and sophisticated with advanced, AI-based technologies to help them launch cyber attacks effortlessly. 

Given the daunting cyber risk landscape, effectively managing and mitigating IT and cyber risks has become the biggest challenge for banks and financial services companies. There is a heightened sense of urgency across organizations to reimagine their cyber risk and resilience programs to enable them to get and stay ahead of cyber risks, improve agility to tackle future cyber threats, and scale the program as they scale their operations.

This eBook includes best practices and recommendations for the banking and financial services industry to upgrade their cyber risk strategy to make it more future-ready and resilient. It also explores some of the ongoing regulatory developments worldwide aimed at providing direction and guidance to organizations. 

By the end of this eBook, you will have a good understanding of the current cyber risk and regulatory trends in the financial sector and the critical role played by technology-based software solutions in supporting effective cyber risk strategy.

Did you know?

  • Ransomware attacks on the financial vertical tripled between August 2021 and July 2022. (Barracuda)
  • The financial sector experienced the second highest volume of data breaches in 2022. (Flashpoint)
  • As of December 9, 2022, finance and insurance entities worldwide experienced 566 data breaches, amounting to more than 254 million leaked records. (Flashpoint)
  • For the finance/banking sector, the average weekly cyber attacks per organization stood at 1,131 in 2022, marking a 52% increase compared to 2021. (Check Point Research)

What are Regulators Doing to Address Cyber Risks?

Banking and financial services institutions are under constant pressure to comply with several regulations and standards, such as PCI DSS, Gramm-Leach-Bliley Act, SOC2, BSA, etc. 

With the explosion in cyber crime incidents in recent years, financial regulators around the world have become laser-focused on issuing targeted regulations and offering practical guidance to help organizations navigate the digital space. 

The US saw some significant regulatory activity in early 2023. The White House released the National Cybersecurity Strategy, closely followed by the Securities and Exchange Commission (SEC) proposing new cybersecurity rules for securities market participants. In its announcement, the SEC noted, “The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing systemic harm to the U.S. securities markets.” 

In Europe, regulators are focusing on strengthening the “digital operational resilience” of the financial services sector. In 2022, the European Council adopted the Digital Operational Resilience Act (DORA) to bolster the IT security of financial entities such as banks, insurance companies, and investment firms. 

“DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats,” the announcement reads.

Likewise, in the UK, the “Operational resilience: Impact tolerances for important business services” policy came into effect in March 2022. The supervisory authorities, the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA), are now focusing on the critical third parties to the UK financial sector. In discussion paper (DP) 3/22, the regulators have laid out potential measures to strengthen the resilience of the services that critical third parties (CTPs) provide to the UK financial sector. 

This is just the beginning. These ongoing efforts by financial authorities are the groundwork for future regulatory updates and roadmaps. As the cyber threat landscape intensifies, the volume and complexity of IT and cyber regulations, frameworks, and standards will only increase, making IT and cyber compliance a highly demanding business function. To keep up, organizations have already started to gradually pivot towards automated compliance – adopting autonomous, automated solutions that eliminate the need for human intervention.

7 Essentials for Future-Proofing Cyber Risk Strategy

Preparedness is key. CISOs and cyber risk leaders at financial sector organizations are under immense pressure to act now and transform the cyber risk function to prepare for the existing, emerging, and evolving cyber risks. Rudimentary and outdated cyber risk management programs are untenable to keep up with the ever-evolving cyber threat landscape. 

Below are the critical considerations for banking and financial services organizations to amp up their cyber risk strategy and strengthen cyber resilience. It goes without saying that technology is at the heart of these best practices.

  • Implement an Integrated Strategy: Implementing an integrated cyber risk program is a business imperative today as it helps to gain contextual risk information. By providing comprehensive visibility into IT and cyber risks, threats, vulnerabilities, controls, assets, etc., across business units and departments, an integrated approach enables banks and financial services companies to identify risks, issues, and gaps early on and take the necessary steps to proactively mitigate the risks. 
  • Deploy a Continuous, Always-On Approach: Given the multitude of cyber risks and the rate at which they are evolving, a minor lapse in effective identification and mitigation can have devastating consequences. The proliferation of advanced technologies, such as artificial intelligence, machine learning, robotic process automation (RPA), and others, holds the promise of enabling an automated and continuous approach to cyber risk management. Whether it is monitoring the cyber risks, threats, and vulnerabilities, assessing the effectiveness of controls, or capturing updates in IT regulations, frameworks, and standards, technology-based software solutions can significantly enhance the capabilities of security teams, enabling them to drive a more agile, accurate, and autonomous cyber risk management program. 
  • Quantify Risks: For an effective cyber risk strategy, it is critical to ensure that everyone has a consistent understanding of the cyber risk exposure and appetite. The onus falls on the cyber risk leader (CISO/CIO/CSO) to convey to the board, leadership, and executive committees the cyber risk posture, the critical risks that need immediate attention, and the strategy for cybersecurity investments.  
      
    Cyber risk quantification, i.e., expressing cyber risk exposure in monetary terms, can help cyber risk leaders explain these cyber-related concerns in a manner easily understood by all. Quantifying the risk exposure in dollar/financial values helps to easily compare it against the risk appetite, calculate and understand the return on cybersecurity investments, and make risk-aware business decisions. 
  • Harmonize and De-Duplicate Controls and Regulations: Unsurprisingly, banking and financial services organizations are among the most heavily regulated entities. They need to ensure and demonstrate compliance with a plethora of local, state, and federal regulations, laws, frameworks, standards, and more.  
      
    The challenges are compounded by the heightened regulatory focus and frequent updates. In its Cost of Compliance 2022 report, Thomson Reuters observed that financial services firms across 190 countries saw an average of 246 regulatory alerts every business day in 2021, or 64,152 alerts annually – marking the second-highest annual volume of regulatory alerts since 2008. 
       
    The regulatory requirements pertaining to these various mandates often overlap, resulting in duplication of controls. As a best practice, organizations need to harmonize and de-duplicate these controls to improve efficiency by “testing once and complying with many.”  
      
    Technology-based software solutions simplify the process by enabling organizations to easily map controls to assets, risks, processes, policies, and regulations, which helps to gain comprehensive visibility and eliminate redundancies and duplication.
  • Create an Incident Response Playbook: Simulating different scenarios and creating a playbook is critical for improving organizational readiness. Knowing how to respond and what corrective action to take goes a long way to strengthen preparedness, provide assurance, and reduce the severity of impact. It’s important to understand what role each employee has in incident response, the sequence and timing of decisions, and the accountabilities: When do you shut down your operations? When do you have to notify the regulator? When do you bring in outside counsel or an external firm? Who will commence internal investigations, and when?
     
    One should not wait for these decisions to be made right in the middle of a firefight.
  • Identify Risks Across the Extended Ecosystem: Today, organizations do not exist in isolation. They exist and operate as an ecosystem of third-party vendors, technology providers, partners, and the like. Among financial sector organizations, we see a growing reliance on a vast network of vendors for core banking software, cloud, payment processing, and other services. Any cyber-related incident or issue, such as cyber-attacks, IT downtime, cloud outages, etc., at the vendor’s end can disrupt an organization’s business operations.  
      
    Also, if vendor processes are non-compliant with applicable global or regional regulations, the organization may face the risk of non-compliance charges. So, it is essential to factor in third-party risks for a complete picture of the overall cyber risk and compliance posture. 
  • Build a Cyber Risk-Aware Culture: An organization is only as strong as its weakest link. Ensuring a strong cybersecurity posture is not the responsibility of a single person or team but of every employee across the organizational hierarchy.  
      
    While setting up controls is necessary to comply with regulations and ensure that there are no loose ends, it is the responsibility of the decision-makers to also set the tone from the top by encouraging cyber risk awareness, conducting employee training to educate them about the latest cyber risk trends, and establishing open communication channels for employees to report any issue or concern. 
       
    A cyber risk-aware culture – when employees know their roles, responsibilities, and accountabilities in combatting the risks and are comfortable reporting or communicating them – helps to reinforce a proactive approach to cyber risk management.
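To make the “Quantify Risks” point concrete, the following is an added worked example (it is not from the eBook and not MetricStream’s product code). It expresses the exposure of a small constructed risk register in dollars using a compound Poisson–lognormal model, compares the simulated annual loss against a stated risk appetite, and computes the return on a proposed security investment. Every number in it (scenario frequencies, loss medians, the $3M appetite, the $400k control cost and the assumed frequency reduction) is an illustrative assumption, not data from the page.

```python
"""Cyber risk quantification in monetary terms: annualized loss expectancy,
probability of exceeding the risk appetite, and return on security investment.
Added example with constructed inputs; not from the eBook or from MetricStream."""
import math
import random
from dataclasses import dataclass
from statistics import mean
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # expected event frequency (Poisson mean)
    loss_median: float       # median loss per event in USD (lognormal)
    loss_sigma: float        # lognormal shape: spread of the per-event loss


# Constructed baseline register for a hypothetical mid-sized bank (assumptions).
BASELINE: List[Scenario] = [
    Scenario("Ransomware on core banking platform", 0.3, 2_000_000, 0.8),
    Scenario("Payment fraud via compromised credentials", 2.0, 150_000, 0.6),
    Scenario("Third-party cloud outage", 0.5, 500_000, 0.7),
]

# Proposed investment (assumption): phishing-resistant MFA plus EDR at $400k/yr,
# judged to cut the ransomware frequency from 0.3 to 0.1 events per year.
CONTROL_COST = 400_000
WITH_CONTROL: List[Scenario] = [
    Scenario("Ransomware on core banking platform", 0.1, 2_000_000, 0.8)
] + BASELINE[1:]

RISK_APPETITE = 3_000_000   # assumed board-approved tolerable annual loss, USD


def expected_annual_loss(scenarios: List[Scenario]) -> float:
    """Analytic ALE: sum of frequency x mean single-event loss,
    where the lognormal mean is median * exp(sigma^2 / 2)."""
    return sum(s.events_per_year * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
               for s in scenarios)


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's multiplication method (adequate for small lambda)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios: List[Scenario], years: int = 10_000, seed: int = 7) -> List[float]:
    """Monte Carlo: total loss in each simulated year (compound Poisson-lognormal)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        totals.append(total)
    return totals


def exceedance_probability(losses: List[float], threshold: float) -> float:
    """Share of simulated years whose total loss exceeds the threshold (the appetite)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses: List[float], q: float) -> float:
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (risk reduction - control cost) / control cost."""
    return (ale_before - ale_after - control_cost) / control_cost


def summarize(scenarios: List[Scenario], appetite: float = RISK_APPETITE, seed: int = 7) -> dict:
    losses = simulate_annual_losses(scenarios, seed=seed)
    return {
        "ale_analytic": expected_annual_loss(scenarios),
        "ale_simulated": mean(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "p_exceed_appetite": exceedance_probability(losses, appetite),
    }


if __name__ == "__main__":
    before, after = summarize(BASELINE), summarize(WITH_CONTROL)
    for label, s in (("baseline", before), ("with control", after)):
        print(f"{label:13s} ALE ${s['ale_analytic']:,.0f}  P95 ${s['p95_annual_loss']:,.0f}  "
              f"P(loss > appetite) {s['p_exceed_appetite']:.1%}")
    print(f"ROSI of the control: "
          f"{rosi(before['ale_analytic'], after['ale_analytic'], CONTROL_COST):.1%}")
```

The analytic ALE is what most boards ask for; the simulation adds the tail view (the 95th-percentile year and the probability of breaching the appetite) that a single expected-loss figure hides, and the ROSI figure ties a control decision back to that same dollar scale.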

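The “Harmonize and De-Duplicate Controls and Regulations” point can also be shown in code. The example below is added here and is not from the eBook or from MetricStream’s product: it holds a many-to-many mapping from controls to regulatory requirements, flags controls that are fully subsumed by another control, and selects a minimal set of controls that still covers every requirement, so that a single test of each chosen control produces evidence for several frameworks. The control names and requirement identifiers (PCI, GLBA, SOC2, BSA prefixes with made-up clause numbers) are constructed placeholders, not actual clause references.

```python
"""Control harmonization: de-duplicate controls across overlapping regulatory
requirements so each control is tested once and reused for many mandates.
Added example; all identifiers below are constructed, not real clause numbers."""
from typing import Dict, List, Set

# Constructed many-to-many mapping: control id -> requirements it satisfies.
CONTROL_MAP: Dict[str, Set[str]] = {
    "CTL-01": {"PCI-8.4", "GLBA-ACC-1", "SOC2-CC6.1"},   # MFA for privileged access
    "CTL-02": {"PCI-7.2", "SOC2-CC6.3", "GLBA-ACC-2"},   # quarterly privileged access review
    "CTL-03": {"PCI-7.2", "SOC2-CC6.3"},                 # annual user access review (subsumed by CTL-02)
    "CTL-04": {"PCI-3.5", "GLBA-ENC-1"},                 # encrypt cardholder data at rest (subsumed by CTL-05)
    "CTL-05": {"PCI-3.5", "GLBA-ENC-1", "SOC2-CC6.7"},   # enterprise-wide encryption at rest
    "CTL-06": {"PCI-10.2", "SOC2-CC7.2", "BSA-REC-1"},   # centralized audit logging
    "CTL-07": {"PCI-10.5", "BSA-REC-1"},                 # 12-month log retention
}


def all_requirements(control_map: Dict[str, Set[str]]) -> Set[str]:
    return set().union(*control_map.values())


def redundant_controls(control_map: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each control whose requirement set is contained in another control's
    set to that superset control. Identical sets keep the lexically first id."""
    redundant: Dict[str, str] = {}
    names = sorted(control_map)
    for a in names:
        for b in names:
            if a == b:
                continue
            ra, rb = control_map[a], control_map[b]
            if ra < rb or (ra == rb and b < a):
                redundant[a] = b
                break
    return redundant


def harmonize(control_map: Dict[str, Set[str]]) -> List[str]:
    """Greedy set cover: repeatedly pick the control that covers the most
    still-uncovered requirements until every requirement is covered."""
    uncovered = all_requirements(control_map)
    chosen: List[str] = []
    while uncovered:
        best = max(sorted(control_map), key=lambda c: len(control_map[c] & uncovered))
        chosen.append(best)
        uncovered -= control_map[best]
    return chosen


def coverage_matrix(chosen: List[str], control_map: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """requirement -> chosen controls whose single test evidences it."""
    matrix: Dict[str, List[str]] = {}
    for c in chosen:
        for r in sorted(control_map[c]):
            matrix.setdefault(r, []).append(c)
    return matrix


if __name__ == "__main__":
    for dup, keeper in redundant_controls(CONTROL_MAP).items():
        print(f"{dup} is redundant: every requirement it meets is met by {keeper}")
    chosen = harmonize(CONTROL_MAP)
    print(f"{len(chosen)} of {len(CONTROL_MAP)} controls cover "
          f"{len(all_requirements(CONTROL_MAP))} requirements: {chosen}")
    for req, ctls in sorted(coverage_matrix(chosen, CONTROL_MAP).items()):
        print(f"  {req:12s} <- {', '.join(ctls)}")
```

Greedy set cover is not guaranteed optimal in general, but on a control library it is close enough to show which tests can be retired; the redundancy check is the stricter signal, since a subsumed control adds testing effort without adding evidence.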
Power Your Cyber Risk Program with MetricStream

MetricStream CyberGRC enables banking and financial services organizations to actively manage cyber risk and compliance requirements through a comprehensive IT and cyber risk and compliance framework aligned with recognized security standards and industry best practices. It offers a suite of purpose-built software products that provide 360-degree visibility into the cyber governance, risk, and compliance posture and helps you make better-informed decisions. 

MetricStream CyberGRC supports security and compliance teams with unique capabilities, including:

  • A Single Source of Truth with a centralized risk repository that helps link assets, risks, controls, regulations, processes, functions, and more on a many-to-many basis. 
  • Control Harmonization across multiple regulatory requirements that eliminate duplication of controls and strengthen compliance. 
  • Continuous Control Monitoring that enables autonomous and automated testing and monitoring of cloud security controls. 
  • Advanced Cyber Risk Quantification that helps express cyber risk exposure in monetary terms. 
  • AI/ML-Based Intelligent Issue Management for quick and efficient identification and remediation of issues.

To learn more about MetricStream CyberGRC, click here.
