The financial services industry faces unique cybersecurity challenges. Since institutions in this sector hold a wealth of sensitive personal and financial information, they are frequent targets of cybercriminals. While regulations aim to reduce the risk by establishing standards, compliance can prove an additional hurdle.
Operating in the financial services industry is inherently fraught with cybersecurity peril. However, understanding these risks and how to tackle them head-on can provide essential protection and safeguard sensitive data.
Cyber Risks in Financial Services
Regulatory Noncompliance
Regulations strive to reduce the risk of breaches through standardized requirements. Unfortunately, compliance alone will not make your financial business secure. Generally, establishing a robust cybersecurity program will help you achieve compliance, while additionally protecting your business. Focusing exclusively on compliance can leave gaps for threat actors to exploit, however, financial services companies must be aware of relevant regulations to avoid costly penalties.
The following are particularly pertinent:
- Gramm-Leach-Bliley Act (GLBA): This requires institutions that offer financial services or products to safeguard sensitive information and explain their information-sharing practices.
- Financial Industry Regulatory Authority (FINRA): FINRA is a nonprofit authorized by the government to oversee broker-dealers based in the United States. It establishes and enforces rules pertaining to virtually every facet of the industry, such as advertising, conflicts of interest, continuing education, social media, and more. Its cybersecurity requirements include implementing a supervisory system and reporting relevant incidents promptly.
- New York State Department of Financial Services (NYSDFS) – 23 NYCRR 500: New York State requires financial services institutions to implement a robust cybersecurity program, including a risk assessment, a defensive infrastructure, comprehensive detection and mitigation, appropriate policies, regular penetration testing and vulnerability assessments, encryption of nonpublic information, and more.
Hacks
The financial sector is under constant attack, with nearly 70% of financial institutions around the world experiencing one. While comprehensive cybersecurity programs have thwarted countless attempts, the Carnegie Endowment for International Peace reports dozens of notable incidents in 2020 alone. These include malware, ransomware, phishing attacks, DDoS attacks, and full-scale data breaches.
Notable hacks from recent years include:
- 2017 Equifax Data Breach: The multinational credit reporting agency, experienced a breach spanning May through July 2017. Names, Social Security numbers, addresses, birth dates, and some driver’s license numbers were compromised. The hack used a third-party software exploit. While patched, Equifax hadn’t implemented the update. In total, sensitive information from more than 143 million Americans was exposed.
- 2019 Capital One Data Breach: In March 2019, a hacker reportedly gained access to 100 million customer accounts, 140,000 Social Security numbers, and 1 million Canadian Social Security numbers by exploiting a misconfigured firewall.
Insider Attacks
While attacks by external threat actors may get more attention, insider attacks are not uncommon. Verizon’s “Data Breach Investigations Report 2020” states 35% of attacks on the financial sector are perpetrated by internal threat actors. Cases have included employees selling personal identifying information, stealing from clients’ bank accounts, committing wire fraud, creating client accounts without their consent, and more.
Recent cases professionals should be aware of include:
- SunTrust Bank Breach: In 2018, a bank employee allegedly worked with an outside threat actor to steal contact lists and compromise 1.5 million client accounts. Fortunately, the information was limited to names, contact information, and certain account balances.
- Morgan Stanley Breach: Over a period of several years culminating in 2015, a former wealth management adviser allegedly stole confidential information pertaining to more than 700,000 accounts, and then stored names, addresses, account values, and other personal information on a server at his home.
Cybersafe Will Help
The team at Cybersafe Solutions has extensive experience working with businesses in the financial services industry. We’ll provide you with the essential services and solutions to safeguard your sensitive data and achieve compliance. From the risk assessments and continuous security monitoring necessary to achieve compliance and protect your systems to the employee training critical to reducing the likelihood of successful phishing attacks, Cybersafe’s expert team will bolster your defenses on multiple fronts. Contact us today to discuss how you can improve your company’s cybersecurity posture.
