Financial Services
All about assessing financial services firms to manage their cyber security. Helping to identify and mitigate relevant risks efficiently and improving the capability to respond and recover from incidents
Cyber risks pose a constant threat to financial services. Financial services businesses constantly invest in defences to protect the vast amounts of data they hold from reputational, regulatory and/or legal implications.
Private equity firms, hedge funds and wealth management firms require constant checks on their controls to ensure a minimal attack surface. Financial sector businesses store and process sensitive information such as banking accounts, personal details, futures and investment details, clients' data, proprietary products, tools, algorithms and trading information. All this information is at risk at all times from both external and internal threat actors.
Cybersecurity threats occur on a daily basis. Effective cyber security reduces the risk of cyber attacks and protects against the unauthorised exploitation of systems, networks and technologies.
Technological advances have made banking faster and more innovative by improving products for consumers. Similar to financial risk management, technical risk management plays a key role in avoiding major disasters. If systems are not kept secure, or monitored and acted upon, a cyber security attack can bring business operations to a complete stop in no time. There is a wealth of information online detailing how data breaches are hitting reputations, along with fines from authorities such as the ICO. Most businesses in this sector highlight cyber weaknesses in the following three areas: people, third party management and protecting their assets.
The following are major findings from a multi-firm review of wholesale banks and asset management conducted by the FCA around the end of last year. Most of the firms reviewed relied on risk and controls assessment (RCA) without getting involved in in-depth technical exercises to assess the accuracy, scale and nature of risks. The main findings raised valid questions around the following challenges:
How well is the Board and Senior Management's decision making impacted by their understanding of the cyber risk profile?
Are firms taking a proactive approach towards cyber security to ensure it's an organisation-wide priority?
How effective is the second line (CISO, CXOs) in identifying and managing cyber risks?
Have firms drawn connections between cyber and conduct risk?
A supply chain is a chain of dependencies in goods or services. Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system threat. A supply chain can be compromised in various ways, for example, through the exploitation of third-party data stores or software providers.
The loss of client information can have a devastating impact on a sector that has confidentiality at the heart of its business. Firms storing sensitive information, third party data and transactional records are likely to be at a higher risk of data breach than a local high street firm. Therefore, there is no doubt that secure information storage and processing practices help minimise the attack surface.
Insider threats are counted amongst the most significant cyber risks in the financial services sector. Businesses tackling this issue regularly validate their controls around logical access controls, spear-phishing, threat intelligence and regular penetration testing. In addition to technical controls, staff awareness and understanding through training help build a security-conscious culture.
Gone are the days when senior management could sign contracts to buy new products after a quick sales demo. Nowadays buyers need to be aware of the connections between the cyber profile of their organisation and the product offerings. What matters is how these products stack up in your environment, and more products mean added data complexities, leading to potential risks. Even in mature security teams, technical evaluation of new security products to be purchased is missing from the decision-making process. We perform technical product evaluations to help you make more informed decisions on which products are better suited to your environment.
Many times, businesses perform their risk and control self-assessment (RCSA) to identify information security risks. FCA reviews have outlined how a lack of cyber expertise among risk and compliance professionals is a challenge. An accurate risk assessment of an asset starts with a technical risk assessment that provides the ground reality, with supplemental data as proof.
This section refers to specific project-based experiences in this sector. These were conducted at retail and investment banks, private equity firms, wealth management institutions, M&A due diligence and Tier 2 businesses.
Financial services are among the most attractive targets for cyber attackers, security researchers reveal, with phishing and credential stuffing among the top threats. A broad range of cyber threats are facing the global finance industry, which represents a one-stop shop for attackers.
Britain’s financial industry suffered a 1,000% increase in cyber-related events in 2018, including more targeted hack attacks, a cyber security specialist has revealed. Nearly half of firms do not upgrade or retire old IT systems in time.