The Trump administration recently published a revised National Cyber Strategy, which identifies banking and finance as one of seven key areas where the White House will strive to reduce cybersecurity risks. The administration’s work with the financial industry will build upon months of recommendations from private and public organizations on how to protect America’s most attractive sector for cyberattacks.
“The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas,” including banking and finance, the strategy states.
Earlier this year, the Council of Economic Advisers estimated that malicious cyberactivity cost the U.S. economy between $57 billion and $109 billion in 2016. The financial services industry proved a particularly attractive target for hackers that year. “It was attacked 65 percent more than the average organization across all industries, and according to IBM, 200 million financial services records were breached in 2016, a 900 percent increase from 2015,” reports Security magazine.
Public and private entities have instituted requirements for financial services firms to mitigate the damage from cyberattacks. The federal government also requires cyber disclosures from the banking industry. Banks and certain financial institutions must undergo reviews of “their safeguards for protecting the security, confidentiality, and integrity of consumer information, which include disclosure requirements in the event of a breach,” states the Council of Economic Advisers.
Meanwhile, a financial services consortium — composed of Bank of America, JPMorgan Chase, Wells Fargo and American Express — set up TruSight, a company that provides risk assessments of third-party suppliers and partners, including cybersecurity vendors.
Cyberattacks Pose Extra Dangers for Financial Institutions
Cyberdefenses for financial services firms have been top of mind for the industry since the Equifax breach in 2017. In that breach, “more than 147 million people in the U.S. had personal and financial data stolen ranging from Social Security and driver’s license numbers to credit card information and birth dates,” notes SecurityInfoWatch.com.
Experts warn that banks not only suffer direct financial losses due to successful cyberattacks, but also suffer indirect losses. In an interview with The Wall Street Journal at the end of last year, CrowdStrike CEO George Kurtz warned of the danger to banks of shutting down during a cyberattack.
“When you can’t trade, when you are under attack, there is a loss of confidence in that particular institution. Some of these institutions, if they’re out of business or they’re not operational, it’s a massive ripple,” Kurtz said.
In the same interview, Barclays Group Security Division CIO Elena Kvochko prescribed a holistic approach to cybersecurity for banks.
“No matter how you structure your technology teams, what’s important is to be able to have a holistic perspective across your business lines and product lines, to be able to see there is an anomaly or an incident happening in one part of the organization, you’re able to connect it to potentially other related events that are happening,” Kvochko said.
Implementing a new process could require three months to a year before it becomes a habit — and thus part of the security culture — within an institution, Kvochko added.
Deloitte Survey Imparts Lessons Learned for Banking Firms
Earlier this year, the Financial Services Information Sharing and Analysis Center, in conjunction with Deloitte’s Cyber Risk Services practice, surveyed the CISOs of 51 financial services institutions. Published in May, Deloitte’s analysis of the survey data found that cyber-risk management budgets range from 5 percent to 20 percent of the total IT budget, with a mean of about 12 percent.
Cybersecurity spending and staffing among the firms broke down as follows:
- 21%, cybermonitoring and operations
- 15%, endpoint and network security
- 12%, cybersecurity governance
- 12%, cyber-resilience
- 11%, identity and access management
- 11%, application and data protection
- 9%, vendor security management
- 7%, physical security
- 1%, other
Deloitte also derives some lessons learned from the survey, advising financial services institutions to:
- Proactively engage the board
- Engage the entire organization in cybersecurity
- Provide multiple lines of defense
- Alter the mix of a CISO’s responsibilities