Financial services organizations have always been conscious of the lurking cyber threat. Most are fortunate and can successfully defend against the (seemingly) never-ending and ever-increasing volume of attacks. However, some senior leaders are now citing cybersecurity as their greatest concern due to the prevalence of nation-state attacks and the scale of potential rewards for cyber-criminals if they are successful.
In an article published in the Financial Times earlier this month, the CEO of the world’s largest sovereign wealth fund (Norway’s $1.2trn oil fund) stated that he is “worried more about cyber than he is about markets.”
Regulators are increasingly worried too, and the FCA and PRA have issued recent policies to strengthen firms’ resilience against attacks. This includes supply chains, which form an increasingly important part of the financial services system; in fact, regulators have already set out plans to directly oversee and strengthen the resilience of critical third parties, such as major cloud providers.
The advice is clear; hope for the best but prepare for the worst. Under new regulations, firms and their suppliers need to prepare for when (not if) a cyber-attack happens. So what steps should firms take to be as prepared as possible for an attack?
- Firstly, check the effectiveness of your cyber controls. It sounds like a basic step, but there is often a gap between the controls a firm sets out in policy and what happens in day-to-day operations. For example, identity and access management controls should be tightly linked to joiners, movers and leavers to ensure they are up-to-date with the latest employee movements. Cyber-criminals will always look for weak links in the chain, and if you have basic control failures or controls that your employees are circumnavigating, it creates opportunities for the hacker.
- The next step is ensuring cybersecurity is considered in the design stage of any new project rather than retrospectively added later. New projects often spin up new technologies quickly to pilot new ways of working. This creates an opportunity for hackers to exploit environments that might not be as secure. It’s also important to ensure that you work with your third-party suppliers on projects securely and that their cyber controls are as robust as yours. A recent infamous example is where nation-state attackers used a compromised SolarWinds update to access US government data.
- Training your employees in basic cyber awareness is a good way to bolster your defenses. Hackers sometimes leave tell-tale signs that an attack is imminent, such as unusual access to systems. If your employees know what to look out for and take pride in looking after your customers’ data, they can be your best defense. Criminals will usually try sophisticated phishing campaigns to get access to employee system credentials that are useful during an attack later on.
- Beware of the inside job. A worrying number of cyber-attacks are conducted by those already inside the organization. A robust insider threat framework will help you identify the policies, controls and monitoring you need to stop this from happening. A comprehensive framework will allow organizations to link physical and digital controls. For example, an employee accessing an office late at night using their access pass at the turnstile and downloading a large volume of data should be flagged as suspicious activity if it’s not their usual work pattern.
- Sadly, it is now more a case of when, not if, your systems will be attacked, so it is important to have good monitoring systems in place. This means keeping your monitoring up-to-date, often partnering with a Security Operations Centre (SOC) provider for 24/7 cover and having a plan for what you will do in the event of an attack, both technically and from a management and communications point of view.
- Finally, you should simulate your response to a cyber-attack. Our work with boards and senior executives has demonstrated that those who rehearse their response, typically to differing scenarios each year, perrform far better should an actual attack happen. A rehearsal will help you to iron out any gaps in your procedures and understand how you work together as a team under pressure.
Just in case the worst does happen, you will want to consider cyber insurance, but read the terms carefully as there are often limitations to cover or stipulations about how you’re expected to conduct the response to an attack.
The reality is that while good leaders have worried about cyber threats for many years, the challenges and risks remain and now more than ever, they must not let up their guard.