Information Management Chaos, Part II: Cybersecurity. The Hard Part.

April 01, 2015
Robert Cruz

(Following up on the Financial Services Info Chaos post from last week)

This part – The Hard Part – is a double-click into one of the topics raised last week: Cyber Security. For FinServ, this is the Hard Part because of the frequency and severe consequences that compromised information can inflict upon hypersensitive financial markets. It is the Hard Part because, for many firms, information security has existed as a specialized domain, which has led to siloed investments that protect specific processes or systems – not necessarily the information that carries the highest value or risk as it flows through the firm. It is the Hard Part because many small- and medium-sized firms have lacked the internal expertise and/or the resources to adequately address information security threats. And it is the Hard Part because – across all industries – few organizations feel well prepared to address the consequences of data breaches.

But 2014 – The Year of Data Breach – changed the game. In fact,

  • 72% of FINRA firms rank cybersecurity threats in their top 3 concerns / risks in a recent study conducted by FINRA;
  • According to the Breach Level Index Report, Financial Services firms had 205,175,846 data records compromised, up from 2013. The average records lost per breach was up sharply from just 112,000 records in 2013;
  • In its Global State of Information Security report, PwC noted that the percentage of firms reporting cybersecurity losses of $10M-$19M increased 141% in 2014.

Financial regulators and industry groups have also taken notice, issuing a variety of Cyber Security Initiatives to guide financial institutions in sharpening their information security practices. These include:

  • The Federal Financial Institutions Examination Council (FFIEC) has started a cybersecurity assessment pilot program, which will examine more than 500 community banking institutions. On March 30, FFIEC released two alerts, the first on compromised credentials, the other covering the threat of destructive malware.
  • The National Association of Insurance Commissioners (NAIC) has coordinated two drafts that will provide comprehensive policy for oversight of insurance regarding cybersecurity: the first, Principles for Effective Cybersecurity Insurance Regulatory Guidance, will help state insurance departments identify uniform standards, promote accountability, and provide access to essential information. The second draft document, the Annual Statement Supplement for Cybersecurity policies, directly addresses topics relevant to Property and Casualty Insurance.
  • The Securities Industry Financial Markets Association (SIFMA), representing the US securities industry, recently launched its Cybersecurity Center.
  • Financial Services – Information Sharing and Analysis Center (FS-ISAC) provides a resource for cyber and physical threat intelligence analysis and sharing, offering on-going cybersecurity training.

Most recently, FINRA and the SEC have released comprehensive cybersecurity reports to establish guidelines and on-going audit standards for assessing the adequacy of each firm’s cybersecurity plan. The FINRA report noted that firms should establish a Cybersecurity Governance Framework to support risk-based decision making, along with practices to:

  • Ensure active senior management and, as appropriate, board-level engagement with cybersecurity issues;
  • Identify frameworks and standards to address cybersecurity;
  • Use metrics and thresholds to inform governance processes;
  • Dedicate resources to achieve the desired risk posture; and
  • Perform cybersecurity risk assessments.

The FINRA report concludes with further analysis of the technical controls, incident response planning, staff training, and vendor management requirements that firms should implement as components of their cybersecurity efforts.

Implications

The reports are a clear indicator that regulators are taking cybersecurity very seriously – and, given the potential implications of a data breach and client expectations for data security and privacy, further regulatory activity and stepped-up enforcement actions will no doubt follow. The frameworks referenced by FINRA can help firms create shared, risk-based approaches to prioritize investments in: core information security protection to block known threats; advanced targeted-attack protection technologies to detect the emerging category of malicious attacks; automated incident response approaches to reduce the time to contain threats; and archiving, supervisory, and data loss prevention technologies to ensure that information is securely under management.

Ultimately, the regulatory focus on cybersecurity as an element of firm-wide information risk management and governance practices will help to reduce information chaos and enable a heightened state of security readiness within Financial Services.