In the current uncertain economic climate, many leaders are being asked to cut costs, and despite rising corporate concerns regarding cybersecurity, Chief Information Security Officers (CISOs) are not immune to shrinking budgets and resources. Many CISOs are consolidating their cybersecurity vendors [1], while cybersecurity incidents are simultaneously on the rise, with 88% of CISOs [2] stating their organization has experienced a cyber incident in the past 12 months.
The financial services sector in particular has seen an increase in the frequency and sophistication [3] of cyber attacks, where each year seems to reveal more active threat actors than the last. While navigating this landscape as a CISO is already a demanding task, financial services companies are also facing additional information security challenges. What are they, and how can CISOs ensure their organizations are prepared to face them?
In many established financial institutions, legacy technology still underpins core banking and financial operations [4]. The costs of updating this critical, longstanding technology are immense, both financially and in terms of productivity. The time it takes to integrate a new system and to train employees to use it causes some banks to hesitate in making the switch. However, the costs of not updating outdated systems are even greater, as legacy technology often struggles to support mass digitization and lacks the proper safeguards to protect an organization from evolving and sophisticated cyber attacks [5].
The urgent need for established financial institutions to go digital stems from the attempt to remain competitive with fintech companies and neo-banks, which offer more appealing services to younger generations. To adapt to these shifting consumer needs, financial institutions have turned to third-party software tools that help build new products around existing services, such as rewards programs and mortgage brokerage services [6], when organizations cannot develop the in-house technology quickly enough. Increased use of third-party technology puts financial institutions at risk from any security vulnerabilities or cybersecurity-related incidents these external companies experience, on top of their own.
The Eurasia Group [7] has identified geopolitical risks involving countries known for their cybersecurity capabilities as three of its top five risks for 2023. This is a threat to financial services institutions in particular because geopolitical threat actors are more likely to target critical infrastructure, including financial services institutions, to cause disruption by introducing or exploiting systemic risk, or simply to fund illicit activities. The digital expansion of financial institutions has also significantly increased attack surfaces, creating more entry points and introducing new vulnerabilities. Threat actors may even use a poorly secured network for their own purposes, entangling a company in their agenda without the company even knowing [8].
Perhaps the most significant challenge financial services CISOs will face comes from several regulators releasing new guidelines this year, and the potential for little to no standardization surrounding what each will require from multinational financial institutions. This includes concerns with the adoption of cloud-based technologies from the United States Treasury Department [9], which now “recommends further evaluation from Treasury and the broader financial regulatory community to continue to determine the financial risks associated with a limited number of providers offering cloud services.” A few other notable examples include:
NYDFS [10]: The New York Department of Financial Services (NYDFS) proposed changes to its Part 500 Cybersecurity Rules that will go into effect 180 days after they are approved, covering new notification requirements, cybersecurity audits, and cybersecurity board member expertise.
SEC [11]: The Securities and Exchange Commission (SEC) brought forward a new rule which would require public companies in the United States to disclose the cybersecurity expertise on their boards, as well as management’s role in cybersecurity policy, procedure, and strategy.
DORA [12]: The Digital Operations Resilience Act (DORA) came into effect on January 17, 2023, requiring that all financial services companies in the European Union comply with stringent guidelines in less than two years. This follows the Operational Resilience requirements released in the United Kingdom in 2021, which many pan-European organizations also have to grapple with.
On top of these intricacies, organizations also face financial, legal, and reputational consequences for noncompliance, with recently updated regulations carrying harsher repercussions for not meeting standards.
How Can CISOs Prepare?
It has long been understood that cybersecurity cannot be managed in a silo, resulting in massive scope increases for CISOs and a need to integrate even more closely with the wider enterprise. CISOs must therefore continue to determine better communication strategies between themselves and the rest of the C-suite and board. Not only is board cybersecurity expertise required within many new regulations, but it also makes it easier to quickly respond to a cybersecurity incident when leadership is informed and knows their part in the response plan. When CISOs understand the vital role communications plays in cybersecurity crisis preparedness and incident response, they can effectively help test response plans with the C-suite.
CISOs can further mitigate the impacts of cybersecurity challenges with a focus on cyber resilience. By conducting thorough risk assessments across critical services, implementing impactful policies, procedures, and controls, and exercising due diligence with thorough testing of third-party technology, financial institutions can appropriately manage the additional cyber risk they carry, including when working with external vendors. Readiness assessments are also a key responsibility of CISOs. Organizations can use these assessments to ensure that they meet new regulations, and to gain an understanding of the most impactful enhancements available to them, which drives optimal levels of cyber resilience.
CISOs should also review Threat-Led Penetration Testing (TLPT) requirements that are emerging around the world [13]. TLPT can be leveraged to safely identify and remediate gaps in resilience from a more practical standpoint. The mandate to conduct these tests under the watchful eye of the regulator is well established, from CBEST [14] in the United Kingdom and TIBER [15] across the EU, to iCAST [16] in Hong Kong.
The G7 released its Fundamental Elements for Threat-Led Penetration Testing [17] in February 2023, indicating that the increased focus on TLPT will continue, with more jurisdictions adopting the approach every year. Even jurisdictions without defined approaches for regulator-driven TLPT are beginning to observe tests undertaken in other jurisdictions that do conduct such tests, and are reviewing the associated remediation plans that emerge as a result. CISOs can prepare for such engagements by ensuring these tests are a regular part of their cybersecurity programs, enhancing the resilience of their organizations against the real-world threat actors behind the geopolitical threats they face.
Cybersecurity threats are always present and constantly evolving, making the job of a CISO seem daunting, particularly with the added challenges of operating in the high stakes, highly regulated financial sector. However, a holistic view encompassing the technical, regulatory, and communications aspects of cybersecurity can enhance an organization’s ability to quickly recover from an incident, absorbing impacts with minimal disruption when an event inevitably occurs.
[1] James Rundle, “Economic Uncertainty Weighs on Cyber Chiefs,” The Wall Street Journal (January 13, 2023), https://www.wsj.com/articles/economic-uncertainty-weighs-on-cyber-chiefs-11673562985.
[2] “CISO: Communications Redefined – Navigating the Journey from Control Room to Board Room,” FTI Consulting (October 13, 2022), https://fticommunications.com/ciso-communications-redefined.
[3] “Financial Services Sector,” Cybersecurity and Infrastructure Security Agency (CISA), https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/financial-services-sector.
[4] “How Modernizing IT Can Help Banks Compete With Fintechs,” Payments Journal (February 7, 2023), https://www.paymentsjournal.com/how-modernizing-it-can-help-banks-compete-with-fintechs/.
[5] Nóra Bézi, “Slow by design — The burden of legacy infrastructure in the banking sector,” FinTech Weekly (August 26, 2022), https://www.fintechweekly.com/magazine/articles/slow-by-design-the-burden-of-legacy-infrastructure-in-the-banking-sector.
[6] “Third Party Providers,” Federal Deposit Insurance Corporation, Division of Depositor and Consumer Protection, https://www.fdic.gov/regulations/resources/director/presentations/tpp.pdf.
[7] “Eurasia Group’s Top Risks for 2023,” Eurasia Group (January 3, 2023), https://www.eurasiagroup.net/issues/top-risks-2023.
[8] Brian Boetig, “The National Security Questions No Organization Wants to Face,” FTI Consulting (February 7, 2023), https://www.fticonsulting.com/insights/fti-journal/national-security-question-no-organization-wants-face.
[9] “New Treasury Report Assesses Opportunities, Challenges Facing Financial Sector Cloud-Based Technology Adoption,” The United States Department of the Treasury (February 8, 2023), https://home.treasury.gov/news/press-releases/jy1252.
[10] “NYDFS Proposes Significant Changes to Its Cybersecurity Rules,” Debevoise & Plimpton (August 1, 2022), https://www.debevoise.com/insights/publications/2022/08/nydfs-proposes-significant-changes.
[11] Dr. Keri Pearlson and Chris Hetner, “Is Your Board Prepared for New Cybersecurity Regulations?,” Harvard Business Review (November 11, 2022), https://hbr.org/2022/11/is-your-board-prepared-for-new-cybersecurity-regulations.
[12] David Dunn and Ian Duncan, “What You May Not Know About DORA — But Should,” FTI Consulting (August 29, 2022), https://www.fticonsulting.com/insights/fti-journal/what-you-may-not-know-about-dora-but-should.
[13] “A Framework for Threat-Led Penetration Testing in the Financial Services Industry,” Global Financial Markets Association (December 2020), https://www.gfma.org/wp-content/uploads/2020/12/gfma-penetration-testing-guidance-for-regulators-and-financial-firms-version-2-december-2020.pdf.
[14] “CBEST Threat Intelligence-Led Assessments,” Bank of England, https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector/cbest-threat-intelligence-led-assessments-implementation-guide.
[15] “What is TIBER-EU?,” European Central Bank, https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html.
[16] “HKMA launches Cybersecurity Fortification Initiative 2.0,” Hong Kong Monetary Authority (November 3, 2020), https://www.hkma.gov.hk/eng/news-and-media/press-releases/2020/11/20201103-4/.
[17] “G7 Fundamental Elements for Threat-Led Penetration Testing,” Gov.UK (February 3, 2023), https://www.gov.uk/government/publications/g7-fundamental-elements-for-threat-led-penetration-testing.
This is a guest article from Simon Onyons and Adriana Villasenor.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
©2023 FTI Consulting, Inc. All rights reserved. fticonsulting.com