Cyber Risk Management Strategies for Financial Services

Every financial service institution should have a cyber risk management developed and locked in place. Even the most safeguarded organisations will experience a cyber incident at some point. How an institution reacts to these incidents depends on the preparedness of the cyber risk management strategies in place.

But how are FSIs counteracting an evolving threatscape? To start, the costs of cybercrime affect financial services deeply, making it all the more imperative to safeguard their organisations.

Cost of Cybercrime

Cybercrime is costly, but it fluctuates from industry to industry. Institutions with higher valued data are more likely to spend more in building and maintaining their cybersecurity perimeter. Additionally, expenses associated with the aftermath of cyber incidents, breaches, and attacks also vary based on the severity of the threat vectors.

Ponemon Institute’s 2015 Cost of cyber crime study demonstrated the high costs associated with cybercrime among various American industries. In particular, financial services spend $28.3 million on average on cybercrime – up from its $19.4 million six-year average. In fact, financial services spend the most out of every other industry when it comes to cybercrime.

Unfortunately, it seems these costs are only going to rise. FedScoop reports that bank regulators warn of growing cyber risk for the financial sector. Comptroller of the Currency Thomas J. Curry urges FSIs to heighten attention and maintain continuous vigilance when it comes to cyber risk management.

Top Cyber Risk Management Concerns for FSIs

So, what is on the top of FSIs’ cyber risk management list of concerns? Deloitte University Press analyzed how security leaders at financial services firms are closing the gaps in cyber risk management. These leaders’ top concerns include regulatory and compliance, cyber risk exposures, the user experience for internal employees and external customers, and balancing budgets with workforce globalisation.

Then there are the challenges of managing the onslaught of a quickened pace of attacks in conjunction with the increasing sophistication of attack techniques and threat actors.

Deloitte’s findings saw that only 42 percent of survey respondents felt that their organisation was “extremely effective” or “very effective” in managing cyber exposures. However, what the majority of FSI respondents shared in common is that money was no object when it came to cyber resiliency.

What Does it Mean to be Cyber Resilient?

In order to be cyber resilient, different teams within FSIs must be on the same page. At the root of cybersecurity isn’t an isolated IT issue, but an issue for the entire brand. PWC defines cyber resiliency as a comprehensive, well-crafted cyber risk management programme. The management tied to this programme is also held accountable for the programme’s performance and results, including oversight, shortcomings, failures, and successes.

Successful and effective cyber risk management programs are an ongoing conversation for FSIs. This conversation takes place in many forms and among many people. From the c-suite to employees to partners to customers, the success of a cyber risk management program hinges on its level of engagement. As a result, having a cyber risk management program in place enables FSIs to:

• Keep pace with the changing threatscape
• Avoid potential financial damage from security breaches
• Protect the overall brand from reputational damage
• Maintain a trusted partnership with customers
• Gain a competitive advantage over more vulnerable competitors

Cyber Risk Management: 5 Pillars in Training Your Team

With a plan in place, how do FSIs get cyber risk management participants to collaborate? There are a number of resources for FSIs to use when building their cybersecurity policies and risk management programmes.

FSIs can be proactive against cyber threats by creating a cyber risk management program built on these 5 pillars:

1. Nurture Cyber Talent Development: Organisations are very much like people. The more healthy practices are introduced, the healthier the overall being. The same logic applies as to who makes up an organisation’s cyber talent. Recruiters should take extra care in recruiting and onboarding the right tech talent for financial services. And it doesn’t stop after onboarding. It is just as imperative to train and nurture these professionals for higher retention rates.

2. Create Cyber Protocols: An FSI’s cyber protocol should be made available to all of the programme’s participants. This protocol should also contain an accountability model that outlines responsibilities for the outcomes of various cybersecurity incidents.

3. Host cyber awareness programmes: Annual, bi-annual, and even quarterly cyber awareness programmes can be held for employees, partners, and even customers. Cyber awareness programmes are an opportunity to educate attendees on emerging threat vectors, recent security incidents, and how their organisation is safeguarding data.

4. Test Your Team: The only way to ensure a programme is working is by testing them. There are multiple ways to do this beyond training quizzes. Did they read the protocol about responding to phishing emails? Try sending out a “phishing” email by constructing a suspicious email line. Track the email to see who opens the email and who follows up with your security team.

5. Keep Expanding the Conversation: The only way to keep the momentum of a cyber risk management programme is to expand the conversation to key players. The cybersecurity environment is rapidly changing. Don’t leave this conversation isolated to an FSI’s board room. Extend it to the necessary partners, vendors, and customers to ensure everyone is on the same page.

Why the Majority of Fortune 100 Financial Services Trust Mimeo

From the moment of upload, every file on Mimeo’s platform is encrypted while in flight and at rest. In addition to a fully PCI compliant payment option, Mimeo takes proactive data safeguards to ensure your security. Read why leading financial services trust Mimeo with their critical data.