As more of their business goes digital, financial services firms are struggling to stay at the forefront of cyber security, while dealing with both increased regulatory scrutiny of digital security measures and shrinking security budgets due to cyber fatigue at the top of the house.
Complicating these challenges for many financial services firms is the gap that often exists between business leaders and their IT function in terms of a coherent, organization-wide cyber security strategy designed to anticipate, identify and respond to ever-evolving cyber security risks.
Technology security experts within organizations are tightly focused on cyber defense from a technology perspective but typically lack a 360-degree view of what may also be needed from the people and processes perspectives to heighten cyber security. While historically boards and executives approved rising tech budgets, they are now demanding answers to fully understand where the funding has gone and questioning whether the spend has actually reduced the firm’s overall cyber risk.
“Without guidance from the top and business engagement on priorities and risks, the IT function can be unclear about where the business overall needs to spend money,” says Bia Bedri, a partner specializing in banking and capital markets cyber security for KPMG in the UK.
IT teams are looking at controls, technology and platforms without clarity or input from the business leaders on what’s key to the overall business. If financial institutions hope to make real progress that uses their budgets, resources and time efficiently, they will require a more strategic approach. Executives and boards need to be better engaged and understand their responsibility with regards to cyber security.
Becoming a resilient, cyber-smart organization will require financial firms to ensure that their people, processes and technology are all strategically focused on cyber risk and appropriate solutions.
The cyber security dilemma is at least as challenging for insurers, as they are typically ‘less mature’ than banks today in developing cyber security capabilities. The fact that they have more ground to cover on cyber security has not escaped the scrutiny of regulators in places like the US and the UK, where they are increasingly turning their attention to this sector.
All things considered, today’s financial organizations remain stuck in a ‘reactive mode’ when it comes to data attacks or security breaches and they need to take a far more proactive approach aimed at anticipating and preparing for potential attacks before they occur. Rather than analysis of the post-breach impact, they must develop a response and assessment that prepares them for future scenarios.
External threats such as financial crime, ransomware, DDoS attacks and customer data theft, combined with internal threats that include fraud and rogue trading, are forcing financial institutions to dramatically sharpen their focus on the need for comprehensive new cyber security strategies.
For example, KPMG helped one global organization, following a costly trading incident, to develop a strategy that involved rethinking its entire approach to information security. As the bank faced a significant ‘identity access management’ problem, KPMG’s cyber security specialists helped it develop a remediation plan to transform its information security across the organization. The program was implemented by designing, building and embedding new controls that covered data and business systems in more than 30 countries, while meeting all business and regulatory requirements. The bank reduced risk significantly, optimized many of its processes and enhanced its reputation as an industry leader on cyber security.
How can financial institutions pursue a more strategic approach to cyber security that goes beyond throwing money at technology, to instead create a 360-degree view encompassing people, processes and technology?
CROs and CIOs should collaborate closely to gain a clearer understanding of who owns what when it comes to cyber security policy. They must recognize that it’s no longer simply ‘an IT problem’ but one in which the CRO and the board need to be involved. Working together, they can start by identifying their top 10 cyber risks, then explore the complicated processes and technologies that need to be addressed and the costs involved.
Ultimately, concern and awareness about cyber security should be ingrained in every business and addressed from a cultural perspective. There is a fine line between simply ‘reacting and adopting’ technology and ‘thinking ahead’ strategically in order to create a secure business environment amid tremendous ongoing changes.