Cybersecurity in Financial Services

Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response strategies such as compliance-driven controls and siloed solutions. This approach has resulted in cyber attacks becoming more frequent and widespread. The likelihood and potential impact of such attacks has subsequently made cybercrime a business risk on most executive boards’ agendas, with a clear mandate to manage it across all levels of the organisation.

This paper discusses the top challenges faced by financial services institutions and presents CSC’s point of view on how to prepare and defend against an increasingly sophisticated, well-funded and persistent threat environment.

The financial services industry forms the backbone of today’s globalised monetary and economic environment and is therefore highly regulated. The prospect of direct access to money, with a capitalisation expected to exceed $143 trillion[1] worldwide in 2014, has resulted in the financial services industry becoming a prime target for cybercrime – such as financial fraud, identity theft, unauthorised access to or loss of data, and denial of service attacks.

Hackers and organised criminal groups, some potentially government funded, continually develop and refine techniques to circumvent information security controls and safeguards in order to commit fraud, financial theft and other cybercrimes, and have the advanced capabilities needed to execute persistent and targeted attacks.

Today’s organisations enable multi-country operations through centralised shared services and regional hubs and depend on partner ecosystems to provide cost-effective, efficient and customer-focused business services. As a consequence, modern banking systems have evolved across legislative borders with increased interconnection and complexity. This evolution has led to complex regulatory requirements, greater exposure to internal and external cybersecurity threats, and intensified concerns around data security and privacy across virtual borders.

This paper highlights the cybersecurity challenges faced by the financial services industry due to the changing nature of threats and business, and provides a view on mitigation strategies to strengthen the security posture.

The financial services industry is highly regulated, with a variety of sometimes contradictory regulatory requirements at country and state level. Consequently, organisations are confronted with multiple views of their compliance obligations, with large overlaps and inconsistencies between mandates. As a result, excessive controls and silo-based solutions are increasing cost and complexity.

Significant security breaches at Target, KB Kookmin Card, the Montana Department of Public Health and JPMorgan Chase, among others, illustrate that being compliant is not necessarily a guarantee that all risks are adequately managed and mitigated.

Our point of view is that information security should be risk based, with compliance being a significant driver but not the sole focus. It is essential to identify and monitor compliance; however, it is equally important to prepare the organisation to respond to previously unknown threats in a timely manner. This is achieved by building sufficient flexibility into the organisation’s risk and control framework to ensure continuous monitoring and identification of new and emerging threats via a comprehensive information security risk management framework.

[1] Market Line Report, Report Linker

Furthermore, financial services organisations should develop an overarching global compliance framework by identifying all the applicable requirements, followed by eliminating overlapping obligations. Subsequently, requirements should be mapped to the operating environment and country-specific regulations.

To further reduce the cost of compliance, testing and reporting on the effectiveness of controls should be centralised where feasible to ensure consistency. This further enables the organisation to provide a compliance status for multiple regulatory bodies by facilitating the mapping of controls to country-specific regulations.

Many organisations do not identify and clearly classify data based on sensitivity and criticality, and therefore lack an understanding of which information matters most. Financial services institutions traditionally focus on deploying multiple point solutions (e.g. data leak prevention, access logging, rights management and encryption tools) to manage intentional or unintentional data loss; however, they lack an organisation-wide integrated approach that protects data according to risk-based decisions.

Yet another challenge is the difficulty of aligning the organisation’s operating model and supporting environment with regulatory requirements, for example managing privacy protection for cross-border data transfers that result from shared services and centralised processing facilities.

Concerns over the privacy of sensitive information have resulted in countries across the globe adopting specific national and regional jurisdictional mandates, with an increasing number of countries introducing mandatory disclosure of data breaches.

Our point of view is that financial services institutions should have a holistic view of data security requirements, managed by a comprehensive data governance framework which includes roles and responsibilities, geographic compliance requirements, inventory and reporting on assets, data classification and handling, and technical solutions such as data leak prevention.

One key element of a solid data governance framework is the identification of data flows inside and outside the organisation and the mapping of those flows to the organisational control environment. Furthermore, a risk assessment should be conducted to identify control gaps, and an implementation roadmap developed to mitigate risks outside the organisation’s risk appetite.

The above initiatives should be complemented by a global security incident response plan with local notification and reporting. Mandatory disclosure of a data breach requires a comprehensive analysis of incidents to determine whether a breach has occurred. Organisations therefore require either sophisticated internal forensics capabilities or readily available external ones provided by a trusted partner.

Partnerships, outsourcing and offshoring have become the reality and accepted business practice in the financial services industry, enabling cost-effective, efficient and customer-focused business services.

Traditional models outsourced non-essential internal functions, such as the maintenance of IT equipment, whereas recent models reach significantly further into the supply chain. Most financial services institutions have started to actively consume cloud services and engage a variety of business partners to provide material business functions such as claims management and insurance brokerage.

These trends introduce complex data sharing requirements and new information security challenges which need to be proactively managed to ensure that the services meet business objectives and that information is protected throughout its lifecycle, from collection to destruction.

Our point of view is that financial services institutions should implement a comprehensive vendor risk management framework to ensure that vendor risks are adequately managed, taking into consideration the sensitivity of the information, the criticality of the business activity and the possibility of outsourcing and offshoring. The importance of adequate vendor risk management is also reflected in a variety of regulatory requirements, such as the Australian Prudential Standard CPS 231 for Outsourcing.

A comprehensive vendor risk management framework includes, but is not limited to, roles and responsibilities that are clearly defined and understood throughout the organisation, as well as periodic vendor risk and due diligence assessments, to ensure due care and reduce risk and legal liability. It further ensures that minimum information security requirements, service level agreements and standard terms and conditions are defined and agreed in legally binding contracts that include the right to monitor and audit.

The shift from traditional brick-and-mortar business models to fully digitalised, customer-focused distribution channels has resulted in customers and prospects expecting an exceptional experience on a 24x7 basis. Furthermore, service level agreements may impose financial penalties in the event that the financial institution breaches its contractual agreement with its customers.

To support the business in its objectives, close to zero tolerance for downtime and data loss has to be achieved through highly interconnected, centralised shared services and banking systems.

Our point of view is that financial services institutions should acknowledge that business continuity (BC) and disaster recovery (DR) are key business requirements and therefore need to be managed throughout the organisation. This should be accomplished by establishing an understanding of what impact service outages have on business objectives, and subsequently translating those impacts into adequate recovery time and recovery point objectives for internal and third-party provided services. In addition, business units need to prepare contingency plans, including alternative work practices and processes, to support the business during a disaster.

It is essential to periodically test DR and BC plans to ensure that the parties involved are aware of their responsibilities and to identify opportunities to improve and enhance the plans. Furthermore, a vendor risk management framework should ensure that vendors can provide the agreed service and are equally prepared to handle a disaster. It is also advisable to identify alternative suppliers for critical services in case of a complete failure of the primary service provider.

Lastly, the globalisation of travel and the world economy requires modern organisations to proactively monitor events around the world and prepare a pandemic plan as a worst-case scenario. As communication with clients and business partners is a critical element of every DR and BC plan, organisations should consider using social media as a highly available communication channel.

Cybersecurity is a dynamic problem of velocity, volume and value: the threat agent is unknown, covert and equipped with skills and resources (funds and channels), and is looking for the weakest link to exploit. On top of this, cybercrime is widespread and aggressive and poses a major threat to economic and national security; however, many financial services institutions do not share information about threats or cooperate externally.

Our point of view is that financial services institutions should consider a risk-based approach to cybersecurity with actionable threat intelligence, collaborating both internally and externally. The risk-based approach consists of two parts. Firstly, organisations need to identify risk at a point in time and then undertake periodic reviews to identify changes in the threat landscape, the threat actors, the likelihood of a threat and any associated impact.

Secondly, organisations should undertake continuous risk assessment by introducing a monitoring process for unknown threats. Increasing the sources of information through threat-indicator behaviour monitoring, with notification and analytical capabilities, will enhance an organisation’s defence.

While the first part is traditional, well known and done periodically, the second part is more complex. Continuous risk monitoring requires financial institutions to leverage internal and external threat intelligence, add proactive components such as honeypots and malware analysis, and collaborate with other financial institutions to share threat intelligence, in order to construct a risk-based, holistic approach to cybersecurity.

A risk-based approach allows the identification of value and risk related to the significance of data and the weakest link, i.e. the point of vulnerability. It helps prioritise efforts and focus on patching the weakest link, gives visibility into the threat environment and enables better informed information protection.

Authored by Christian Haider, CSC Cybersecurity, senior security consultant, and Chandra Prakash Suryawanshi, CSC Cybersecurity, associate partner, business strategy, CSC Cybersecurity Consulting.

About CSC

The mission of CSC is to be a global leader in providing technology-enabled business solutions and services. With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients and improve operations. CSC makes a special point of understanding its clients and provides experts with real-world experience to work with them. CSC leads with an informed point of view while still offering client choice. For more than 50 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs. The company trades on the New York Stock Exchange under the symbol “CSC.”

© 2015 Computer Sciences Corporation. All rights reserved.