New Cyber Challenges Require New Strategies...The cybersecurity paradox Our survey uncovered an...

Internal Audit, Risk, Business & Technology Consulting

Cybersecurity in the Financial Services Industry

New Cyber Challenges Require New StrategiesWhere we are now — and where we are going

Cybersecurity in the Financial Services Industry · 1protiviti.com

Over the last decade, the financial services industry has undergone a radical transformation

from trying to manage an aging and costly infrastructure to fully embracing digital transformation.

Companies are now investing in new technologies that will enable their businesses to respond

to new competitors and changing client needs. This shift, however, has put the industry’s

cybersecurity in the spotlight, given both the damage that can be inflicted by an intrusion

and heightened public and regulatory expectations regarding security and privacy.

In order to assess the current state and direction of

cybersecurity at organizations around the world,

Protiviti co-sponsored a global survey of 1,300

C-suite executives and their direct reports, which

was supplemented with in-depth interviews with 18

CISOs and cybersecurity experts and input from an

From this research, we have extracted the data for the

300 financial services executives who participated,

representing a wide range of institution types and

regions. In this paper, we focus on how financial

services firms are progressing in their implementation

of the NIST Cybersecurity Framework,2 trends and

advisory board of executives from a range of industries.

The survey, The Cybersecurity Imperative, paints a

detailed picture of how senior business leaders are

thinking about threats and implementing security

best practices.1

projections regarding threats and countertactics, and

ways in which cybersecurity is supported by policies,

organizational structure and interactions with other

functions. We conclude with recommendations firms

can use to help strengthen their cybersecurity practices.

Introduction

Institution Type Headquarters Location

Commerical/retail bank

Full-serviceinstitution

Investmentmanagement

Paymentsfirm/cardissuer

Insurance

US/Canada

Latin America

EU/UK

Asia Pacific

5%

25%31%

9%33%

27%

25%25%

20%

1 The Cybersecurity Imperative: Managing cyber risks in a world of rapid digital change, ESI ThoughtLab, October 2018. For more information, visit: www.protiviti.com/cyberstudy.2 For more information, visit: www.nist.gov/cyberframework.

2 · Protiviti

20% 40% 60% 80% 100%

Implementation of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides a standard checklist of 23 recommended activities grouped into five

categories which organizations can use to develop their cybersecurity strategy. In our survey, we asked respondents

to evaluate their progress in each of these activities according to the following scale:

CYBERSECURITY MATURITY LEVEL DESCRIPTION

No action

Beginning Starting to think about the activity

Developing Planning and support building

Maturing Seeing progress and benefits

Advanced Ahead of most peers and seeing significant benefits

As part of our analysis, we also aggregated the maturity

levels of each company across the 23 NIST cybersecurity

activities and categorized firms overall as Cybersecurity

“Beginners,” “Intermediates” or “Leaders” based on

the total of their maturity level scores. This analysis

shows that financial services organizations are

somewhat ahead of other companies in cybersecurity

maturity, with a larger percentage of leaders and a

smaller percentage of beginners.

Maturity of Cybersecurity Function

Non-financial services companies

Financial services companies

0%

32%

26%

49%

50%

19%

24%

Beginners Intermediates Leaders


Identification

The financial services industry is doing best in areas

involving risk, with one-third of survey respondents

characterizing their progress as maturing or advanced

for these activities. However, the fact that only one in six

financial services firms is “maturing” or “advanced” for

governance is concerning for two reasons: First, given the

level of regulation under which the industry operates, one

would expect more progress to have been made in this

area. Second, weak governance undermines confidence in

the cybersecurity function’s overall operations. (It should

be noted that enterprises outside of financial services

have even further to go, with only 10 percent having

maturing or advanced cybersecurity governance.)

ACTIVITY MATURING OR ADVANCED (%)

Risk assessmentIdentify the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals. 33%

Risk management strategyEstablish priorities, constraints, risk tolerances and assumptions for managing operational risk. 33%

Supply chain risk managementEstablish priorities, constraints, risk tolerances and assumptions for managing supply chain risk, as well as establishing and implementing processes to identify, assess and manage these risks. 32%

Asset managementIdentify the data, data flows, devices, personnel and systems that could affect cybersecurity. 23%

Business environmentUnderstand and prioritize the organization’s objectives, stakeholders and activities. 23%

Organizational rolesSet roles and responsibilities for the entire workforce and third-party stakeholders. 23%

GovernanceUnderstand the policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk and operational requirements. 16%

4 · Protiviti

Detection

Financial services firms are making solid progress in

establishing continuous security monitoring — and

compare favorably to non-financial services firms,

where only 35 percent of companies have reached

these levels. But there is still significant progress to

be made in the other three activities, which far few

organizations are performing. Each of these three

developing areas will be greatly affected by emerging

technologies (discussed in the Tools and Technologies

section below), suggesting the possibility that the

industry may see rapid gains here in the coming years.

Indeed, firms that are cybersecurity leaders have already

begun. For example, 40 percent of leaders have maturing

or advanced capabilities for detecting anomalies and

events (compared with 1 percent of beginners).


Continuous security monitoringMonitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. 42%

Detection processesMaintain and test detection processes and procedures to ensure awareness of anomalous events. 27%

Predictive analyticsForecast future cyberattacks by analyzing high volumes of data using AI and other advanced technologies. 25%

Anomalies and eventsDetect anomalous activity and understand the potential impact of events. 17%


10% 20% 40%30% 50%

The cybersecurity paradox

Our survey uncovered an interesting and, at first glance, counterintuitive finding: The more advanced a financial services firm’s cybersecurity efforts, the more cyber breaches it suffers. This is likely because firms with more mature cybersecurity functions have better detection measure in place, with those in the earlier stages simply unaware of intrusions that are taking place. While 42 percent of financial services firms overall have maturing or advanced continuous security monitoring, only 3 percent of firms categorized as cybersecurity beginners do, compared with 86 percent of cybersecurity leaders.

More than 1,000 customer records with personally identifiable

information lost or stolen 31%22%6%

Three or more breaches requiring emergency response plan deployment

42%36%21%

Beginners Intermediates Leaders

0%

Cybersecurity incidents in the last fiscal year

We’ve all seen breaches in recent years where companies got the response process wrong and seriously damaged their reputations. The GDPR 72-hour rule is also requiring firms to up their game in this area. – Scott Laliberte, Managing Director, Security and Privacy, Protiviti

6 · Protiviti

Protection

Protection is the cybersecurity area where most

organizations, regardless of industry, initially focus

their cybersecurity efforts. In the financial services

industry, this is reflected in the significant percentage

of firms that are maturing or advanced in identity

management and access control, data security, and

information protection processes and procedures.

But the other three elements of protection need

strengthening, with the state of awareness and

training of particular concern given the cybersecurity

risk posed by untrained general staff (see sidebar on

following page).


Identity management and access controlLimit access to physical and logical assets and associated facilities to authorized users, processes and devices. 40%

Data securityManage data in line with risk strategy to protect the confidentiality, integrity and availability of information, and the privacy rights of data subjects. 39%

Information protection processes and proceduresMaintain security policies, processes and procedures for protecting information systems and assets. 37%

Protective technologyManage technical security solutions according to policies, procedures and agreements to ensure the security and resilience of systems and assets. 25%

Awareness and training3

Train personnel and partners in cybersecurity awareness and to perform cybersecurity duties in line with policies, procedures and agreements. 20%

MaintenancePerform maintenance and repairs of industrial control and information system components according to policies and procedures. 18%

3 For more information, read “Highlighting Recent Cyber-Related Financial Losses, the SEC Urges Public Companies to Revisit Internal Accounting Controls,” The Protiviti View, Nov. 5, 2018, https://blog.protiviti.com/2018/11/05/highlighting-recent-cyber-related-financial-losses-the-sec-urges-public-companies-to-revisit-internal-accounting-controls/.


Increasingly, organizations are recognizing the people element in effecting change and the “make it or break it” significance of culture, collaboration and communication to the success of everything, from business innovation and digital initiatives to cybersecurity. A growing number of organizations are embarking on transformational efforts of some sort, leveraging new technologies to evolve their business and engage customers in new ways. The importance of maintaining security throughout these transformations has never been greater. By recognizing that security challenges are business challenges and engaging business users throughout the process – from planning and design through implementation – organizations can avoid the pain suffered by others and become citable examples of success instead. – Andrew Retrum, Managing Director, Security and Privacy, Protiviti

Employees are the weakest link

Cybersecurity professionals have long argued that cybersecurity needs to be seen as “everyone’s job” and an integral part of company culture. That message seems to have taken hold: When asked to name their greatest internal cybersecurity risk, financial services executives, like those in other industries, are more likely to name untrained general staff than any other source. However, while awareness of this problem is high, combatting the issue remains very much a work in progress, as just 20 percent of firms have maturing or advanced cybersecurity awareness and training activities in place. Accelerating investment in awareness and training in this area is likely to bring firms a noticeable return.

20% 40% 60% 80% 100%

20%

29%

Untrained general staff

Malicious insiders

Privileged insiders

Contractors

40%

81%

0%

Internal threats posing significant risk

8 · Protiviti

Response

In analysis and ongoing improvements, the financial

services industry is faring significantly better than other

industries (which average 36 percent and 22 percent

at the maturing and advanced levels, respectively, for

these activities). The priority for the financial services

industry needs to be strengthening its response

planning, as improvement in this central function

is likely to lay the groundwork for improvement in

other response areas.


AnalysisAnalyze incidents to ensure effective response and support recovery. 46%

Ongoing improvementsImprove organizational response by incorporating lessons learned from current and previous cybersecurity activities. 30%

CommunicationsCoordinate response with internal and external stakeholders, such as law enforcement agencies. 23%

Response planningMaintain and execute processes and procedures to ensure response detected cybersecurity incidents. 23%

MitigationAct to prevent expansion of an event, mitigate its effects and resolve the incident. 16%


Recovery

Among the five pillars of the NIST Framework, recovery

has the most room for improvement. Cybersecurity

leaders and others in the C-suite have long recognized

that in today’s environment, suffering a cybersecurity

breach is inevitable. A firm’s recovery capabilities will

be tested—and may well determine the long-term

impact of the breach on the business.


CommunicationsCoordinate restoration efforts — including public relations and reputation management — both internally and externally with internet service providers (ISPs). 29%

Ongoing improvementsIncorporate lessons learned into future recovery planning and processes. 27%

Recovery planningMaintain and execute recovery plans — during or after a cybersecurity incident — to ensure restoration of affected systems or assets. 22%

An organization’s preparedness to reduce the impact and proliferation of an event is key. Accordingly, the company should focus on the adequacy of its playbook for responding, recovering and resuming normal business operations after an incident has occurred. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in the wake of a breach. – Adam Hamm, Managing Director, Risk and Compliance, Protiviti

10 · Protiviti

Emerging Threats and Countertactics

The evolving nature of cyberattacks

As the financial services industry’s digital transformation

continues, cyberattacks are expected to evolve accordingly.

Today, the threat of direct attacks on system endpoints,

such as malware, ransomware and Trojan horses —

dominates the cybersecurity landscape.

Over the next two years, however, as endpoint

protection continues to advance, financial services

organizations expect new vulnerabilities to emerge

from greater connectivity and system complexity.

From a cybersecurity perspective, technological advances

are a double-edged sword, providing greater capabilities

and control but also creating new channels for intrusion.

Reflecting this, when asked which internal and external

trends were affecting cybersecurity risks and how they

are managed, financial services executives emphasized

new technologies, such as artificial intelligence and

blockchain, and technologically driven factors like open

platforms and interconnectivity, over business factors

like M&A and expanded supply chain (see chart on

following page).

The emphasis on technological factors when assessing

the cybersecurity landscape is not surprising. But

financial services firms should remember that business

combinations, lengthening supply chains and global

operations significantly expand an organization’s attack

area while introducing an array of control challenges.

ATTACKS WITH THE LARGEST IMPACT

TODAY TOMORROW

1. Malware/spyware 1. Attacks through mobile apps

2. Phishing/spoofing/social engineering 2. Web application attacks

3. Attacks through mobile apps 3. Attacks through embedded systems

4. Ransomware 4. DoS/DDoS

5. Trojan horses/viruses/worms 5. Phishing/spoofing/social engineering


Tools and Technologies

If financial services firms have a heighted awareness of

the threats posed by technologies like blockchain and

sensors, it may be because the industry has increasingly

employed these tools in their cybersecurity arsenal;

only multi-factor authentication and biometrics — now

essentially table stakes — are more widely adopted (see

chart on following page).

Financial services firms that are cybersecurity

leaders, intermediates and beginners tend to employ

the most common technologies with the same level

of frequency. There is, however, another set of tools

that cybersecurity leaders and intermediates use but

that beginners have yet to adopt. Firms that are early

in their cybersecurity development should consider

expanding their cybersecurity arsenal accordingly.

10% 20% 30% 40% 60%50% 70%

17%M&A, joint ventures and partnerships

15%Third-party supply chains

Global operations 18%

Digital transformation 20%

28%Digitally-enabled products, services and interfaces

Interconnectivity/mobile technologies 44%

Use of open platforms/APIs/cloud 56%

Rise of new technologies 59%

0%

Trends affecting cybersecurity risks and management

Technological factors

Business factors

12 · Protiviti

10% 20% 40%30% 50% 60% 70%

Third-party information security practices 9%

40%

Cloud access security brokers6%41%

Quantitative risk assessment models such as Factor Analysis

of Information Risk (FAIR) 22%40%

Leaders and Intermediates Beginners

…while others are favored by those with more experience

Network traffic analysis8%41%

16%46%

Endpoint protection software

26%51%Endpoint detection, response

or protection software

0%

20% 40% 60% 80% 100%

56%Internet of Things/sensors

41%Artificial intelligence/machine learning

Secured browsers 57%

Blockchain 76%

82%Multi-factor authentication/biometrics

0%

Some technologies are used by many…


Our survey findings suggest, however, that the financial

services industry is primed for a significant expansion

of the cybersecurity toolset: The three approaches that

are least used today — user behavior analytics, smart

grid technologies and deception technology — are

among those that financial services firms say they are

most likely to adopt over the next two years.

Financial services firms are challenged to simultaneously make their systems more nimble, more permeable (easily accessed and integrated), more customer-centric, more stable and more secure in response to rising consumer expectations and increased competition from fintech and insuretech firms. – Ed Page, Managing Director, Technology Consulting, Protiviti

10% 20% 40%30% 50% 60% 70%

Quantitative risk assessment models36%34%

Deception technology11%55%

Smart grid technologies6%31%

Quantum computing24%26%

Plan to adopt over the next two years

In use today

0%

New technologies on the horizon

4%62%

User behavior analytics

14 · Protiviti

Quantitative methods bring far-reaching benefits

While other technologies and methods will see a larger jump in adoption over the next two years, the percentage of financial services firms now using quantitative methods for cybersecurity risk analysis, combined with those that plan to adopt them in the next two years, will make it a cybersecurity mainstay by 2020. This is likely to be a significant development in the maturation of the industry’s approach to cyber risk, because quantitative methods involve not just new technology but also a new mindset in how the cybersecurity challenge is approached. That mindset brings significant benefits across the cybersecurity function.

10% 20% 40%30% 50% 60% 70%0%

One or no security breaches last year requiring deployment of the

emergency response plan 14%12%35%

Five or fewer unpatched system or application vulnerabilities last year

12%24%36%

Five or fewer data loss prevention incidents last year

12%21%30%

Five or fewer critical open security vulnerabilities in

customer-facing products 19%31%44%

Less than 10 percent chance of suffering more than $1M in

cyberattack losses next year 23%48%66%

Discovered incidents in an average of less than one day last year

21%21%56%

Cybersecurity fines or penalties last year of less than $100K

29%24%49%

Using quantitative models today

Plan to use quantitative models by 2020

No plans to use quantitative models

Effects of quantitative risk measurement methods


Supporting Cybersecurity Across the Organization

An organization’s cybersecurity function, of course, does

not exist in a vacuum, but is affected by an organization’s

governance, controls and structure. At many of these

points, financial services firms are further ahead than

companies outside the sector — suggesting a stronger

“tone from the top” and coordination within the C-suite.

However, when looked at in absolute terms, financial

services firms still have room for improvement.

Financial services organizations lag significantly

behind firms outside the sector in one notable area:

having an independent audit function regularly

review the company’s risk appetite statement and

incorporate gaps into the audit strategy. Given that

most financial services firms have well-developed

audit functions, this should be a straightforward

shortcoming to address.

SUPPORT PROCESS FINANCIAL SERVICES

NON-FINANCIAL SERVICES

My company has appointed an executive with sole responsibility for ensuring information security. 46% 38%

Our HR department has a budget for recruiting, training and developing employees to improve cybersecurity. 39% 41%

The independent audit function regularly reviews our company’s risk appetite statement and incorporates gaps into the audit strategy. 34% 43%

My company has a cyber risk appetite statement approved by the board. 27% 18%

My company has appointed a data protection officer to oversee data privacy compliance. 24% 19%

The cyber risk appetite statement is part of our company’s enterprisewide risk statement. 18% 16%

The independent audit function regularly reviews our company’s risk appetite statement. 15% 12%

My company uses a third-party forensics provider. 13% 7%

16 · Protiviti

Recommendations

The way in which digital technology has permeated the business of the financial services industry means that

firms must guard their cyber assets with the same level of sophistication and care that they employ with more

traditional assets. Our survey suggests that the industry has a solid foundation from which to do so. Nonetheless,

there are clear action steps that can be taken to strengthen the cybersecurity function. We suggest starting with

the following:

01Financial services firms are doing well leveraging their risk assessment and management capabilities when it comes to identification processes, but there is noticeable room for improvement in the areas of governance and integrating the audit and cybersecurity functions at key points.

02Firms earlier in their cybersecurity journey should consider adopting some of the wider range of technologies adopted by more mature firms. All firms should examine both their infrastructure and the capabilities of their personnel to ensure that they are able to adapt to the next generation of cybersecurity threats and to adopt emerging technologies and methods for countering those threats.

03Firms that are not yet using, or have not yet made plans to use, quantitative methods for cybersecurity risk assessment should consider doing so. Approaching cybersecurity with a quantitative mindset brings a range of benefits that extend beyond better prioritization and risk-based decision-making.

04When considering how various trends might affect cybersecurity strategy, firms should not underestimate business trends. While there are several reasons why technological developments may dominate the discussion, business factors may cause equally significant shifts in vulnerabilities given the role digital now plays as a business platform.

05Financial services firms need to ensure that they are balancing their cybersecurity efforts across all five pillars of the NIST framework. Every cybersecurity function must deal with limited budgets and workforce; the legacy impulse to emphasize protection can result in critical shortcomings elsewhere. Further, it is critical to closely examine all elements of each pillar so that strength in some areas does not obscure weaknesses in others.


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Scott [email protected]

Ed [email protected]

Andrew [email protected]

Adam [email protected]

Thomas [email protected]

CONTACTS

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-1118-103128 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS UNITED STATESAlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort Lauderdale

HoustonKansas CityLos AngelesMilwaukeeMinneapolisNew YorkOrlandoPhiladelphiaPhoenixPittsburghPortlandRichmond

SacramentoSalt Lake City San FranciscoSan JoseSeattleStamfordSt. LouisTampaWashington, D.C.WinchesterWoodbridge

ARGENTINA*Buenos Aires

BRAZIL*Rio de Janeiro Sao Paulo

CANADAKitchener-Waterloo Toronto

CHILE*Santiago

COLOMBIA*Bogota

MEXICO*Mexico City

PERU*Lima

VENEZUELA*Caracas

EUROPE & MIDDLE EAST

FRANCEParis

GERMANYFrankfurtMunich

ITALYMilanRomeTurin

NETHERLANDSAmsterdam

UNITED KINGDOMBirminghamBristolLeedsLondonManchesterMilton KeynesSwindon

BAHRAIN*Manama

KUWAIT*Kuwait City

OMAN*Muscat

QATAR*Doha

SAUDI ARABIA*Riyadh

UNITED ARAB EMIRATES*Abu DhabiDubai

ASIA-PACIFIC AUSTRALIABrisbaneCanberraMelbourneSydney

CHINABeijingHong KongShanghaiShenzhen

INDIA*BengaluruHyderabadKolkataMumbaiNew Delhi

JAPANOsaka Tokyo

SINGAPORESingapore

*MEMBER FIRM

© 2

018

Proti

viti

Inc.

An

Equa

l Opp

ortu

nity

Em

ploy

er M

/F/D

isab

ility

/Vet

eran

s. P

RO-0

918

New Cyber Challenges Require New Strategies...The cybersecurity paradox Our survey uncovered an...

Documents

Transcript of New Cyber Challenges Require New Strategies...The cybersecurity paradox Our survey uncovered an...