By Lindsey Watson, LexisNexis® Knowledge & Research Consultant
Every business is a potential target of cyberattacks, but banks and financial services companies are squarely in the crosshairs of cybercriminals because the industry presents bad actors with huge possible revenue prizes.
Research by BCG found that financial services firms are 300 times more likely to be the victim of a cyberattack than other organizations, and an Accenture report found that the average cost of cybercrime for financial services is 40% higher than for all other sectors.
The problem is also growing fast: the banking industry saw a 1,318% increase in ransomware attacks in 2021, according to Security Magazine.
“As the financial system relies more heavily on fintech, the risk that significant cybersecurity incidents targeting financial institutions increases substantially,” according to the Cybersecurity Risks in Banking practice note from Practical Guidance. “Cyberattacks and hacks can prevent individual financial institutions from delivering products and services, undermine consumer confidence in banks and financial services companies, and impact U.S. financial stability due to the inter-connectedness of the financial system.”
Few industries invest as much time and money in cybersecurity risk management as banking and financial services. Those efforts tend to start with building an understanding of offensive threats, which means reviewing and analyzing the attack vectors an institution is exposed to: social engineering, denial of service attacks, viruses and other malware, spyware, adware and tracking cookies, and spam.
“After an organization has taken the proper steps to understand offensive threats to their cybersecurity, the next task you will need to perform to safeguard your websites and IT departments from malicious attacks is to consider defensive tactics and prevention methods,” said Annmarie Giblin, data privacy and security partner at Hinshaw & Culbertson, who concentrates her practice on the legal issues surrounding cyber, privacy and insurance.
Giblin is the author of “IT Systems and Websites Checklist (Preventing Attacks),” a special report published by LexisNexis® Regulatory Compliance for its Cybersecurity Module. The module provides guidance on an organization’s cybersecurity requirements to safeguard their daily operations, assisting in the development of an organization’s compliance framework, addressing risks and rectifying non-compliance.
In the report, Giblin advises five key defensive tactics and prevention methods:
Protect Integrity of System
Protecting system integrity means considering physical security as well as technical security. Review and analyze both the physical and the technical security perimeters of your information systems, and confirm that the controls on each are actually in place.
Control Human Access to System
Controlling which people have access to the system is a key step in preventing malicious attacks. This involves implementing authentication policies and password controls, limiting what employees may do in the browser, and limiting the information that is gathered from, or shared to, social media sites.
Analyze Legal Resources to Known Attacks or Threats
Review the remedial provisions of any applicable laws so that you can properly assess the legally required responses to known attacks or threats. This includes federal legislation (e.g., CAN-SPAM, the Gramm-Leach-Bliley Act, HITECH) as well as state laws applicable to data breaches and data security.
Analyze Compliance Status
Another key action item is to review and analyze the status of your organization's compliance with security requirements under state, federal and non-U.S. law, as applicable. This review should also cover security requirements imposed by commercial agreements or trade association rules.
Implement Security Protections in Legal Services
Be sure that all consultants, contractors and other vendors that work within the organization have a clear understanding of the security procedures they are contractually required to follow. For example, implement a contractual requirement that, where work is done for hire, deliverables become the sole property of the company once the work is completed, and that all relevant information and data must be returned to the organization. Develop a document tracking system for documents that leave your control while service vendors are performing their work. Obtain appropriate representations and warranties from vendors regarding compliance with all legal and commercial requirements. Finally, consider requiring vendors who will have access to the organization's systems and data to maintain a cyber insurance policy.
“It’s important to engage with IT staff throughout the implementation of each of these five methods as you develop policies and procedures,” advises Giblin. “Conduct regular employee training on cybersecurity best practices, common scams and procedures, and how to report and mitigate incidents or IT mistakes. Moreover, keep a document trail of these trainings in case the organization needs to show proof for compliance purposes, and include all procedures in employee handbooks for related disciplinary procedures for employees who regularly ignore such rules and trainings.”
To support the activities required to maintain a strong cybersecurity compliance framework, some organizations use Governance, Risk and Compliance (GRC) or Enterprise Risk Management (ERM) software. These platforms help businesses mitigate risk by defining, implementing and monitoring company-wide compliance strategies. The capabilities of GRC or ERM software can be augmented with LexisNexis Regulatory Compliance.
LexisNexis Regulatory Compliance combines regulatory content with technology to empower you to take control of your compliance obligations in the face of ongoing change. The tool allows corporate compliance professionals to assess their company’s obligations based on the current legislative framework, then delivers that information in easy-to-apply business language drafted by leading attorney-authors. Streamline your compliance management with checklists, decision trees and policy templates available from LexisNexis Regulatory Compliance.
Request a free demo of LexisNexis Regulatory Compliance.