06:00 AM
Increasing Cyberthreats Pose Massive Challenge for Financial Firms
Challenge: The frequency and intensity of cyber attacks on financial institutions has increased exponentially in the past 12 months. In addition, the financial losses from cyber attacks have reached into the billions. Financial services organizations need to increase cyber vigilance, share threat information, and work to detect breaches more quickly.
Wall Street & Technology's Capital Markets Outlook 2015
Here are 10 topics that will be a focus for financial institutions in 2015 and beyond:
- Technology Innovation Returns to Financial Services
- Global Banks Need to Demonstrate RDA Progress in 2015
- Where Should You Spend Your IT Budget in 2015?
- Financial Firms to Struggle With Growing Social Infrastructure in 2015
- As Market Matures, Fintech Startup Winners Will Emerge in 2015
- Universities Increasing Programs for Data Scientists
- Next Year, Aim for Communication & Clarity of Cloud Apps
- E-Trading Disruptors Seek Untapped Liquidity in Corporate Bonds
- Swap Markets Debate Anonymous Trading in SEFs
- Market Structure Change Is Coming (Jan. 7)
- Cyber Security: Battling Increasing Threats (Jan. 8)
Why it’s important: Data security has always been an important topic for financial services. Protecting a client's data, or information used to make investment or trading decisions, is the highest priority. If a client can’t trust a financial firm with its information, the company will be out of business. Today, however, the threat from cyber attacks is increasing, and the hackers are more organized, well funded, and sometimes sponsored by other nations.
Global IT security spending will increase almost 8% to nearly $77 billion in 2015. – Gartner
Where the industry is now: In fact, data security has been one of Wall Street & Technology’s top Outlook topics for five of the past seven years. No other topic -- low latency/HFT, cloud, big data, social networking, risk management, or analytics -- has appeared in WS&T’s annual Capital Markets Outlook feature so many times.
That said, the cyberthreat facing financial institutions is greater today than it has been at any time in the past. Banks report being probed for weaknesses continuously. "Continuously" may sound ominous, and it is. Banks are fending off attacks or detecting probes looking for weaknesses almost every minute of every day.
In 2014, data security and combating cyber attacks moved from a technology and CISO (Chief Information Security Officer) topic to an executive and board-level issue. Why? Simply put, the volume, scale, and financial losses due to attacks skyrocketed. Here are a few data points about the increasing severity of data breaches:
- Cost per attack: According to the Ponemon Institute, the cost of successful cyber attacks increased to $20.8 million per financial services company in 2014.
- JPMorgan hack: JPMorgan was hacked in June but didn’t detect the attack until August, resulting in the exposure of the personal information of 76 million households and 7 million small business customers.
- Larger attacks: The hackers who stole data from JPMorgan also zeroed in on 13 other financial players, including Citigroup, HSBC, E*Trade Financial, Fidelity Investments, Regions Financial, and Automatic Data Processing (ADP).
- 500 million records: In the 12 months prior to October of this year, 500 million financial records have been stolen by hackers, according to the FBI. Approximately 35% of the data thefts were from website breaches, and 22% were from cyber espionage, said the FBI.
- Targeting target: The retailer Target reported a mega data breach in December 2013. In all, data on 40 million credit cards and information on 70 million customers was stolen, costing the company $1.5 billion.
Focus in 2015: As the number of cyberthreats continues to increase, it has become apparent that the largest losses come from attacks that were not quickly detected. For instance, FireEye, a cyber security provider apparently notified Target of the breach on November 30 and December 2, 2013, but Target missed the notifications and didn’t react to the infiltration until the US Department of Justice contacted the retailer in mid December of that year. Home Depot, which has had 56 million cards compromised, was infiltrated over five months before the home improvement retailer discovered the breach.
Financial firms also need to do a better job of sharing security threat information. Just as law enforcement agencies now share crime information, banks, exchanges, regulators, and law enforcement also are now sharing threat data. FS-ISAC, the Financial Services Information Sharing and Analysis Center, is the global financial industry’s information sharing resource. FS-ISAC is owned by its bank members but partners with government regulators and law enforcement.
Finally, regulators and law enforcement agencies are worried about the changing nature of cyber attacks. Increasingly, attacks seem to be looking for weaknesses in the nation’s critical infrastructure instead of attacking purely for monetary gain. For instance, an attack that disabled a stock exchange’s trading systems could wreak havoc in the markets. Similarly, compromising an Automated Clearing House (ACH) network would have immediate implications for businesses and individuals who could not process payments.
Regulatory outlook: Regulators, including the Securities and Exchange Commission (SEC), the Federal Financial Institutions Examination Council (FFIEC), the US Treasury Department, and The New York Department of Financial Services have all announced guidelines for cyber security exams or increased cyberthreat sharing programs. The FFIEC completed a review of 500 banks in the summer of 2014. The US Treasury created the Cyber Intelligence Group, which shares cyber security information with the financial sector. The SEC says its cyber security and resiliency exams will be part of the regulator's normal evaluations. The New York Department of Financial Services’ announced exams will be tougher than federal regulators'. For example, the New York exam requires banks to submit documentation showing the qualification of their CISOs.
Price tag: According to a PricewaterhouseCoopers study, the average financial loss to a hack in any industry is $2.7 million. With the increase in losses, Gartner reports that global IT security spending will increase almost 8% to nearly $77 billion in 2015. Financial services organizations, on average, drastically raised their cyber budgets in 2014, and many analysts are expecting increases in 2015, although not as large a percentage as during the past 12 months.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology. View Full Bio