In this contributor article, David Copland, Vice President at Duff & Phelps’ Kinetic Partners division, discusses cyber security and whether financial firms are acting fast enough to defend themselves from potential attacks.
The cyber security regulations and guidelines promoted by the Securities and Futures Commission (SFC) of Hong Kong and the U.S. Securities and Exchange Commission (SEC) so far seem to have had only a minor effect on the activity of banks, asset managers and hedge funds, as all are yet to actively address the issue. Indeed, a study conducted by Risk Based Security, a leading information technology solutions provider, revealed that there were 904 million records exposed and 1,922 data breaches reported within the first nine months of 2014. This figure has since grown, and several high-profile breaches at companies including Sony and Target highlight why companies should take action before similar breaches become a reality for their organisation.
Many firms fail to take preventative action in this area, as the majority have never experienced a significant cyber security breach themselves. However, as the potential for a cyber-attack is now inexorably higher, it is vital that companies keep their employees trained and informed. The majority of cyber losses occur at a fairly low-tech level, with the authentication of computer user accounts a particularly vulnerable area for companies’ cyber security. Fixed security questions for password resets on web-based applications represent a particularly weak link, with answers relating to pet names and the like uncovered with relative ease. By strengthening basic security controls like these, companies could significantly limit the risk of cyber attacks. It is also vital that companies ensure their firewalls, anti-virus and site advisor programmes are regularly updated.
It is vital that companies ensure their firewalls, anti-virus and site advisor programmes are regularly updated.
However, it is unwise to rely on such basic protection alone, and firms should prioritise their investment in security measures and technologies that will help to reduce the risk of attack. The costs of adequate cyber defence and infrastructure are next to nothing when one considers the extent of damage that could result from indifference to such security measures. Inaction would not only trigger warnings or fines from the regulator, but could more severely harm the business through loss or theft of information. Should the security breach then be made public, this could cause irreversible damage to a company’s reputation.
Subsequently it is important that CEOs, COOs and senior management are made aware of potential cyber threats and their consequences. A service attack can quickly overwhelm your IT network by consuming all of its capacity, thus rendering all your IT assets effectively unusable and paralysing business activity. Meanwhile, cyber espionage works by scanning your network to unearth sensitive data and transfering it to the public domain. Incidents like these tripled during 2014, damaging reputations and future business opportunities. Internal theft must also be considered, since this activity can be similarly severe, especially in cases where information on intellectual property is stolen via USB or email and once again revealed to the public.
The multiplicity of these threats leaves firms assuming that complex defence technology solutions are required. However, there are numerous quick preventative measures that defend against 99% of network security threats, such as a review or update of the configuration status of your operating system, your security software and the enforcement of security procedures. In order to address the remaining 1% of truly dangerous threats, various security principles and solutions can be implemented, including stronger authentication methods, data loss prevention software, more robust data encryption techniques and dedicated intrusion detection systems.
Ill-informed firms risk overspending
The SFC published a circular that supported the SEC’s alerts on cyber security, highlighting that registered entities desperately need to address the matters flagged by the regulators for priority review. As the number of cyber threats continues to grow, failure to do so is a dangerous strategy. It is not enough to simply defend against yesterday’s attacks. Businesses now need to shift their focus to the proactive identification and management of security threats and vulnerabilities that relate to their particular business. Ill-informed firms risk overspending – often in the wrong areas – leaving both their finances and security destabilised, since certain facets of their company remain exposed to cyber crime. As such, firms must implement and enforce appropriate security procedures and policies, as well as the right security technology, to mitigate these threats in a financially reasonable manner.
Drawing on industry guidance by the National Institute of Standards & Technology (NIST) and the Office of Compliance Inspections and Examinations (OCIE) in the U.S., financial services firms can assess a business’s biggest security threats by implementing a comprehensive gap analysis and subsequently applying a risk-based approach to identify the key cyber security threats. This involves performing an IT threat and vulnerability pair risk analysis, already enforced by the Monetary Authority of Singapore (MAS). This means that firms are able to defend their key assets online whilst building a thorough business security strategy that satisfies the regulators.
It is certainly advisable that business expenditure should increase across the cyber risk management field. Adopting a risk-based security strategy, including a comprehensive security gap analysis, whilst adhering to international standards, remains the best solution for firms looking to successfully strengthen their cyber security. Above all, it is in a business’s best interest to place themselves in a position where they can better protect their clients, their trading data, and their portfolio information assets.