Using technology might have boosted financial services firms’ efficiency, but the reliance on digital solutions has also opened them up to attacks from malicious outsiders.
From Travelex being forced to shut down its services for almost a month because of a ransomware attack to the Capital One breach compromising over 106 million accounts, the last 12 months provide several examples of why cybersecurity concerns should be top of mind for financial executives. As a matter of fact, a recent study suggests that 84% of business executives considered hackers one of their biggest concerns.
However, the threats are far from over. “Financial firms will be facing new threat vectors in 2020 which have evolved due to advances in technology, as well as many of the same threats from the last few years,” E.J. Yerzak, director of the cyber IT group at CSS, the RegTech company, told RegTech Analyst.
There are several cybersecurity risks businesses should look out for in 2020. For starters, financial firms are always at risk of being compromised because of their own employees. “Phishing and social engineering threats continue to top the list – primarily because people are still clicking links that they shouldn’t and divulging information which they shouldn’t,” said Yerzak.
He added, “[As] long as humans will be working for financial firms, social engineering will continue to be the number one risk. Hacking is often an opportunistic crime and hackers have learned that they do not need to spend significant time attempting to bypass firewalls and intrusion detection systems when they can simply ask employees to hand over the keys.”
These dangers have only grown with the rise of new technologies such as deepfakes. “Hackers will be looking to extort money from financial firms by claiming to have videos of C-suite executives saying or doing things they did not actually say or do and, in some cases, the hackers will actually have convincing fake videos,” explained Yerzak. “In addition, advances in AI may enable hackers to use snippets of one’s voice to mimic one’s voice patterns enough to socially engineer one’s contacts, clients, or financial professionals over the phone.” Understandably, then, 75% of cybersecurity professionals are wary of deepfakes.
This risk is only amplified by many cybersecurity departments being so busy putting out fires that they forget to properly train their employees on how to avoid falling for hackers’ attempts to gain access to their systems. Additionally, Yerzak pointed out that bring-your-devices-to-work schemes and the different systems that different parts of a company might have, especially if it has gone through a merger, create a perfect opportunity for outsiders to take advantage.
“This becomes a particular problem in 2020 because a number of global cybersecurity regulations, from the GDPR to the CCPA, impose significant penalties and data breach reporting obligations upon firms,” said Yerzak.
While cybersecurity is one of the hardest risks for financial leaders to manage, Yerzak stated that businesses can overcome this type of risk by doing continuous cybersecurity risk assessments to ensure the company stays abreast of any new risks. He also advised that financial services firms should make sure to properly train their staff about digital risks. Yerzak also advised firms to conduct vulnerability scanning and penetration testing periodically, implement multi-factor authentication wherever feasible and combine it with a password manager or password vault.
Yet social engineering and phishing attacks are not the only risks facing financial services firms. “The biggest cybersecurity threats for financial services firms in 2020 are the data loss and conduct risks presented by collaboration platforms like Zoom, Microsoft Teams, and Cisco Webex,” said Marc Gilman, general counsel and VP of compliance at Theta Lake, the RegTech startup.
“FINRA highlighted digital communications, including collaboration tools, as a key issue in its 2020 Risk Monitoring and Examination Priorities Letter. [Other] regulators are focusing on it as well. The record-keeping, supervision and conduct risks inherent in digital communications platforms are relevant across the regulatory spectrum including Regulation Best Interest, cybersecurity, technology governance and beyond.”
But why is this risk so big? “The rich feature sets of collaboration tools facilitate quicker, easier communication, however for financial services firms they pose corresponding information exfiltration and leakage risks,” said Gilman.
“Collaboration tools allow financial professionals to display prospectuses over webcams, conduct whiteboarding sessions to share account information, transfer sensitive customer information over file shares, and engage in one-to-one and one-to-many chats. Collaboration applications pose serious risks as enterprise subscriber adoption is increasing by 57% year-over-year, and firms are using these tools to allow financial advisors to communicate directly with clients and prospects. Rapid growth coupled with an increased risk surface means that firms must focus on compliance in 2020.”
Luckily, Gilman believes financial services firms can address that risk by utilising collaboration compliance platforms, such as the one provided by Theta Lake. “Sophisticated tools go beyond basic transcription searches employing machine learning and natural language processing to analyse content and surface risks at scale,” he said. “These RegTech tools permit efficient and consistent analysis of risks like leakage of PII and customer data while also identifying where employees are making investment recommendations or are engaged in conduct requiring supervision under Reg BI or FINRA rules.”