Ransomware hacks are becoming an unfortunate fact of life for organisations in both the private and the public sphere. Virginie O’Shea, research director of Aite Group’s Institutional Securities and Investments division,and Alissa Knight, senior analyst for the firm’s new cybersecurity practice, discuss the tools and strategies financial institutions are implementing to protect themselves from today’s growing cyber threats, the challenges they face with regards to finding the right senior talent, as well as the increased scrutiny firms can expect from regulators to prove they are taking these threats seriously.
Cyber threats have evolved since 20 years ago, when the principal aim was website defacement. Back then, organisations were more vulnerable around the perimeter and hackers would focus on attacking web servers. Today, organisations tend to have a harder exterior. It is much more difficult to penetrate the external defences and so hackers have changed their objectives to focus on capturing data via ransomware.
Data is the new currency, and hackers are looking to monetise the data they are able to steal – an identity is worth $50-$75 on the black market. Hackers are targeting data like personally identifiable information (PII), payment card information, and protected healthcare information via ransomware and other tactics. Hacking has become a multibillion-dollar industry.
CCPs, CSDs, exchanges, PR firms, broker dealers are all key targets
From the capital markets perspective, there is a lot of concern that criminals are targeting exchanges, central counterparties (CCPs), and central securities depositories (CSDs) – the centralised market infrastructures, where they can do the most damage. By successfully hacking one of these organisations, hackers could take a whole market down, leading to many unprofitable business hours.
With regards to stealing information, insider trading has always been a problem within the financial services industry. Hacking is just another way of getting information ahead of the market.
PR firms can also be targeted for IPO information before it hits the wires. And sell-side firms must be concerned about the compromising of proprietary trading algorithms, which would be devastating for a broker dealer. Beyond the threat posed by criminals, industrial espionage, whereby state actors or competitors steal trade secrets for their own advantage, is also a real problem.
Firms look to improve IT risk frameworks
Financial institutions and their Chief Information Security Officers (CISOs) are focusing on improving their IT risk management frameworks. Cyber security should be like an onion – with multiple layers around the core that needs protecting. Throwing money at the problem, or jumping on the latest new technology fad, however, is not enough. Often CEOs or CISOs demand new investment in things like artificial intelligence (AI) or machine learning (ML), because they are hearing a lot of buzz about it, but they do this without any real strategy. It is important to know what exactly they are trying to protect and then build their defences like the layers of an onion around it.
In 2019, firms are starting to wrap their security programs within a formal management system. The International Organization for Standardization (ISO) provides an information security management system for IT risk, called ISO 27001. This security framework features 144 security controls firms can use to measure themselves against industry standards. It does not tell firms what controls they need or what technology to buy, but it gives CISOs an idea what security control categories to implement, monitor and continuously manage over time. (Read more here)
Finding suitably qualified senior engineers can be a challenge. There is a global talent shortage in the cyber security space, and to address that shortage, some organisations are increasingly looking to vendors to provide solutions to remove humans from the equation and automate what have previously been manual processes.
AI technology plays a major role, but must be deployed strategically
AI and ML are being implemented into many solutions to reduce the noise created by security controls. Distributed ledger technology will also be big in the coming years. With data being the new currency, organisations realise they need to protect it, track where it moves and make sure that certain data does not leave the organisation.
Managing data at rest (inactive data stored in databases, data warehouses, spread sheets etc), in transit encryptions, and security orchestration and response will all be big trends in 2019 and 2020, as will breach and attack simulation (BAS) solutions, which identify vulnerabilities in the network and exploit those vulnerabilities to prove they are real. False positives are a real problem in organisations today. BAS solutions can help firms prioritise which vulnerabilities should be remediated first and eliminate the false positives, by proving to the organisation that identified vulnerabilities are indeed exploitable.
The SEC recently established a chief risk officer role under the COO to strengthen cyber risk management (Read press release). Financial institutions will come under increasing pressure from regulators to prove they are also investing in this area and that they have robust systems and processes in place. Regulators are particularly concerned that financial institutions should become better at sharing information about threats in a timely manner.
With the advent of the EU’s General Data Protection Regulation (GDPR) and similar regulations in various US states, we will see more regulations mandating the protection of PII and regarding the protection of credit card information in the future. As has become evident with GDPR, they will likely come with stiff penalties for firms that violate privacy rules.
Many firms currently have poor cyber hygiene practices and there needs to be more discussion about this within firms. Smaller players in particular are far behind the larger players, but all firms need to foster a greater degree of responsibility and governance in cyber security.
Alissa Knight is a senior analyst with Aite Group’s cybersecurity practice. Ms. Knight covers cybersecurity in financial services and healthcare, serving as a thought leader and trusted advisor to financial institutions, established technology vendors, startups, and venture capital firms. She provides actionable recommendations to clients by producing research papers, speaking at conferences, interacting with clients, and leading consulting engagements as a purveyor of research and advisory services on the contemporary IT risk management topics that matter most.
Ms. Knight’s most recent research has been in the cybersecurity of point-of-sale systems, data loss prevention, artificial intelligence, IT risk management frameworks, and identity access management.
Most recently, Ms. Knight was the group managing partner of Brier & Thorn, where she was responsible for U.S., Europe, and Asia operations, and headed its connected car cybersecurity practice. She has worked in cybersecurity for over 18 years as a penetration tester and incident responder, is a published author, and has started and sold two previous cybersecurity startups before launching her own venture capital fund.
Ms. Knight is currently attending Temple University’s Fox School of Business in pursuit of a degree in Economics.
Virginie O’Shea is a research director with Aite Group, heading up the Institutional Securities & Investments practice and covering data management, collateral management, legal entity onboarding, and post-trade technology. She brings to the firm more than 13 years of experience in tracking financial technology developments in the capital markets sector, with a particular focus on regulatory developments and standards.
Ms. O’Shea has spoken at industry conferences including Sibos, TradeTech, FISD events, and ISIPS, and is actively engaged in a number of post-trade industry standards groups.
Most recently, Ms. O’Shea was managing editor of A-Team Group’s flagship publication,A-Team Insight, where she covered financial technology from the front to back office, including trading technology, market data, low latency, risk management, regulatory impacts on IT, and reference data. During her time at the firm, she was heavily involved in planning risk and data management events and creating multimedia offerings, including podcasts, webinars, and video interviews. Prior to this, Ms. O’Shea was group editor of Investor Services Journal and Alternatives magazine, focused on the asset servicing and buy-side communities. Before that, she was editor of STP Magazine and online service stpzone.com, where she focused on financial technology in the capital markets.
Ms. O’Shea holds a Master’s degree in English Literature from the University of Edinburgh.