The past year provided many lessons about how risky the digital world continues to be. The 2016 Data Breach QuickView Report from Risk Based Security stated that there were 4,149 publicly disclosed data breaches worldwide last year, exposing 4.2 billion records. That’s just the breaches that were made public; the total figure could be much higher.
The financial industry’s SWIFT (Society for Worldwide Interbank Financial Telecommunication) transaction system became infamous after hackers stole a Bangladeshi bank’s SWIFT code and used it to make a series of transaction requests, stealing $81 million. This was the most egregious example in the industry, but there are many more that point to the need for stronger cybersecurity measures.
Another big player last year in the cybercrime world was ransomware. In the first quarter of 2016 alone, there was an average of more than 4,000 attacks per day, according to Deloitte. That was a 300 percent increase from the 1,000 ransomware attacks per day the prior year. In fact, ransomware is now considered the top cybersecurity threat to the financial industry.
In a recent SANS Institute survey, 54 percent of responding financial services firms said they consider ransomware to be the biggest threat to their business. And more than 32 percent of financial firms said ransomware attacks have resulted in losses of between $100,000 and $500,000.
Cybersecurity, or the lack thereof, has become a headline issue, threatening financial institutions’ reputations and bottom lines. It is such a high-stakes game, in fact, that regulators are expected to take on a growing role going forward.
A New Push for Cybersecurity Laws and Regulations
There has already been significant action on the cybersecurity legislative front recently. In October of last year, the Group of Seven industrial powers (Canada, France, Germany, Italy, Japan, the United Kingdom, and the United States) agreed on guidelines to protect the global financial sector from cyberattacks. That followed various cross-border bank thefts at the hands of hackers.
The European Union has approved cybersecurity rules that force businesses to strengthen their defenses. The rules require banking, energy, and major tech companies to report attacks, and they require EU nations to cooperate on network security matters.
The EU’s General Data Protection Regulation (GDPR) has serious implications for any organization that processes the personal data of people residing in the EU, regardless of the company’s location. The financial sector must pay particular attention to this regulation because it processes a huge amount of personal data on a daily basis. Those that do not comply or that try but fall short of the GDPR’s stringent privacy rules face fines of up to €20m or four percent of the company’s global annual turnover.
Australia has a thriving IT industry, and the country has developed a national strategy through which government and the private sector are working together to address cybersecurity. Last year, it issued a white paper describing major risks and initiatives on this front.
U.S. states haven't waited for the federal government to act. At least 28 states last year considered or introduced cybersecurity legislation, according to the National Conference of State Legislatures. Most of these laws and bills address national infrastructure and governmental agencies. But some of them specifically target the interests of organizations, including financial services organizations.
For example, a new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. One of the three cybersecurity bills signed into law in California last year makes it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network. Utah has enacted civil penalties for hackers. And Washington State has established the Washington Cybercrime Act.
Diligence and Perseverance
Like these other proactive entities, the financial services industry can take part in the conversation with legislators and regulators who are forming new laws and regulations. Banks that may have historically only concentrated on compliance and aren’t involved in new cybersecurity discussions may want to start voicing their opinions and lending a hand in these efforts now, before cybersecurity regulatory decisions are cemented.
By the same token, regulators can get consultation from cybersecurity experts to ensure that they fully understand cybersecurity risks and the real capabilities of corresponding technical controls, as well as any possible unintended consequences of regulations written with too broad, or too narrow, a scope.
Both regulators addressing new cybersecurity risks and financial institutions participating in these conversations should make sure that they have at the table individuals who are well-trained and certified in all relevant cybersecurity topics. This will ground the conversation around the technical realities of the risks they are addressing, as well as the technical controls currently available to mitigate those risks.
In addition, financial service providers would do well to keep in mind that legislation lags three to four years behind the threats it addresses because of the drawn-out lawmaking process. Cybercriminals don’t experience this lag time, which means providers need to take a proactive approach and go beyond mere compliance with cybersecurity regulations. To make their organizations as secure as possible against the myriad cyberthreats, they must become as innovative and fast-paced in safeguarding their networks as the cybercriminals attacking them are.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.