Cybercrime within the financial services sector is evolving at the speed of innovation, sometimes outpacing the progress of cybersecurity. Cybercriminals often have the advantage as they are highly motivated and not bound by the many required compliance and regulatory mandates faced by financial institutions. In the fight against cybercriminals, threat intelligence can be a useful ally, enriching the process of audit and assessment, and providing proof of security controls enforcement that is required for security and compliance.
New cyber incident reporting rules issued by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) in November 2021 turn up the heat on U.S. banks in terms of quantifying and qualifying a compelling “security incident” or breach. The new rules require financial institutions to report a significant breach within 36 hours instead of the previous 72 hours. Financial institutions do retain some flexibility in the broadness of notification and greater analysis time on determination of an incident, but must inform its customers as soon as possible.
Recently the White House signed the Cyber Incident Reporting for Critical Infrastructure Act into law in March 2022. Among many changes, this law requires that some cybersecurity incidents must be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Ransomware payments must be reported within 24 hours.
These changes can drive some positive trends regarding how businesses manage and analyze their digital threat surface, as well as how they reduce the noise and distill the mountains of intelligence associated with profiling their enterprise for security.
Simultaneously, a flood of new data protection laws and regulations is continuously being introduced, evolving, and updated by a variety of different jurisdictions, all at a dizzying pace. The usual suspects, such as the European Union’s General Data Protection Regulation, the California Consumer Protection Act, alongside multiple national regulations in countries like Canada and Australia, are always being updated and refined.
For global companies in the financial services sector, constantly changing regulations make it increasingly difficult to stay on top of compliance requirements, maintain a strong security posture, and minimize risk.
Proactive vulnerability and gap analysis is key in helping companies meet the reduced timeframes for notification of a breach. Accelerated prioritization of security gaps can play a major role in helping to identify potential security incidents faster, or they can help identify a targeted attack before it takes place. Many cybersecurity regulations and compliance standards now also include vulnerability prioritization in their requirements. The easiest way to achieve and fulfill the vulnerability prioritization requirement is to proactively understand one’s enterprise assets to the point where security hot spots – or gaps – are revealed at a faster rate. If that awareness can be driven by the need to demonstrate alignment with a 36-hour breach reporting window, then it can have a positive effect on driving the needed change across the market.
One thing is for certain: the cyber attacks keep coming and they have a devastating impact on the businesses that are impacted. Since 2013, more than 14 billion global data records have been lost. In 2021 alone, more than 40.4 billion global records were exposed by cyber adversaries. The scope and value of personal financial data available online increases every day, it becomes a more enticing target for cybercriminals.
One lingering cybersecurity issue in the financial sector is the constant presence of aging and unsupported operating systems and software. As far back as 2019 one of the leading causes of data breaches in modern payment systems was – as it still appears to be – the failure to meet the critical requirement of properly prioritizing and addressing system gaps and vulnerabilities.
On top of the prevalence of antiquated software, the financial services sector (like most industries) also faces a lack of resources – both human and technological – to conduct external threat monitoring across systems and perform appropriate incident response.
Material risk-based cyber threat intelligence (CTI) can help financial companies remain in compliance while exploring up-to-date cyber threat protection and can help organizations find, respond to, and remediate cyberattacks before significant damage is done, while accelerating compliance and risk posture.
CTI can assist an organization in the following ways:
- Extending visibility – find and uncover all approaching external threats to data.
- Reducing liability – identifying threats that directly impact an organization and its compliance posture.
- Addressing resources – by using automated response and remediation.
The shortened window to identify an incident will no doubt endeavor to speed up the identification of an attack before it can proliferate across the enterprise and its integrated partners. It could also push banks to invest more time and possibly resources on how they measure their business process, their use of data, and find any of the gaps that could make those assets vulnerable. If the shortened notification drives banks to develop solutions that can identify security gaps faster, this could make its way into other industries and perhaps other regulations where similar themes are developing around analyzing and understanding the threat-scape faster.