Financial services companies contribute £130 billion per year to the UK economy. A huge bucket of revenue, but one that is increasingly threatened by cybercriminals. A November 2020 survey revealed that 62% of financial service providers suffered a breach in the previous twelve months, with the Cabinet Office estimating close to £2.5 billion in financial services revenue lost to security breaches every year.
The financial services industry is an enticing prospect for attackers, and it’s easy to see why. Typically, firms hold vast swathes of customer money and sensitive data. Moreover, the documents they process regarding ongoing deals can be invaluable to competitors or enable share purchases based on ‘insider’ information. Additionally, a Varonis research report indicates that the average employee in the financial sector can access a staggering 11 million files. Almost two-thirds of FS companies additionally have over a thousand sensitive files available to every single employee – without restrictions.
The combination of highly valuable data and widespread access gives attackers clear motivation and has led to major sector breaches in the recent past. In 2017, London-registered Deloitte suffered a breach after an attacker gained access to an administrator account that sources said required no multi-factor authentication. The Bank of Ireland, meanwhile, was fined €1.6m in 2020 for a series of historical breaches.
With the mass shift to home working in the UK, the risks are continuing to rise. Since the increase in remote work, 40% of UK financial services firms say they’ve noticed a rise in cyberattacks. The hurried adoption of new technologies, lack of onsite IT support, and poor security practices are all likely to have contributed to this rise.
While there is no easy fix for the security challenges financial services firms face, they should, at a minimum, ensure they can confidently answer the following questions if and when they are asked:
How are you protecting your firm’s data?
Firms must have a robust data protection policy in place for both customer and internal information. Financial services companies should have controls like email encryption, multi-factor authentication, and conditional access in place, but a wider security strategy that acts as a company-wide guide is vital.
What is your response strategy for a customer information breach?
As well as preventative measures, employees should know how to respond in a worst-case scenario. They should assume a breach will happen at some point and be able to refer to specific incident response protocols in order to contain, report, and respond to threats.
Regardless of their seniority, employees should know who to contact if data is lost, who is responsible for informing clients, and when and how they should take remedial action. A widespread understanding of breach protocol will ultimately lead to less damage and a smoother recovery.
Do you have a robust cyber insurance policy?
A cyberattack not only damages reputation – it could come with fines, litigation costs, settlements, investigation costs, and more. Firms should hold a good-quality cyber liability insurance policy that clearly outlines the situations it covers. If you follow the recommended security philosophy that a breach is inevitable, it only makes sense to know your insurance plan inside out.
Can you prove regulatory compliance?
Regulatory compliance is naturally essential for the financial industry, and firms should comply with the Financial Services and Markets Act (FSMA) and the requirements of the Information Commissioner’s Office (ICO). They may also have to answer to other bodies and institutions such as the DCA, PRA, and FPC, depending on their activities.
FS firms should be able to prove that they’re compliant with the associated regulations – being able to do so makes customer data more secure and strengthens your reputation and reliability.
When was your last penetration test?
Though having strong answers to the questions above is sure to increase security and resilience, there’s still only so much businesses can do alone. Those in the financial industry should commission regular penetration tests to check the strength of their security and subsequently find and fix any weak areas.
The financial services sector has historically been a key victim of cybercrime, and the shift to a remote workforce is only making the sector a bigger target. Now, more than ever, financial companies must have robust data protection strategies, breach protocols, cyber insurance policies, and regulatory compliance.