Financial institutions are in the unenviable position of being exposed to the full spectrum of cyber-threat actors: amateur hackers like “script kiddies” who use off-the-shelf tools to vandalize websites, “professional” hacktivists protesting against a symbol of capitalism, organized crime looking to raid “virtual” vaults, and state actors interested in disrupting a competing economy. Because the Internet has no borders, geographical distance offers no protection against any of these actors, who may be based anywhere in the world, and a single piece of malicious code can spread at unprecedented speed (NotPetya being an obvious example).
To show how easy it is for a bad actor to gain access to critical information, the Willis Towers Watson Financial Institutions team hosted security expert Jamie Woodruff, frequently described as Europe’s “number one ethical hacker,” as part of their roundtable series. Jamie gave various demonstrations, taking control of people’s mobile phones and showing members of the audience their recent credit card spending.
The critical takeaway from Woodruff’s demonstrations was that cyber risk goes well beyond tricks or scaremongering. These were examples of real threats that are being used against people and companies every day.
The average cost of a data breach is now nearly $4 million, up 6.4% from the prior year, according to IBM and Ponemon Institute’s 13th Annual Cost of a Data Breach study. Data breaches now represent a notable capital exposure for boards of directors. Financial institutions generally incur a higher annual cost of cyber-crime than any other industry: $16.5 million on average, according to another Ponemon Institute report. And this doesn’t include the potential regulatory fines — although we have yet to see the extent to which they will be imposed.
Luckily, cybersecurity at most financial institutions is relatively mature compared to other sectors, largely because their exposure is so much broader. As a result, attackers have turned to the supply chain, the soft underbelly of an otherwise hardened target: law firms, building infrastructure suppliers and accountancy software suppliers (the route NotPetya took). Similarly, as the technology itself has become more secure, the human user has become a primary target.
But it’s a tech issue (isn’t it?)…
As systems are increasingly hardened through patching and segregation, the human user becomes the softest point of entry, whether through negligence or malicious intent.
Through his demonstrations, Woodruff also highlighted the shift away from technical exploits toward cultural vulnerabilities, commonly referred to as social engineering, and gave several examples in which he gained access to secure buildings, infrastructure and sensitive data. The rise in social engineering fraud is consistent with our own experience and is borne out statistically in our claims data as well (see our recent blog post on social engineering fraud against financial institutions).
Employee education and awareness training is clearly a fundamental way of reducing this risk, and is as important as keeping up-to-date antivirus software on your systems. However, protection against social engineering needs to go further. Guarding against it effectively requires understanding an organization’s culture, at both the macro and micro level, in order to identify the root causes and indicative traits of cyber risk, and then implementing more innovative, bespoke measures that address the organization’s particular needs.
New solutions such as our Cyber Risk Culture Survey were created through decades of cultural data analysis to provide a clear, quantified understanding. Not only does this provide a current understanding of cultural and associated cyber risk but also wider value to operations, HR and other key departments. It also provides evidence to understand the return on investment from controls and campaigns being implemented.
The risk is also manageable
Although cyber risk may seem novel, the wider enterprise risk management (ERM) framework already in place is as relevant to cyber as it is to other risks. There are, of course, nuances to cyber risk (for example, unlike a fire or earthquake, a single cyber event can affect multiple offices across the globe concurrently), but it should still be considered through the lens of ERM.
This, in turn, will inform senior management and the board, for whom the breadth and depth of cybersecurity is a key concern. Whether an established financial services organization or a Fintech start-up, the board should have a clear and holistic view of both cyber risk mitigation and risk transfer.
Such a view enables stakeholders to communicate cyber risk in a language familiar to risk owners and the board, while supporting the decisions needed to allocate resources efficiently, reduce risk and fold mitigation into the wider ERM framework.