Malicious hackers often have one thing in mind: stealing sensitive data for financial gain. So, what better industry to target than the financial services industry? There’s ample money, systems likely riddled with unknown vulnerabilities, and employees who just aren’t aware of how pervasive today’s cyber threats really are. Because the financial services industry is fueled by large amounts of sensitive data, organizations need to be cognizant of all of the cybersecurity challenges they’re up against. Why? Because at the end of the day, there are two types of financial services organizations: those that have already been breached and those that will be breached.

What Cybersecurity Challenges Does the Financial Services Industry Face?

There is a plethora of cybersecurity challenges that the financial services industry faces on a day-to-day basis. However, we believe that these top four cybersecurity challenges must be made a priority when securing your business.

1. Meeting Regulatory and Compliance Requirements

The financial services industry is heavily regulated by federal and state agencies, but it also must comply with a number of international regulations that can often be complicated to understand. In fact, over the last two years, the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23 went into effect, the US Securities and Exchange Commission (SEC) issued interpretive cybersecurity guidance, the National Cybersecurity Center of Excellence (NCCoE) released the NIST Cybersecurity Practice Guides SP 1800-5, SP 1800-9, and SP 1800-18, and 24 US states passed bills or resolutions related to cybersecurity – all impacting the financial services industry. This is not to mention international developments such as the European Union’s GDPR, China’s Cybersecurity Law, the establishment of the Cyber Security Agency of Singapore, and Brazil’s Resolution No. 4,658. Given that those in the financial services industry often deal with a mix of domestic and international clientele, meeting regulatory and compliance requirements is non-negotiable, and organizations must perform their due diligence to ensure that they are in compliance.

2. Third-Party Relationships

Many financial services organizations rely on third-party vendors to carry out some of their business functions. This means that the sensitive data – such as names, email addresses, phone numbers, Social Security Numbers, credit and debit card numbers, and bank account information – that is given to a vendor may not have the same safeguards that you have in place. Because of this, managing vendor risk is a critical challenge the financial services industry faces. What would happen if a third-party mailing service inaccurately packaged envelopes, leaving your clients’ bank account numbers visible from the address window? How would your clients be impacted if a third-party vendor exposed their credit score numbers? Would your organization recover?

3. Insider Threats

Like most other industries, the threat of internal personnel causing a data breach or security incident is one of the top challenges those in the financial services industry face. Whether through malicious intent or an unintentional error, if your employees are not vetted and trained properly, it’s likely they’ll cause a data breach. Do your employees know how to identify a phishing email? How sure are you that they wouldn’t fall for a social engineering attempt?

4. Technology Advancements

As technology continues to develop and we move more towards a cashless society, it’s critical that those in the financial services industry consider the challenges of securing things like mobile and web applications. Whether it’s using PayPal, Venmo, CashApp, Apple Pay, or checking your account balance online, using mobile and web applications has become second nature to users, but they’re easily compromised by malicious hackers. Are you sure that your organization’s mobile application is secure? Could a hacker infiltrate your web application and cause a data breach?

What’s worked in the past when it comes to your organization’s cybersecurity hygiene may not be what’s needed to stay abreast of the cybersecurity challenges you’re facing today. Contact us today to learn more about how KirkpatrickPrice can help you overcome these top challenges for the financial services industry.


The growing cyber threats across the globe are a sobering reminder that no matter where you’re located, hackers will find a way to exploit your business – or worse, an entire city. Cities all over the US, including major metropolitan areas like Atlanta, San Francisco, and Dallas, have all experienced some type of data breach or security incident, heightening the urgency for cities to place more of an emphasis on their cybersecurity initiatives. While municipal governments are faced with improving education, decreasing poverty levels, and improving their city’s economy, cybersecurity can easily get put on the back burner. However, the reality of advancing cybersecurity threats has people around the world asking, where are the most cyber-secure cities? Which cities are taking cybersecurity the most seriously?

How to Make a Cyber-Secure City

When it comes to being a cyber-secure city, there are a few key components that come into play:

  • Financial Investment: Investing in cybersecurity is not cheap. In fact, many cities – especially smaller cities – are often targeted by malicious hackers because they don’t have the funds to invest in or create a robust information security program. Considering this, cities where large venture capitalists and investors are likely to reside help fuel cybersecurity awareness and establish strong cybersecurity programs.
  • Research and Development: The threat landscape is ever-changing and malicious hackers continue to be creative and cunning. Cities that are cyber-secure will be hubs for research and development of new cybersecurity best practices and initiatives to combat these increasing threats.
  • Cybersecurity Personnel: There is a deficit of nearly 2 million cybersecurity professionals around the world. Cyber-secure cities will be those that can attract cybersecurity professionals by providing ample housing, funding, and competitive job opportunities.

Best Cities for Cyber Security in 2019

1. New York City, New York

New York City is a well-known hub for the financial services and banking industry, but there’s so much more to the city than Wall Street. In October of last year, the New York City Economic Development Corporation (NYCEDC) recognized this and put plans into action to establish Cyber NYC, an initiative dedicated to growing New York City’s cybersecurity workforce, helping companies drive innovation and business development, and building networks and community spaces. Made up of six unique efforts, Cyber NYC helps position New York City as a cyber-secure city because of its focus on financial investments to grow cybersecurity awareness, research and development of cybersecurity attacks and best practices, and booming economy that will attract cybersecurity professionals.

2. Silicon Valley, California

While Silicon Valley has established itself as the tech start-up capital of the world, it also has all of the key components to make it one of the most cyber-secure cities. Not only have some of the world’s most advanced technologies grown out of Silicon Valley, there are ample venture capitalists, entrepreneurs, researchers and developers, and a burgeoning economy to attract cybersecurity professionals. In addition to this, the state of California recently introduced the California Consumer Privacy Act (CCPA), giving consumers in California more control over how their personal data is used. California’s focus on ensuring the privacy and security of consumers’ data, in conjunction with the growing technology industry located in Silicon Valley, helps position it as a cyber-secure city.

3. Boston, Massachusetts

Though not quite up to the same caliber as New York City and Silicon Valley, Boston is quickly positioning itself as one of the United States’ most cyber-secure cities. With both Harvard and MIT located within the city, there’s no shortage of cybersecurity research and development, financial investors, or cybersecurity professionals.

4. Tel Aviv, Israel

Given Israel’s geographic location, advancing security threats, growing start-up scene, and reliance on military intelligence, it’s no wonder that Tel Aviv is one of the most cyber-secure cities. In fact, Tel Aviv and its innovative businesses have positioned themselves as leaders in the cybersecurity industry – the founders of Cyber NYC even went so far as to choose Israeli partners to establish their Global Cyber Center innovation hub.

5. London, United Kingdom

London’s cybersecurity initiatives are some of the most robust of their kind in Europe. Similar to Cyber NYC, London’s cybersecurity startup accelerator, Cyber London, or CyLon, is dedicated to helping businesses develop information security technology and products, furthering the city’s focus on cybersecurity. London is also home to some of the world’s most prestigious universities and research facilities, making it an attractive hub for cybersecurity professionals. All in all, London is an up-and-coming cyber-secure city.

Whether located in the United States or across the globe, cyber-secure cities are continuing to develop at a rapid pace. Want to learn more about the latest cybersecurity initiatives or how KirkpatrickPrice can keep your organization’s data secure against advancing threats? Contact us today.


With GDPR, CCPA, PIPEDA, HIPAA, and the numerous other state-level data privacy laws going into effect, it is understandable why many organizations don’t know where to start with their breach notification processes. In fact, even if your organization is compliant with these laws and regulations, knowing what to do when a breach happens can be tricky. In this webinar, our Director of Regulatory Compliance, Mark Hinely, explains who needs to be notified of a breach, when they need to be notified, and why breach notification is important. Watch now to learn about the following key takeaways:

  • Why breach notification is unavoidable
  • How breach notification can be simplified
  • How breach notification can be good for brand management

The Importance of Understanding Breach Notification Requirements

Unfortunately, data breaches are an incredibly common experience. This is why understanding the who, when, and why of breach notification best practices is essential. The likelihood that your organization will experience a data breach is only a matter of when, not if, it’ll happen, so it’s critical that you’re prepared and have an effective, actionable process in place to know what to do when it happens.

High-Profile Breach Notification Laws vs. US Breach Notification Laws

High-profile breach notification laws, such as GDPR, CCPA, PIPEDA, and HIPAA, all have specific requirements for notifying the public of breaches, but many of their requirements are similar or even overlap. On the other hand, the US has more than 50 specific state breach notification laws, all of which differ considerably from the high-profile breach notification laws. For example, more states are moving towards specific notification timelines (e.g. Colorado gives 30 days and Arizona gives 45 days) compared to the more generic timelines of CCPA and PIPEDA. States are also requiring more data elements, like resident names, biometric data, military information, and IP addresses, during the breach notification process. Finally, many states are enforcing sector-specific notification requirements: New York recently implemented NY CRR 500, which imposes breach notification requirements on the financial industry; South Carolina has breach notification requirements for insurers; and Virginia has breach notification requirements for tax preparers.

Ready to learn more about how your organization can improve your breach notification processes? Want to find out how breach notification can actually be good for business? Watch the full webinar now. To learn more about how KirkpatrickPrice can help you develop your breach notification process, contact us today.

For additional information about the developments of breach notification laws, visit the National Conference of State Legislatures.

Social Security numbers, credit information, account balances, PINs, cardholder data, mailing addresses, email addresses – it’s all available to financial institutions. Malicious attackers targeting financial institutions is not a new threat. In 1984, someone stole a credit file password from Sears for TRW Information Systems and posted it on an electronic bulletin board. This password gave access to a credit file containing names, addresses, birth dates, credit limits, and Social Security numbers of 90 million people, and that information could be used to obtain credit card numbers.

As these types of organizations rely more and more on technology, they become bigger targets for malicious attackers. How can financial institutions protect themselves from cyber threats? What are the risk management and cybersecurity expectations for financial institutions?

Cybersecurity Expectations in the US

In March 2017, the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23 went into effect, establishing new cybersecurity requirements for financial services companies. It states, “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.” NY CRR 500 requires that financial services companies (covered entities) develop a cybersecurity program that protects the confidentiality, integrity, and availability of sensitive customer information and information technology systems.

In February 2018, the US Securities and Exchange Commission (SEC) issued interpretive cybersecurity guidance, which builds upon the Division of Corporation Finance’s guidance from 2011, for public companies to follow when dealing with cybersecurity incidents and risks. The guidance says, “…the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks… Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”

In September 2018, the National Cybersecurity Center of Excellence (NCCoE) released the NIST Cybersecurity Practice Guides SP 1800-5, SP 1800-9, and SP 1800-18, with a specific use case for the financial services sector.

The cybersecurity expectations for financial institutions only continue to grow. In 2018, 24 states passed bills or resolutions related to cybersecurity. The legislative activity includes funding initiatives, public disclosure policies, promoting workforce training, and implementing improved cybersecurity practices. Outside of the US, we’ve seen the European Union implement GDPR, China implement the Cybersecurity Law, Singapore establish the Cyber Security Agency of Singapore, and the Brazilian National Monetary Council issue Resolution No. 4,658, among other legislation impacting cybersecurity expectations for financial institutions.

Best Practices for Cybersecurity Strategies

In the US alone, the majority of the cybersecurity guidance that’s been issued has similar recommendations: implement a cybersecurity policy, a formal risk assessment, and a formal way to manage third-party risk.

  • The need for financial institutions to create and maintain a cybersecurity policy based on the findings from a risk assessment is an integral part of cybersecurity. Among other elements like business continuity, asset inventory, and physical security, this cybersecurity policy must include information about relationships with vendors and third-party service providers.
  • Through a formalized risk assessment, organizations can determine what types of cyber risks face them and how dangerous those risks are. This intel gives organizations the ability to prioritize risk and create a more effective cybersecurity strategy.
  • One way to manage third-party risk is to develop and implement a third-party service provider security policy, which should include identification of vendors, risk assessment of vendors, the minimum cybersecurity requirements to be met by vendors, the due diligence process used to evaluate the competency of cybersecurity practices of vendors, periodic assessment of vendors based on the risk they present, periodic assessment of vendors to ensure the continued competency of their cybersecurity practices, access control management, the use of encryption for information in transit and at rest, and incident response procedures.

Real Threats to Financial Institutions

When Equifax reported its data breach that compromised millions of US consumers, the breach immediately became a headline. Breaches like this, though not as massive or as high-profile, occur all the time among financial institutions.

  • In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
  • In 2017, Petya hit the property arm of France’s biggest bank, BNP Paribas.
  • In 2018, the SEC charged Voya Financial Advisors (VFA) with failure in cybersecurity policies and procedures that led to a hack which compromised 5,600 customers’ personal data.
  • In 2019, a third party exposed a Dow Jones database on a public server, with no password, that contained 2.4 million records of “risky businesses and individuals.”

When breaches occur at financial institutions, the average cost per capita is $207. Banking Trojan botnets, Denial of Service attacks, skimming campaigns, malicious insiders – the threats aren’t stopping. What is your organization doing to protect yourself and meet the cybersecurity expectations for financial institutions? Contact us today to learn more.


It’s no secret that cyber threats are advancing at an alarming rate.

Whether it’s through social engineering, malware, zero-day attacks, or DDoS attacks, every organization – no matter their size or industry – is at risk. While enterprise-level organizations are more likely to have the resources needed to mitigate these advancing threats, small businesses and startups alike must recognize that they are equally as likely to face a data breach or security incident.

Who’s At-Risk for Cyber Attacks?

No matter which industry you’re in, there are sensitive assets to be stolen.

Protected health information, payment card data, Social Security Numbers, dates of birth, phone numbers, email addresses, confirmation numbers, travel reward numbers – malicious hackers want it all, and they won’t discriminate based on what industry you’re in or the size of your company. But because we often see data breaches of enterprise-level organizations in headlines, it can be easy to think that small and medium size businesses aren’t targets for cyberattacks.

This couldn’t be further from the truth.

In fact, according to the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses report, 61% of small and medium businesses experienced a cyber attack in the past year.

Are Cyber Threats the Same for All Businesses?

While the assets that startups and small businesses hold can be significantly different than enterprise-level businesses, many of the cyber threats remain the same.

For example, whether a company has five employees or 500, the threat of an employee causing a data breach is still one of the top concerns businesses have to mitigate. Similarly, things like weak passwords, ineffective mobile device policies, vulnerable POS systems, and misunderstanding cybersecurity threats can cause all types of businesses to fall victim to a data breach or security incident.

A startup and a Fortune 500 company could both have the most robust information security programs in the world, but if just one of their employees falls for a phishing scam, ransomware could compromise the entire organization.

To put it simply: no organization is truly safe from cyber threats.

In 2013, the Target data breach impacted 40 million customers because malicious hackers were able to compromise their POS system with malware by stealing credentials from a third-party vendor. This exposed payment card data and later caused Target to pay an $18.5 million settlement.

It’s easy to see why one of the largest retailers in America would be targeted by malicious hackers, but smaller retailers are just as vulnerable. In fact, considering that many small businesses utilize third-party vendors, the risk of experiencing a data breach or security incident significantly increases.

The Ponemon Institute reports that in 2018, 43% of data breaches were caused by third-party mistakes and 37% were caused by external, malicious hackers. Like many other enterprises, Target was able to recover from their data breach because they had the resources to do so; many small businesses would likely not be as fortunate, which is why it’s imperative to recognize that you’re a target for cyber attacks no matter the size of your business.

When it comes to thinking about cybersecurity and the steps your organization needs to take to stay protected against the threat landscape, you need to consider the sensitive assets you hold that malicious hackers are after, not the size of your company. Are you sure you’re doing everything you can to stay secure?

At KirkpatrickPrice, we’re here to help you regardless of the size of your company. Contact us today to speak to one of our Information Security Specialists to learn how KirkpatrickPrice can partner with you to strengthen your security posture and help you prepare against cyber threats.
