For banking and financial companies, the cybersecurity threat landscape is significant: they are "easy money" for the cyber criminal. In a recent research note, the financial services industry was identified as the biggest target of cyber criminals across 26 different industries. In addition, according to the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), threats to the financial sector are the most common form of cyber criminal activity across the electronic infrastructure.
Contrary to popular belief, the financial services industry in the US is far more aware of, and better prepared for, cyber attacks than most other industries. However, financial institutions and banks operate on a global scale, and an overseas financial partner amplifies their risk and compliance exposure (e.g., the breach notification and other requirements of the GDPR, as well as the rules of individual states, counties and cities in the US). In addition, the financial services industry relies on third-party vendors to manage its IT systems and to provide management and product assistance. This is a significant problem, since small financial sector vendors have neither the resources nor the budget to address their own cybersecurity and data breach exposure. In the past, third parties and the parent company relied on a cybersecurity "self-certification", but that approach has proven to be inconsistent and unreliable. Currently, vendor IT assessment and compliance efforts are driven by US (state, county and city) and foreign laws, rules and regulations; in the long run, however, financial companies need to be more cognizant and proactive in driving vendor testing and compliance efforts themselves.
In this regard, see the Securities and Exchange Commission (SEC) press release at https://www.sec.gov/news/press-release/2018-213, in which Voya Financial Advisors Inc. (Des Moines, IA) was charged with maintaining deficient cybersecurity policies and procedures and agreed to pay a $1 million penalty to settle the charges.