Cybercrime hasn’t changed this, but it has ramped up the speed and the consequences. Firms should balance being open with being secure. As attacks increase and regulators take closer notice, the pressure to act mounts. By recognizing that hackers will find vulnerabilities, leaders can improve the way they design and deliver services, manage risks, and train their teams.
We don’t “like” this. Social engineering has long been a favorite method for fraudsters, and criminals continue to adapt. Look for phishing to migrate more aggressively toward social media to lure gullible users to download and run malware. Other new techniques could emerge, possibly modeled on hacking tools that cyberintruders stole from the US National Security Agency (NSA).
The threat within. Cybercrime isn’t just a networking problem. It includes a rise in crime from internal sources such as insider trading, theft, and cybervandalism. And it’s not just full-timers. When firms onboard contractors and temporary workers, they may be handing over more than just a security badge. Expect a greater focus on internal risk analysis, both to protect against nefarious behavior and to identify workers who may have been unknowingly compromised.
More with less. A talent shortage in cybersecurity is likely to spur financial companies to find efficiency through the adoption of artificial intelligence, which can quickly comb mountains of data to identify patterns of wrongdoing. Firms are also likely to free up employees for cybersecurity by enlisting robotic process automation (RPA) to do repetitive tasks. But this can also introduce new vulnerabilities, and firms will focus more on protecting these new tools.
Not if, but when. There are two kinds of financial services firms: those that have faced a cyberattack and those that will. For one thing, that means building defenses that are comprehensive and resilient. Good “cybersecurity hygiene” also means employee training and regular reviews of authentication and security controls. To promote resilience, run cyberintrusion drills. Prepare for how you’ll respond, just as you do for other disasters. This will help you limit damage and speed recovery.
From the crown down. A cybersecurity strategy needs the full involvement and support of the C-suite and board. Senior leaders don’t always fully understand some of the risks the firm has taken on, whether explicit or implicit—but you should. Make sure that your business plan has a cybersecurity component. It’s not complete without one.
More than a tech problem. Constructing a tech firewall is just the first line of defense. The second is weaving strong cybersecurity controls into the entire risk management structure. So, prioritize data based on its sensitivity, quickly identifying and eliminating any vulnerabilities. Start by assuming that your users are already compromised. This will force you to build systems with privacy and protection in mind from the start. Treat cyberprotection like the business risk issue it is.
“Cybersecurity has to be something that’s ingrained into the way people think about new business opportunities and capabilities. It can’t be just something that the technology guys are going to fix.”
Our teams in asset and wealth management, banking and capital markets, and insurance are helping our clients tackle the biggest issues facing the financial services industry. With professionals across tax, assurance, and advisory practices, we can help you find ways to thrive even in a period of uncertainty. Whether you're preparing for regulatory changes, putting FinTech/InsurTech to work, or rethinking your human capital strategy, we work together with you to resolve complex issues, identify opportunities, and deliver value to your business.