Criminals target financial firms because that’s where the money is. Cybercrime hasn’t changed this, but it has ramped up the speed and the consequences. Firms should balance being open with being secure. As attacks increase and regulators take closer notice, the pressure to act mounts. By recognizing that hackers will find vulnerabilities, leaders can improve the way they design and deliver services, manage risks, and train their teams.
Bad to worse. Cyberattacks against financial services and other sectors have grown in number, size, and sophistication. Hackers have struck at the heart of US finance, with revelations in 2017 of significant breaches at the Securities and Exchange Commission and elsewhere. Fraud incidents, both online and offline, have increased by more than 130% during the past year, resulting in significant monetary and reputational losses for financial institutions. Meanwhile, cyberextortionists did more damage, as Petya and WannaCry ransomware blocked access to hundreds of thousands of computers around the world. Playing defense is harder than ever.
Target-rich environment. The number and range of vulnerabilities is growing as companies outsource internal processes, shift computing to the cloud, and connect to customers through more channels. While financial firms certainly benefit from digital networking, this also enlarges their “attack surface” exposed to hacking. With more than 8 billion connected “things” in 2017, there are now more networked endpoints in the world than there are people.
The state steps in. Failures in cybersecurity have prompted data privacy legislation in more than 40 US states. In 2017, New York State regulators passed new rules requiring institutions to create detailed programs to protect consumer data and ensure employees are trained to identify threats.
We don’t “like” this. Social engineering has long been a favorite method for fraudsters, and criminals continue to adapt. Look for phishing to migrate more aggressively toward social media to lure gullible users to download and run malware. Other new techniques could emerge, possibly modeled on hacking tools that cyberintruders stole from the US National Security Agency (NSA).
The threat within. Cybercrime isn’t just a networking problem. It includes a rise in crime from internal sources such as insider trading, theft, and cybervandalism. And it’s not just full-timers. When firms onboard contractors and temporary workers, they may be handing over more than just a security badge. Expect a greater focus on internal risk analysis, both to protect against nefarious behavior and to identify workers who may have been unknowingly compromised.
More with less. A talent shortage in cybersecurity is likely to spur financial companies to find efficiency through the adoption of artificial intelligence, which can quickly comb mountains of data to identify patterns of wrongdoing. Firms are also likely to free up employees for cybersecurity by enlisting robotic process automation (RPA) to do repetitive tasks. But this can also introduce new vulnerabilities, and firms will focus more on protecting these new tools in 2018.
Not if, but when. There are two kinds of financial services firms: those that have faced a cyberattack and those that will. For one thing, that means building defenses that are comprehensive and resilient. Good “cybersecurity hygiene” also means employee training and regular reviews of authentication and security controls. To promote resilience, run cyberintrusion drills. Prepare for how you’ll respond, just as you do for other disasters. This will help you limit damage and speed recovery.
From the crown down. A cybersecurity strategy needs the full involvement and support from the C-suite and board. Senior leaders don’t always fully understand some of the risks the firm has taken on, whether explicit or implicit—but you should. Make sure that your business plan has a cybersecurity component. It’s not complete without one.
More than a tech problem. Constructing a tech firewall is just the first line of defense. The second is weaving strong cybersecurity controls into the entire risk management structure. So, prioritize data based on its sensitivity, quickly identifying and eliminating any vulnerabilities. Start by assuming that your users are already compromised. This will force you to build systems with privacy and protection in mind from the start. Treat cyberprotection like the business risk issue it is.
“Cybersecurity has to be something that’s ingrained into the way people think about new business opportunities and capabilities. It can’t be just something that the technology guys are going to fix.”
PwC's Sean Joyce and Suzanne Hall describe how cybertheives prey on employees' inattention to risk. They say it's imperative for financial services companies to prepare their workforce for increasingly sophisticated attacks by cyberintruders, including through social media.
PwC's Suzanne Hall describes how disclosures of cyberattacks at the heart of US finance, including the Securities and Exchange Commission, underscore that every financial firm should implement a comprehensive cybersecurity strategy. This means protecting data, as well as shielding company networks and devices, and ensuring everyone at the firm is trained in how to defend against cyberthreats.
Our teams in asset and wealth management, banking and capital markets, and insurance are helping our clients tackle the biggest issues facing the financial services industry. With professionals across tax, assurance, and advisory practices, we can help you find ways to thrive even in a period of uncertainty. Whether you're preparing for regulatory changes, putting FinTech/InsurTech to work, or rethinking your human capital strategy, we work together with you to resolve complex issues, identify opportunities, and deliver value to your business.
Principal, Cybersecurity and Privacy, PwC US
Tel: +1 (312) 298 2745
Managing Director, Cybersecurity and Privacy, PwC US
Tel: +1 (703) 610 7449
Global Growth Strategy, US Financial Services Practice, PwC US
Tel: +1 (312) 298 6823
Leader, Financial Services Institute, PwC US
Tel: +1 (720) 931 7836