Displaying items by tag: cybersecurity

According to a poll of over 355 financial services IT and business leaders, financial services firms feel more confident that they're protected from cyber risk than firms in any other sector. However, they still face significant third-party cyber risks. Cybersecurity firm Trend Micro Incorporated commissioned Sapio Research to perform the survey. The poll found that 75% of financial firms believe they're adequately protected from ransomware. This is far higher than the average of 63% across all sectors. This confidence is attributed to the actions being performed by cybersecurity professionals. According to the survey, 99% say they regularly patch servers, 92% secure remote desktop protocol (RDP) endpoints, and 94% have rules in place to mitigate risks from email attachments. But 72% of respondents also admitted that their organization had been compromised by ransomware in the past, and 79% see their sector as a more attractive target for cyber-attacks. In fact, Trend Micro found that 56% have had suppliers compromised by ransomware, 54% believe their suppliers make them a more attractive target, and 52% say a significant number of their suppliers are Server Message Blocks (SMBs), who may have less resource to spend on security.

Finsum:While financial services firms are more confident in their cybersecurity protection than other sectors, they often face more threats.

Earlier last week, the SEC and the Commodity Futures Trading Commission disclosed that they levied fines of more than $1.71 billion on several Wall Street firms. The regulators issued penalties to 16 financial companies for the failure to monitor the use of unauthorized messaging apps. The banks that were penalized include some of the largest firms on Wall Street, including Bank of America, Goldman Sachs, Citigroup, Morgan Stanley, Credit Suisse, and Barclays. The SEC’s probe revealed that between January 2018 and September 2021, employees of the aforementioned firms used WhatsApp, personal email, and other unauthorized services on their personal devices to communicate work-related matters. Personal devices can pose risk to an organization's data since it may not be as protected from cyberattacks as a secure company device, which enforces corporate security policies. Making matters worse, the 16 companies also failed to adequately maintain records of the communication, which hindered the investigation. In fact, the firms were not charged for the lax security, but their negligence in the documentation.

Finsum: The SEC and Commodity Futures Trading Commission fined 16 Wall Street firms a combined $1.71 billion for not maintaining documentation on the use of unauthorized messaging apps.

While the SEC has been pushing public companies to improve their cybersecurity, minimal adoption of stronger cybersecurity rules has led the agency to draft new rules requiring more formal cybersecurity reporting and disclosure. The SEC proposal outlined several requirements that are designed to improve cybersecurity awareness and reporting for corporate executives and board members. The first is cybersecurity incident reporting, including current reporting about material incidents and periodic reporting about previous incidents. The second requirement is cybersecurity policies such as periodic reporting about policies and procedures to identify and manage risks. The third proposal is management requirements including management’s role and expertise in assessing and managing risk and management’s role and expertise in implementing policies and procedures. The final requirement is board oversight such as reporting on how the board of directors performs oversight on cybersecurity and disclosure of the board of directors’ cybersecurity expertise if any.

Finsum:The SEC recently drafted new cybersecurity rules for companies, including incident reporting, policies, management requirements, and board oversight.

Over the past several months, financial firms are seeing an uptick in ransomware attacks. In fact, IT security professionals in the financial industry have noted that ransomware attacks have not only become more common but have also become more sophisticated. Cybersecurity professionals are seeing a new wave of threats that banks and investment firms are struggling to prevent. Over the past two years, financial firms are seeing more ransomware attacks that utilize outside service providers which are also known as ransomware-as-a-service. Firms are also seeing variants that have chosen different attack vectors, meaning they are now attacking other areas of firms such as corporate phone systems. According to Sophos’ The State of Ransomware in Financial Services 2022, 55% of financial service firms were victims of at least one attack in 2021, up from 34% in the previous year. The bigger issue for banks and other financial firms though is not just the number of ransomware threats, but their increasing sophistication.

Finsum:Financial firms are not only seeing an increase in ransomware threats, but the sophistication of attacks has also increased.

New York state’s Department of Financial Services (NYDFS) has proposed updates to regulations in the oversight of cybersecurity risks. The proposal would require board approval of cyber policies at banks, insurers, and other financial institutions that meet a certain size threshold laid out by the regulator. Companies would also have to disclose whether their directors have the expertise to oversee security risks or if they rely on outside cyber consultants. The proposal updates New York’s first-of-its-kind cybersecurity rules for financial institutions. Companies that run afoul of the new rules would risk NYDFS fines. The proposal follows similar federal proposals in which the SEC had highlighted board cyber expertise in proposed breach-reporting rules. Both the SEC and NYDFS proposals highlight the fact that increased threats from ransomware are too broad for security experts to oversee on their own. The updated regulations are expected to increase pressure on companies to quickly gauge the business impacts of such events. 

Finsum: Following in the SEC’s footsteps, the NYDFS has proposed an update to cybersecurity regulations that would require board approval of cyber policies at financial institutions.