By Michael McGehee, Senior Project Manager, Telos Corporation, shortlisted for the Best SaaS Product for Health & Safety or Risk Management category at The SaaS Awards 2022

The cybersecurity threat landscape is more complex and dangerous than ever. Countless statistics attest to this, but perhaps the clearest evidence is the 2022 Verizon DBIR, which found a 13% rise in ransomware this year, an increase as big as the last five years combined.

In 2022, the financial services (FinServ) industry experienced 268 incidents where data was compromised, an increase of almost 95% from 2020. Unsurprisingly, threat actors are after the money: according to Verizon’s report, 95% of incidents in 2021 were motivated by potential financial gain. Though regulation and reporting standards were created to alleviate some of the challenges these threats pose, the imposition of regulatory and compliance requirements opens a new set of hurdles for many organizations to overcome.

So how can we transform these standards from challenges to solutions? First, let’s understand exactly what we’re up against.

FinServ organizations face the possibility every single day that their systems will be breached, locked and held for ransom. This is because threat actors are hungry for lucrative financial gain, leveraging many different attack patterns and attack vectors to unlawfully access an organization’s network and steal user data and funds. Even the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber risk in the global financial system, raised its Regional Cyber Threat Levels (CTL) from “guarded” to “elevated” for nearly half of 2022, as organizations saw ongoing fallout from the beginning of the Russian invasion of Ukraine.

While organizations are encouraged to have a response plan in place so that they can react quickly to ransomware, too often it is already too late to save the data or funds that were stolen, and FinServ organizations must rely on outside organizations like the FBI to deal with the hackers and remediate the incident. In more severe instances, some organizations even shut down as a result of a ransomware attack because they are unable to recover from the crippling financial strain, a trend that is becoming even more pervasive as companies struggle to stay afloat in the down economy.

Additionally, new technologies create added challenges as both organizations and threat actors race to get ahead. Threat actors are seeking to capitalize on the increased utilization and implementation of cryptocurrencies and other decentralized finance (DeFi) tools, so established firms, as they install their own DeFi platforms, need to be more proactive than ever to ensure that their security infrastructures meet the standards necessary to protect their customers’ data and funds. With over $3.5B lost to hackers just in 2022, the ever-evolving financial services industry must act with real haste to lay a foundation for the guardrails that these new platforms, and others that will surely follow in the near future, will need in order to keep out hackers who wish to exploit a system built on the ideal of less complex regulation.

Cue reinforcements.

To shift the paradigm and build up a cybersecurity posture strong enough to deter hackers from even attempting to breach an organization’s network, new standards and regulations such as the NIST frameworks, FedRAMP and more have emerged. Easy enough, right? Unfortunately, organizations and their security teams still have a long way to go.

While these frameworks are well-intentioned and necessary for changing how security infrastructures are built, many organizations in FinServ need extra help making sense of the complex requirements. Not to mention, it can take an organization anywhere from a few weeks to a few years to fully implement a framework like NIST, depending on its existing resources and capabilities. Frameworks like NIST are designed to be apportioned, so that an organization can move step by step from its current infrastructure to its desired infrastructure, with different levels of implementation working in tandem. However, this can easily create confusion and unique difficulties for organizations whose capabilities vary from department to department. Furthermore, the FinServ industry is a constantly evolving ecosystem, and the regulations these companies are required to comply with change just as rapidly. Varied levels of compliance throughout an organization require systematic tracking of each compliance level, so that the organization stays in lockstep as it expands its regulatory and compliance efforts rather than moving at multiple different paces.

So, what can be done?

Financial organizations should begin by setting their compliance baseline against a single security standard to keep their infrastructure goals uniform throughout their network. Then, by supplementing pure compliance with threat management and intelligence, these organizations can feel confident that their teams can stay on top of any new threat, even during audit preparation. With the SEC recently issuing new cybersecurity guidance, putting in the initial effort to establish preventative security and compliance measures can go a long way to streamline the entire compliance process.

From there, organizations should explore external solutions that make the process of complying with regulations easier. Zero trust tools and obfuscation, key parts of identity management, are paramount to protecting FinServ networks that handle highly sensitive data. The often daunting initial effort that compliance and regulatory reporting require can be made simpler by installing a system that does the hard work for you. I recommend looking for the following criteria:

  • The ability to automate large sections of evidence collection and attestation, putting time back in the hands of the people who need it the most;
  • The ability to evolve with the changing ecosystem, ensuring that automated compliance is maintained through continued updates based on newly released information no matter how an existing regulation changes.