By Tracey Longo/ FA-Mag.com
Nearly 75% of the chief information security officers at financial services firms plan to ask for more money in 2020 to battle cybersecurity threats.
That’s according to a new survey from the Financial Services Information Sharing and Analysis Center, which polled 300 compliance professionals at its annual conference.
The findings mark a sea change in the budget priorities of these security chiefs, a result of the escalating risk that cybercriminals pose to secure financial transactions, said Steve Silberstein, the center’s CEO.
He added that financial companies’ employees and third-party vendors are becoming areas of increasing concern as hackers target them seeking vulnerabilities.
Every week, regulators see more examples of cybercriminals’ evolving ability to target staff, existing customers and financial transactions using websites, e-mail and phone calls that mimic advisory firms and broker-dealers. Regulators from both the Financial Industry Regulatory Authority and the Securities and Exchange Commission pointed out this problem at FINRA’s annual conference in Washington, D.C., earlier this month.
The onus is on all firms, even small ones, to ensure they have instituted comprehensive and effective security awareness and training, said Greg Markovich of FINRA’s Chicago district office.
Letting cybercriminals hack or trick staff or customers “is a brand hit not only for you, but also for us,” Markovich warned information officers at the FINRA conference.
Can Employees Spot The Fakes?
“We see a lot of phishing and tags directed toward our reps,” said Amie Caban, the chief information security officer at New York City-based Guggenheim Partners, also speaking at the conference.
To combat the increasingly sophisticated attacks “we invest pretty heavily,” Caban said. “Interactive tutorials are mandatory for all our employees and contractors. If you have access to our network, you are required to take our training.”
Guggenheim also conducts simulated phishing campaigns, sending all employees trick e-mails that mimic what cybercriminals would send, to test their ability to spot fakes that could cost the firm millions of dollars.
“We launch quarterly campaigns, and those who identify the e-mails get a prize every quarter,” Caban said. “We track repeat offenders [who don’t spot the phish e-mail] and require mandatory additional training for them,” she said.
Silberstein said, “The advancement and adoption of new technologies coupled with increased geopolitical tension has fueled a rapidly evolving cyber-threat landscape.
“An effective cybersecurity program,” he said, “needs to adapt to this environment, and funding must be deemed as a cross-functional investment.”
Currently, financial services firms allocate just 10 percent or less of their overall budgets to cybersecurity, according to 56 percent of the chief compliance and information security professionals surveyed by the Financial Services Information Sharing and Analysis Center.
Where The Cyber Budget Goes
Within that cybersecurity budget, a majority (54 percent) said IT infrastructure and asset management is the area that receives the most funding. The three areas that receive the least are employee training and education (4 percent), vendor management (6 percent) and business continuity (9 percent).
The “first and foremost thing firms should invest in is training, especially around e-mail,” said FINRA’s Markovich.
In addition to increasingly sophisticated phishing campaigns, the regulator is seeing more “typo squatting” and “the creation of imposter websites, where you have [a] URL that looks a lot like your URL. One thing that we’ve seen firms do is go out and register domains that are close to theirs and lock them up. Makes it more difficult for imposters to use one against your firm,” Markovich said.
He also urged firms to consistently monitor websites that are trying to mimic theirs, by hiring an outside vendor if necessary. “There are third-party firms that will track if domains that are registered are similar to yours,” Markovich added.
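The two practices Markovich describes, enumerating look-alike names so a firm can register them first, and screening new registrations for names that resemble yours, can be automated in a few dozen lines. The following is an added illustration written for this article, not code from FINRA, Guggenheim or any vendor named above. The firm's domain (example-advisors.com), the variant rules and the registration feed are all hypothetical; a real deployment would feed it a newly-registered-domain list from a registry or monitoring vendor instead of the constructed sample.

```python
"""Look-alike domain generator and registration monitor (added example, hypothetical data).

Job 1: enumerate close variants of your own domain so the plausible ones can be
       registered ("locked up") before an imposter does.
Job 2: screen a feed of newly registered domains for names resembling yours.
"""

# Character swaps attackers commonly use because they look alike in many fonts (subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv"}
TLDS = ["com", "net", "co", "org", "us", "info"]
AFFIXES = ["secure", "login", "portal", "client", "online"]


def split_domain(domain):
    """'example-advisors.com' -> ('example-advisors', 'com')."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld


def generate_variants(domain):
    """Return the set of look-alike domains produced by common typosquatting edits."""
    label, tld = split_domain(domain)
    variants = set()
    # Single-character omission and adjacent transposition (ordinary typos).
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Doubled character (e.g. "exaample").
    for i in range(len(label)):
        variants.add(label[:i] + label[i] + label[i:])
    # One homoglyph substitution at each position where the source string occurs.
    for src, dst in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            variants.add(label[:idx] + dst + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    # Hyphen removed, or inserted where none existed.
    if "-" in label:
        variants.add(label.replace("-", ""))
    else:
        for i in range(1, len(label)):
            variants.add(label[:i] + "-" + label[i:])
    # Plausible words glued onto the brand.
    for word in AFFIXES:
        variants.update({word + label, label + word, label + "-" + word})
    variants.discard(label)
    variants.discard("")
    # Every variant on every TLD, plus the exact label on the other TLDs.
    out = {f"{v}.{t}" for v in variants for t in TLDS}
    out |= {f"{label}.{t}" for t in TLDS if t != tld}
    return out


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_registrations(own_domain, registrations, max_distance=2):
    """Return (domain, reason) for each registration that resembles own_domain.

    Exact generated variants are reported first; anything else within
    max_distance edits of the brand label, or containing the brand, is
    also flagged so a reviewer can decide whether it warrants a takedown.
    """
    own_label, _ = split_domain(own_domain)
    brand = own_label.replace("-", "")
    variants = generate_variants(own_domain)
    hits = []
    for reg in registrations:
        reg = reg.lower().strip()
        if reg == own_domain.lower():
            continue  # our own registration
        label, _ = split_domain(reg)
        if reg in variants:
            hits.append((reg, "generated-variant"))
        elif levenshtein(label, own_label) <= max_distance:
            hits.append((reg, f"edit-distance<={max_distance}"))
        elif brand in label.replace("-", ""):
            hits.append((reg, "contains-brand"))
    return hits


# Constructed sample feed standing in for a newly-registered-domain list.
SAMPLE_FEED = [
    "example-advisors.com",        # the firm's own domain
    "examp1e-advisors.com",        # l -> 1 homoglyph
    "exampleadvisors.com",         # hyphen dropped
    "example-advisors-login.net",  # affix plus TLD swap
    "exmaple-advisors.com",        # transposed letters
    "exampleadvisor.com",          # not an exact variant, but 2 edits away
    "unrelated-capital.com",       # benign
]

if __name__ == "__main__":
    for domain, reason in screen_registrations("example-advisors.com", SAMPLE_FEED):
        print(f"{domain:30} {reason}")
```

The generated set is what a firm would hand to its registrar to decide which names to lock up; the edit-distance and contains-brand checks exist because attackers do not restrict themselves to the permutations you anticipated, which is also why Markovich suggests an outside vendor that watches the registration stream continuously.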
Tim Lotz, the vice president and head of global technology compliance and risk management at T. Rowe Price, advised firms at the FINRA conference to share as much as possible about their businesses with their information security professionals.
“How much about your business does cybersecurity staff need to know? The more the better. It is your most important line of defense,” Lotz said.