The FinTech and financial services industry is an exciting and intellectually challenging sector, more so today than ever before. Firms ranging from startups to those with a global presence occupy the space and are developing innovative solutions at a seemingly breakneck pace. As traditional financial business models that have not evolved much since the 1930s collide head-on with radically new digital technologies, the results are both exciting and rife with potential. At the center of both of those ecosystems sits information. The ability to create, correlate, analyze, store, process, and deploy information assets is central to this business model. Immediately proximate to FinTech is the traditional financial services industry, ranging from investment to brokerage to private equity firms. Together, both the FinTech and financial services industries rely more on information today than ever before. As the traditional paradigms and business models that have served these industries morph, an explosion of new opportunities has emerged. Spanning both the traditional financial services and FinTech industries, the digital financial services business model has emerged. Containing a sweeping continuum of organizations, the current dynamism of digital financial services has changed, and is changing, the world. When disruptive technologies such as cloud-based services, blockchain-based currencies, virtual digital identities, and alternative investment models are considered, one can begin to realize the scope of this dynamism.
Balancing the nearly limitless possibility and opportunity brought by this brave new world is risk. Risk mitigation, avoidance, and management have long been central to the financial industry. With increasing oversight and regulation, firms face more numerous and onerous rules dictating how acceptable risk is defined. In recent years, it is not difficult to understand why: the long list of potential perils now includes insider and cyber-based threats. By its very nature, the digitization of the industry, and therefore of the information underpinning it, is borderless, fast moving, and intended to extend reach far beyond the four walls of any firm. These same attributes bring risks never before present in the industry. The traditionally paper-and-person-based way of doing business is being rendered seemingly obsolete and antiquated as borderless digital services make what was once a financial services fantasy an attainable reality. The industry has been left trying to reconcile many post-Depression-era safeguards with a 21st-century workflow and customer base. As cybersecurity risks increase, which most experts predict they will, especially for smaller firms, so too must a firm's ability to quantify and adapt to a new blend of risks.
IBM/Ponemon reported that in a 2015-2016 study of over 1,300 financial firms which were victims of a cyber attack or data breach, a single compromised record cost these organizations $257 on average. Most firms hold thousands to tens of thousands of records. When the financial penalties that can come from regulatory bodies after a reportable cybersecurity incident are factored into this equation, the direct financial costs of such an incident become daunting. Often missed from the impact analysis of a security incident are the soft costs of lost client trust and damaged firm reputation. The net result is highly unfavorable from whatever vantage point. Firms must recognize how these risks can be effectively mitigated in order to realize the amazing potential and empowerment of a borderless and hyper-connected financial services industry.
Adopting a few simple guidelines can provide tremendous value and protection to the information firms rely so heavily upon. Given the overwhelming sea of cyber-based threats and the daunting downside consequences of a data breach, the first suggestion we would offer to private investors, fund managers, and firm executives is to understand the landscape and the vernacular. Caught in the mire of cybersecurity risk, regulation, and mitigation, this may seem like an unrealistic objective. However, applying basic risk management and mitigation techniques to cyber issues is step one. To accomplish this, we advocate the following steps to begin to quantify and control information-centric cyber risk.
- Adopt a framework.
Utilize a framework such as those provided by the FFIEC's Cybersecurity Assessment Tool or the SANS/CIS 20 Critical Security Controls (20 CSC). Both of these cybersecurity frameworks are derived from the extensive research and practice of the U.S. Government as published in the National Institute of Standards and Technology (NIST) 800 series of guidelines. Why use a framework? Simple. These frameworks provide a common language for executives, technologists, auditors/examiners, and consultants to communicate with each other. They establish common and pragmatic goals that are largely divorced from the increasing sophistication of industry jargon and the attack-du-jour.
- Understand the firm’s information assets.
Once a framework is chosen for the firm, the next step is to establish an understanding of what information is being stored, accessed, or generated and where that information resides. Categorize the information into large, category-wide silos based on its C-I-A (Confidentiality, Integrity, and Accessibility) needs. These silos often transcend organizational units, departments, and even business units. This process, known as strategic information asset categorization and classification, allows for appropriate protection of these assets.
- Identify appropriate protective methodologies.
Armed with the location, nature, and CIA needs of the firm's information, prioritize the silos containing information that is sensitive or regulated in nature. Special attention should be given to silos that contain Personally Identifiable Information (PII). With silos defined, define a data protection plan that enumerates how to best and most appropriately protect that information. It is important to note that "how to best protect" information must transcend office walls and corporate headquarters. The technical, physical, administrative, and associative protection modalities of such protective methodologies must all be considered. Given the borderless nature of information, every point from which information can be accessed must be considered when formulating a data protection plan.
- Validate and document information security controls.
Securing the information assets and validating those security controls completes the process. A commonly overlooked first step is to document the firm's information assets and the protective methodologies associated with each asset. Once that is complete, validate the information security controls using an established methodology. This practice may take the form of an information security assessment or a review by a qualified security assessor. Regardless of how an assessment is conducted, using the firm's established security framework permits a common, consistent, and repeatable assessment process. Special consideration must be given to the nature of the assessments above; both engagements differ from a "Penetration Test". Penetration tests are complex and multifaceted technical engagements that evaluate an external adversary's ability to gain access to an organization, move throughout that organization while avoiding detection, and access sensitive information. Simply put, these tests are the culmination and validation of security efforts across an organization. Undertaking a penetration exercise prematurely devalues the assessment results themselves and commonly results in inaction. This would be akin to asking Special Forces soldiers to test their ability to gain access to a home. Clearly, the locks on the doors would be no match for high explosives and a trained breach team. Many firms waste precious time and resources on such penetration exercises when even the most basic security controls have yet to be implemented.
Notice the lack of acronyms or buzzwords. That is intentional. Buzzwords will change, and technology will change; however, the nature of a financial services firm will not fundamentally change. Firms large and small exist to deliver value to their clients, investors, partners, and shareholders. The modality of value delivery will most certainly change, but not the fundamental mission and purpose of the industry. Rooting a cybersecurity strategy in an information-centric risk mitigation and management model permits easy adaptation as technology and attacks change.
Corporate Information Technologies provides financial services firms with expert I.T. services including compliance assessment, cybersecurity penetration tests, and network security. Corporate Information Technologies can help create, refine, or validate your organization's cybersecurity posture and mitigate the risks presented by its shortcomings.
Our comprehensive Cyber Security offerings range from assessment to fully managed security offerings.
Contact us to learn more and let us show you how good I.T. can be!