The cost of being hacked

Target, JP Morgan, Sony – ask anyone who keeps up with the news what these firms have in common and they’ll probably be able to tell you. They’ve each been the victim of a major cyber attack, resulting in high-profile resignations, regulatory fines, loss of revenue and, above all, an embarrassingly public blow to their reputation.

This reputational risk is one of the main drivers that have pushed cyber security up the agenda of financial services firms.

“Going back to the financial crisis of 2008, when you thought of the top ten risks, it didn’t come as number one. But today it’s moving up to the top slot. We’re talking more and more about cyber security as more than just risk management,” says Said Tabet, governance, risk and compliance strategy lead at EMC.

There was a time when such reputational risk could almost be dismissed, since clients tended to stick with the financial firm they knew, which was often the first one they banked with. But these days that loyalty has disappeared as customers have more choice and more ease in voting with their feet, says Andrew Rogoyski, head of cyber security services at CGI UK.

“The easier it is to change banks or retailers, the more sensitive those organisations become to the reputational impact of an online attack,” he says. “That’s increasingly true with generational changes – when I look at graduates today, they’re pretty merciless towards their providers.”

These changes, along with accelerated adoption of new technologies, such as mobile and the cloud, and the threat of tech-savvy market entrants, have propelled cyber security out of the compliance tick-box zone and into a foundational business strategy. Financial services firms need a cyber-security policy that covers every aspect of transactions, whether online or on a mobile app, and that protects data wherever it’s held, whether that’s deep in the company servers or off in the cloud.

FOCUS ON TRANSACTIONS

The financial industry’s legacy IT systems are still a problem for cyber security, but that’s not the only reason why covering transactions is such a challenge. Frequently, larger institutions are a conglomeration of mergers and acquisitions that have taken in tens of firms, all with their own IT systems and cloud contracts. One way to try to build a security strategy around all these systems is to focus on the transaction itself, explains Rashmi Knowles, at RSA, the security division of EMC.

Financial services firms need a cyber-security policy that covers every aspect of transactions

“We used to try to protect everything, to put a shield around legacy systems, cloud, mobile, social media, but now the thinking is very much around protecting the transaction itself,” she says, adding that the key is to increase the security for each additional risk – is it a transaction on a mobile; is that mobile operating overseas?

But service providers are also doing their bit to cater for the high-security demands of financial services firms. Both Ms Knowles and Mr Tabet say that cloud providers are starting to include security in their service level agreements, offering a guarantee of protection on data that helps, even if the responsibility still ultimately resides with the financial firm.

In addition, there is more collaboration between service providers, financial firms, governments and regulators. Information-sharing with initiatives such as the US Financial Services Information Sharing and Analysis Center have been going on for some time, pooling not just the knowledge of cyber attacks, but the intelligence necessary to try to avoid them. And now solution-sharing is on the agenda as well.

“When one institution, particularly a large one, is affected, the whole industry is weakened. It creates a problem that’s systemic. So we have to deal with it at that level and because of this there’s more and more discussion of solutions,” says EMC’s Mr Tabet.

Although compliance still helps to drive the adoption of security measures and the establishment of standards, cyber security is now about so much more. And the threats are the same, whether you’re a traditional institution and or a tech-savvy startup.