The past 20 years have visibly demonstrated the impact large-scale events have on market, credit, and operational risks in financial services. Beginning with the bursting of the dot-com bubble and, more recently, the global COVID-19 pandemic, these events created significant volatility in stock prices, resulting in increased market risk. In between these events, a different crisis began in the US sub-prime lending market. This quickly metastasized into significant global credit risk for large institutions and became the biggest existential threat to the industry in more than a century.
The subsequent regulatory activity in response to these events focused on operational risks. Those risks were associated with internal processes, behaviors, and systems within institutions which were determined to be contributing factors. While operational risk is not a contributing factor in a pandemic, the COVID-19 pandemic’s impact on financial services’ digitization does correlate with a material rise in cyber risk. It also put an even greater emphasis on cyber risk management within institutions and financial regulatory agencies.
Regulatory Agencies Step Up
Cyber risk is the largest and fastest-growing operational risk within financial services. This should not come as a surprise, as the industry ranks as the most targeted by cyber criminals. This dubious distinction and related implications of a breach have ensured financial services’ high level of cyber security proficiency, protection, and alignment with standards such as the International Standards Organization (ISO) 27k series on IT risk and the US National Institute of Standards and Technology (NIST) Cyber Security Framework.
In the latter half of 2021, regulatory agencies responded to increasing cyber risks with updated guidance for institutions and auditors. The FFIEC issued an update for US banks to the Architecture, Infrastructure, and Operations Examinations Handbook, as well as guidance for Authentication and Access to Financial Institution Services and Systems. These updates were meant to address expanding risks related to digital financial services capabilities like access, authentication, cloud computing, and services provided by third parties. In the UK, the Financial Conduct Authority (FCA) issued initial guidance for institutions considering remote or hybrid work in advance of future regulatory audits. Similar actions by regulatory agencies and central banks are taking place globally.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium of 7,000 financial institutions, expects cyber threat activity to increase as cyber criminals search for zero-day vulnerabilities. Social engineering, malware, and distributed denial-of-service (DDoS) attacks are the most common persistent threats across the industry. The FS-ISAC’s predictions for 2022 and beyond reflect the challenging cyber risk environment for financial institutions:
- Nation-state cyber campaigns will mirror geopolitical tensions
- Nation-states will influence the financial services supply chain
- Ransomware groups will continue to professionalize
- Third-party risk will continue to threaten financial firms
- Zero-day vulnerabilities will increase
- Regulators will tighten the reins
- Incident response will mature
Digitization and Rising Complexity
The acceleration of digitization during the pandemic heightened awareness of the associated rapid IT changes and rising complexity. This is the number one cyber security challenge for financial institutions, according to the Deloitte Center for Financial Services and the FS-ISAC. The growing use of cloud, data analytics, and AI/ML in the development of new products and services, and the necessity of supporting remote and hybrid work environments, have expanded the scope and scale of what must be protected.
IT and operational risk leaders are focusing on “security by design” and “embedded security” approaches to manage this growing footprint and reduce the rising complexity of orchestrating security across many solutions. These approaches value security solutions that enable a ‘zero-trust’ future for access and authentication and are designed to provide enhanced visibility and intelligence as part of an integrated security architecture.
Cisco’s approach to embedding security across technology architectures led to the company becoming the largest global provider of security solutions. Today’s Cisco Secure portfolio provides world-class security from the cloud edge, across networks, applications, and workloads, to end-users and devices. Cisco SecureX is a cloud-native, built-in intelligence platform that connects the Cisco Secure portfolio and your infrastructure. It removes bottlenecks to give your operations teams access to answers and actions that help keep the business operating securely.
While cyber risks will continue to pose challenges, financial institutions are well positioned to manage cyber risks in partnership with industry peers, regulators, and security solution providers like Cisco.