Emerging Threats in the Cyber Landscape
At this year's Regulatory Horizon 2022: Preparing for the Challenges of Tomorrow conference, we examined key governance, risk and compliance challenges that firms face in 2022, and beyond. A whitepaper has now been developed, capturing key takeaways and benchmarking polls from the event.
This blog features one of the nine chapters in the paper. The full paper is available on demand, with recordings of the panel sessions embedded throughout.
- Cyber threats seem greater than ever, in both the number and sophistication of attacks on financial firms
- 56% of respondents said they would pay the ransom in a ransomware attack, depending on the data that was encrypted
- In response to the threats, new cyber risk and data protection regulation is emerging around the globe, and firms are changing their cybersecurity strategies too
Financial firms have good reason to be worried about cyber risk. Even before the current spike in the threat level caused by the conflict in Ukraine, attacks were already on the rise: the Identity Theft Resource Center recorded a 68% increase in breaches from 2020 to 2021, and the IBM Cost of a Data Breach Report puts the average total cost of a breach at a financial services firm at $5.72 million. It is not surprising that financial services regulators are responding with new measures for greater oversight, or that firms are adjusting their own programmes to this evolving landscape.
Cyber Threat Trends
Half of the respondents to the event survey said that the increase in the frequency and sophistication of threats such as ransomware concerned them most. It is easy to see why: attacks are more sophisticated, and because the malware and the tooling can be bought or downloaded off the shelf, firms face a greater number of attacks that are harder to repel. The kinds of attacks firms are seeing more of include:
- Ransomware – According to the ACA-NSCP 2021 Cybersecurity Program Survey, 83% of firms are “moderately” or “extremely” concerned about ransomware. Notably, more than 56% of respondents said their firm might pay the ransom, depending on the data that was encrypted. Paying carries real downsides, however: it marks the firm as a payer and can encourage repeat attacks, it offers no guarantee that data will be decrypted or that stolen copies will be deleted, and, where the recipient is a sanctioned entity, the payment itself can breach sanctions rules. New forms of ransomware use tactics such as triple extortion (the “triple threat”), where the criminals encrypt the firm’s data, threaten to release that data to the public, and then also threaten to tell the firm’s suppliers, third parties and customers that it has been hit.
- Third-Party/Supply Chain Attacks – Regulators are very aware that an attacker who compromises a vendor, a software supplier or a managed service provider can reach every financial firm that depends on it, and are watching this route closely.
- Business Email Compromise – Attackers are becoming more sophisticated here too. The lure now looks like a message from someone the recipient trusts, typically a long-standing business contact, and is produced by spoofing the display name, registering a lookalike domain, or sending from a genuinely compromised mailbox. Training staff to look for the tell-tale clues (a mismatched sender address or reply-to, unusual urgency, a change of payment details) matters, as does a rule that any change to bank details is verified out of band before money moves.
- Distributed Denial of Service Attacks – These attacks flood a target with traffic from many sources at once, which makes them very hard to filter by origin. Today the means to launch one are cheap and easy to obtain through booter and DDoS-for-hire services, and even the largest internet companies struggle to absorb the biggest attacks.
Overall, the attack environment for firms continues to grow more challenging. With the conflict in Ukraine, the potential for state-sponsored cyber attacks spilling over onto financial firms has also increased.
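The business email compromise clues listed above can be checked mechanically before a message reaches an approver. The script below is an added example, not part of the original article or any ACA tooling: it parses an email, compares the display name against a constructed address book of trusted contacts, flags lookalike sender domains (homoglyph substitutions such as “rn” for “m”, plus a one-character edit distance), flags a Reply-To that points elsewhere, and looks for payment-redirection language. The contact directory, the phrase list and the three sample messages are all constructed for illustration.

```python
"""Triage checks for business email compromise (BEC) lures.

Added example. The trusted-contact directory, the phrase list and the sample
messages are constructed; a real deployment would read the directory from the
firm's address book or vendor master file.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed: senders the firm already does business with (lower-cased display name -> address).
TRUSTED_CONTACTS = {"jane doe": "jane.doe@acme-partners.com"}
TRUSTED_DOMAINS = {addr.rpartition("@")[2] for addr in TRUSTED_CONTACTS.values()}

# Constructed, illustrative list of phrases that often accompany payment-redirection requests.
PAYMENT_PHRASES = ("new bank details", "updated account", "change of account", "wire", "urgent")


def canonical(domain: str) -> str:
    """Collapse common look-alike substitutions so 'acrne-partners.com' compares equal to 'acme-partners.com'."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but closely imitates a trusted one."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(canonical(domain) == canonical(t) or edit_distance(domain, t) <= 1
               for t in TRUSTED_DOMAINS)


def triage(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display name of a known contact paired with an address we have never seen for them.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display-name spoof: '{name}' is known as {expected}, not {addr}")

    # 2. Sender domain imitates a trusted domain.
    if is_lookalike(domain):
        findings.append(f"lookalike domain: {domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to mismatch: replies go to {reply}")

    # 4. Payment-redirection language in a plain-text body.
    body = "" if msg.is_multipart() else str(msg.get_payload())
    hits = [p for p in PAYMENT_PHRASES if p in body.lower()]
    if hits:
        findings.append("payment-redirect language: " + ", ".join(hits))
    return findings


# Constructed sample messages.
GENUINE = ("From: Jane Doe <jane.doe@acme-partners.com>\nTo: ap@example-fund.com\n"
           "Subject: Q3 invoice\n\nPlease find attached the Q3 invoice as agreed.\n")
SPOOF = ("From: Jane Doe <jane.doe@gmail.com>\nReply-To: jdoe.acme@outlook.com\n"
         "To: ap@example-fund.com\nSubject: Q3 invoice\n\n"
         "We have updated account details this quarter. Please wire the Q3 payment "
         "to the new bank details below urgently.\n")
LOOKALIKE = ("From: Jane Doe <jane.doe@acrne-partners.com>\nTo: ap@example-fund.com\n"
             "Subject: Q3 invoice\n\nPlease wire the Q3 payment to the account below.\n")

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("spoof", SPOOF), ("lookalike", LOOKALIKE)):
        print(label, triage(sample) or "no findings")
```

Any non-empty result should route the message to a human and, for payment changes, trigger the out-of-band call to the contact’s known phone number; the checks are a filter, not a verdict, and they do nothing against a genuinely compromised trusted mailbox, which is why the verification step remains a process control rather than a technical one.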
Cyber Regulation Trends
Regulation around the globe for cyber risk is increasing, and the pace of regulatory change is likely to accelerate further as jurisdictions implement specific cybersecurity rules and personal data protection requirements along the lines of the EU’s General Data Protection Regulation (GDPR). Three sets of requirements that firms should be preparing for today include:
- The SEC’s proposed Cybersecurity Risk Management Rules – The SEC published proposals in February 2022. For registered investment advisers in the US, these proposals would be a significant upgrade, requiring much more stringent governance, reporting and documentation, including written cybersecurity policies and procedures and records of incidents. Another noteworthy new requirement is the confidential reporting of a significant cybersecurity incident to the SEC within 48 hours. The comment period for this ends on 17 June 2022.
- The EU’s Digital Operational Resilience Act – Otherwise known as DORA, this set of proposals has a large range of financial institutions in scope, including alternative investment management firms. DORA draws many of the existing operational resiliency rules in different EU countries together, and also contains many of the themes that are in the SEC’s new proposals. The rules are expected to be finalised this year, and there will probably be a transition period for implementation, similar to what happened with GDPR.
- Personal Information Protection Law (PIPL) – This law, which came into effect in November 2021, is essentially China’s version of GDPR. And much like GDPR, if a firm is offering services to individuals within China, it must comply with PIPL.
For financial firms, cyber risk therefore includes both regulatory risk (the risk that the rules themselves change) and compliance risk (the risk of falling short of the rules that apply today). Firms need to think strategically about the actions they take to comply, and about how they evidence that compliance to a regulator.
Cyber Programme Trends
Firms are fighting back against the cyber risks they face in a variety of ways. Key ways in which they are taking action include:
- Third-Party Risk Management – Regulators around the globe are paying more attention to third-party risk management (TPRM), in part because of the cyber risk these non-regulated businesses pose to financial services firms. Cyber risk management teams should work closely with TPRM teams to understand which vendors the organisation works with, what data they process, and which systems they can access. Firms also need to consider how heavily they rely on each company from an operational resilience perspective: where a third party contributes to an important business process, the firm and the third party should have an agreed operational resilience plan in place before an incident occurs. What happens to the data and to system access when the relationship ends should be written into the contract up front.
- Incident Response/Business Continuity Planning – Firms should have a documented plan for managing a cyber attack, and employees should be trained in their role in the response. It is important to test these plans at least once a year through tabletop exercises, and to perform business continuity testing annually, or whenever circumstances change significantly.
- Cloud Migration/Security – Firms have moved substantial amounts of data and information processing into the cloud since the beginning of the Covid-19 pandemic in 2020. Having data in the cloud is not risk free, however: misconfiguration, rather than a flaw in the provider’s platform, is what typically leaves a firm exposed. Firms should regularly review what data they store in the cloud, where it is stored, who holds administrator rights, and how storage, identities and access are configured, and should treat that configuration review as a periodic control rather than a one-off exercise.
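The periodic configuration review just described is easiest to keep honest when it runs as code over an exported snapshot of the environment rather than as a manual checklist. The script below is an added example, not the article’s or any firm’s own tooling: it walks a constructed, simplified inventory (a stand-in for what a firm would export from its provider, for example from the AWS S3 and IAM APIs), and flags storage that is not shielded from public access or not encrypted, storage without access logging, principals holding a full administrative policy, administrators without MFA, and long-lived access keys. The inventory, its field names and the reference date are all assumptions chosen for the illustration, not a provider schema.

```python
"""Offline review of a cloud configuration snapshot.

Added example. The INVENTORY below is constructed: a simplified stand-in for an
export from a cloud account. Field names are assumptions for this illustration,
not a provider's schema; a real review would map them from the provider's API.
"""
from collections import Counter
from datetime import date

TODAY = date(2022, 6, 1)   # constructed reference date for the key-age check
MAX_KEY_AGE_DAYS = 90      # assumed policy: rotate long-lived keys at least quarterly

INVENTORY = {
    "buckets": [
        {"name": "client-statements", "block_public_access": True, "encrypted": True,
         "logging": True, "contains_pii": True},
        {"name": "marketing-assets-public", "block_public_access": False, "encrypted": True,
         "logging": False, "contains_pii": False},
        {"name": "legacy-exports", "block_public_access": False, "encrypted": False,
         "logging": False, "contains_pii": True},
    ],
    "principals": [
        {"name": "alice", "mfa": True,
         "policies": [{"Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::client-statements/*"]}],
         "access_keys": [{"id": "key-alice-1", "created": date(2022, 5, 1)}]},
        {"name": "ci-deploy", "mfa": False,
         "policies": [{"Action": "*", "Resource": "*"}],
         "access_keys": [{"id": "key-ci-1", "created": date(2021, 1, 15)}]},
    ],
}


def _as_list(value) -> list:
    """IAM-style documents allow a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_admin_policy(policy: dict) -> bool:
    """True for a statement granting every action on every resource (full administrative access)."""
    return "*" in _as_list(policy.get("Action", [])) and "*" in _as_list(policy.get("Resource", []))


def admins(inventory: dict) -> list[str]:
    """Names of principals that hold at least one full administrative policy."""
    return [p["name"] for p in inventory["principals"] if any(is_admin_policy(pol) for pol in p["policies"])]


def review(inventory: dict, today: date = TODAY) -> list[dict]:
    """Return one finding per misconfiguration, each with a severity, the asset and the issue."""
    findings = []

    for b in inventory["buckets"]:
        data_sev = "high" if b.get("contains_pii") else "medium"   # PII raises the stakes
        if not b["block_public_access"]:
            findings.append({"severity": data_sev, "asset": b["name"], "issue": "public access not blocked"})
        if not b["encrypted"]:
            findings.append({"severity": data_sev, "asset": b["name"], "issue": "no default encryption"})
        if not b["logging"]:
            findings.append({"severity": "low", "asset": b["name"], "issue": "access logging disabled"})

    for p in inventory["principals"]:
        if any(is_admin_policy(pol) for pol in p["policies"]):
            findings.append({"severity": "medium", "asset": p["name"], "issue": "full administrative policy attached"})
            if not p["mfa"]:
                findings.append({"severity": "high", "asset": p["name"], "issue": "administrator without MFA"})
        for key in p["access_keys"]:
            age = (today - key["created"]).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append({"severity": "medium", "asset": p["name"],
                                 "issue": f"access key {key['id']} is {age} days old"})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings by severity, e.g. {'high': 3, 'medium': 3, 'low': 2}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = review(INVENTORY)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f["severity"])):
        print(f"[{f['severity']:6}] {f['asset']}: {f['issue']}")
    print("administrators:", admins(INVENTORY))
    print("summary:", summarize(results))
```

Run on a schedule and diffed against the previous snapshot, the output doubles as the evidence of periodic review that regulators increasingly ask for; the severity weighting (public or unencrypted storage holding personal data scores highest) is the firm’s own policy decision and should be set by the data classification the TPRM and privacy teams already maintain.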
On Demand Webcast
This article is based on a panel discussion from the conference; a recording is available to watch on demand.
Our specialists are on hand to help you to navigate these challenges while considering the complexity of your firm’s unique compliance, managed services, and ESG requirements.
In addition, our ESG advisory team are on hand to help you gain clarity on your ESG requirements and build a strong ESG program that meets incoming regulatory needs. This practice helps firms of all sizes develop and monitor ESG programs to mitigate risk, make informed choices, grow profitably and sustainably, and combat greenwashing in the process.
Call +44 (0) 20 7042 0500 to connect with us.