The past year provided many lessons about how risky the digital world continues to be. The 2016 Data Breach QuickView report stated that there were 4,149 publicly disclosed data breaches worldwide last year, exposing 4.2 billion records. That count covers only the breaches that were made public; the true figure could be much higher.
The financial industry's SWIFT transaction system became infamous after attackers compromised a Bangladeshi bank's SWIFT credentials and used them to issue a series of fraudulent transfer requests, stealing $81 million. This was the most egregious example in the industry, but there are many more that point to the need for stronger cybersecurity measures.
Another big player last year in the cybercrime world was ransomware. In the first quarter of 2016 alone there was an average of more than 4,000 attacks per day, according to Deloitte. That was a 300 percent increase over the roughly 1,000 ransomware attacks per day seen the prior year. In fact, ransomware is now considered the top cybersecurity threat to the financial industry.
In a recent SANS survey, 54 percent of responding financial services firms said they consider ransomware the biggest threat to their business, and more than 32 percent said ransomware attacks had resulted in losses of between $100,000 and $500,000.
Cybersecurity, or the lack of it, has become a headline issue, threatening financial institutions' reputations and bottom lines. The stakes are high enough that regulators are expected to take on a growing role going forward.
New Push for Cybersecurity Laws and Regulations
There has already been significant action on the cybersecurity legislative front.
In October of last year, the Group of Seven (G7) industrial powers agreed on guidelines to protect the global financial sector from cyberattacks, following a series of cross-border bank thefts carried out by hackers.
The European Union has approved cybersecurity rules, the Network and Information Security (NIS) Directive, that force businesses to strengthen their defenses. They require banking, energy and major technology companies to report attacks, and they require EU member states to cooperate on network security matters.
The EU's General Data Protection Regulation (GDPR) has serious implications for any organization that processes the personal data of people residing in the EU, regardless of where the organization itself is located. The financial sector must pay particular attention to this regulation because it processes a huge amount of personal data every day. Organizations that do not comply, or that try but fall short of the GDPR's stringent privacy rules, face fines of up to €20 million or four percent of global annual turnover, whichever is higher.
has a thriving IT industry, and the country has developed a national strategy through which government and
the private sector are working together to address cybersecurity. Last
year, it issued a
white paper describing major risks and initiatives
on this front.
U.S. states aren't waiting for the federal government to act. At least 28 states last year considered or introduced cybersecurity legislation, according to the National Conference of State Legislatures. Many of these laws and bills address national infrastructure and government agencies, but some specifically target the interests of organizations, including financial services organizations.
For example, a new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. One of the three cybersecurity bills signed into law in California last year makes it a crime for a person to knowingly introduce ransomware into any computer, computer system or computer network. Utah has enacted civil penalties for hackers. And Washington State has established the State Cybercrime Act.
Like these other proactive entities, the financial services industry can take part in the conversation with the legislators and regulators who are forming new laws and regulations. Banks that have historically concentrated only on compliance and are not involved in the current cybersecurity discussions may want to start voicing their opinions and lending a hand now, before regulatory decisions are cemented.
By the same token, regulators can consult cybersecurity experts to ensure that they fully understand the risks, the real capabilities of the corresponding technical controls, and any unintended consequences of regulations written with too broad, or too narrow, a scope.
Both regulators addressing new cybersecurity risks and financial institutions participating in these conversations should make sure they have at the table individuals who are well trained and certified in the relevant cybersecurity topics. This grounds the conversation in the technical realities of the risks being addressed and in the technical controls currently available to mitigate them.
In addition, financial service providers would do well to keep in mind that legislation typically lags the threat by three to four years because of the drawn-out lawmaking process. Cybercriminals experience no such lag, so providers need to take a proactive approach and go beyond mere compliance with cybersecurity regulations. To make their organizations as secure as possible against the myriad cyber threats, they must become as innovative and fast-moving in safeguarding their networks as the cybercriminals attacking them.
About Tom Gilheany
Tom Gilheany is the product manager of security learning products within Cisco Services. His background is diverse: he has worked in small startups and multinational Fortune 100 companies in product management and technical marketing positions. Before moving into marketing, he spent more than a decade working in information technology and operations. Tom holds a CISSP and an MBA, and is an active board member
of the Silicon Valley Product Management Association and Product Camp Silicon