Cyber-attacks in the finance/banking sector were up 53% in 2021, and according to IBM and the Ponemon Institute, the average cost of a data breach in the financial sector in 2021 was $5.72 million. Many insiders tie this rise to the sophistication of attackers, the rush to cloud everything and the vulnerable nature of today’s hybrid workforces. As a result, board directors at banks and insurance companies view cyber security as a top priority. On the strategic front, many are employing cybersecurity committees for stricter oversight and scrutiny. From a tactical perspective, finserv boards are demanding more robust cyber security reporting by the company’s executives.
“When it comes to board reporting, defining the right objective metrics and delivering them on a sufficiently frequent basis are challenges. It is important to use a variety of techniques to quantify cyber risk and calculate the risk exposure and how it can be reduced through targeted investments.”
Top 5 cyber-attacks on financial services organizations:
- Phishing — imposters pose as legitimate professionals in fraudulent emails to obtain credentials or computer/network access
- Ransomware — criminals lock victims out of their computers/networks and demand payment to restore access
- DDoS Attacks — victim’s server is flooded with fake connection requests, rendering it inoperable and offline
- Supply Chain Attacks — attackers compromise a vendor or service provider to reach its customers, which is why an up-to-date inventory of third parties and their access must be managed
- Bank drops — criminals store stolen money in fake bank accounts opened with false credentials.
Board Reporting Suggestions
Communicating cyber security risk to the board can be challenging, especially since many of the directors may not be technically adept. Therefore, there are certain factors a finserv organization ought to consider when reporting, such as:
- Talk about the value your security programs bring to the organization – Don’t talk about the aspects of the security initiatives themselves but rather the value those programs bring to organizational safety and data security.
- Eliminate highly technical terms – Rather than using cybersecurity tech speak that the board may not understand, speak in terms of potential risk and business impact. Instead of talking about “embedded hardware authentication”, for example, explain the importance of ensuring the authenticity of hardware tools and the risks of not doing so.
- Align key performance indicators (KPIs) and risk performance indicators (RPIs) with industry standards or with peer competitors – Performance metrics don’t mean anything if they aren’t anchored by comparisons to industry best practices or to other companies. That context allows the board to understand the significance of the performance measures you are sharing.
- Keep the board apprised of metrics out of cycle – Don’t wait until the quarterly board meeting to drop important metrics on the board. It may be too late to do anything about their impact. When important metrics surface, share them with the board quickly, even if it’s in between meetings. This way, the board and the executive team can authorize remedial action in time to make a difference in the company’s security posture.
- Identify and share recent security/compliance updates and policies – Changes in presidential administrations and new legislation can change the requirements for regulatory reporting. Share relevant updates with the board as they occur. Proper resource allocation, changes to SOPs and critical decisions can therefore be made appropriately and in a timely manner.
Protecting your business’s data, its reputation and its viability must remain top priorities this year and moving forward. Keeping your board continuously informed is the best way to ensure the proper resources, strategies, systems, processes and controls are at your disposal to combat the ever-increasing flood of cyber attacks on the financial sector.