Banks must develop and maintain a cyber-risk strategy at the executive level, and not just think of cyber security as "an IT problem," according to a new report from Deloitte titled "Transforming cybersecurity: New approaches for an evolving threat landscape."
The need to approach cyber security as a strategic business problem is more imperative as the financial services industry becomes a more frequent target, according to the report. U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries, according to Deloitte. That number is 43.9 percent higher than in 2012, when the industry was ranked third, after the defense and utilities & energy industries.
Further, the report notes that the business and technology innovations that financial services companies are adopting in their quest for growth, innovation, and cost optimization are in turn presenting heightened levels of cyber risks. These innovations have likely introduced new vulnerabilities and complexities into the financial services technology ecosystem. For example, the continued adoption of Web, mobile, cloud, and social media technologies has likely increased opportunities for attackers.
While the CISO or IT risk officer still has a very significant role to play, for sustainable success firms may consider appointing a chief operating officer (COO) or chief administrative officer (CAO) equivalent to lead a cross-functional team to drive the cyber risk agenda. Vikram Bhat, who leads Deloitte's financial services team, says that while senior leaders are involved in this process at most banks, it's still "predominately driven through IT organizations." Further, he says business leaders can and should be held accountable for their responsibilities related to data protection.
Bhat also notes that banks need to place a priority on using automation and data analytics in order to monitor and detect anomalies that could point to cyberattacks. The report notes that financial services firms should consider revisiting their IT security investments and prioritizing investments to create the required automation and analytics in their environment.
Further, Bhat notes that banks' increasing use of innovative technology, like mobile and cloud, to offer new products or pursue efficiencies also provides new avenues for cyber criminals to attack. He says the cyber security angle "needs to be fully incorporated into the decision-making process throughout the whole lifecycle, and sometimes you might make a different decision if you really incorporate it."
Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as a municipal and courts reporter for daily newspapers in upstate New York, Bryan has ...