Cybersecurity for finance
Financial institutions hold vast quantities of high-value information, including client data, banking records, proprietary research and trading algorithms, all of which is under constant threat of compromise.
In the face of growing threats, and under pressure from regulators, trading partners, and customers, it is vital that organizations such as banks, hedge funds, wealth management firms, and private equity houses make the right security investments to ensure that this data is fully protected.
Common cybersecurity challenges in the financial services sector include:
• Defending growing and increasingly fragmented network infrastructure
• Integrating new technologies alongside legacy systems
• Balancing system accessibility with security
• Minimizing the financial and reputational damage of breaches
• Achieving compliance with the GDPR, SWIFT CSP and NYDFS regulations
Key security questions for financial services organizations
Questions organizations in financial services should be asking of themselves, and should expect investors, regulators and counterparties to ask of them:
How often is digital infrastructure tested for vulnerabilities?
Are systems able to identify threats that bypass the perimeter?
Are staff sufficiently trained on information security risk?
Is operational resilience regularly assessed?
How will services be affected in the event of a cyber incident?
Has the company had any cyber-related incidents? If so, what types of incident were they?
About whom do they have data? Customers? Employees? Agents? Deposit holders? Policyholders?
What regulations is the company required to comply with? NYDFS? GDPR? The California Consumer Privacy Act (CCPA)?
Does the contract with the provider hosting the client’s data or supplying cloud services contain terms that could affect the company, or other companies storing information in the same facility?
Does the company have business recovery procedures in place?
Does the company have insurance cover for cyber incidents? How does this affect the company’s ability to recover from a cybersecurity incident? Disclosing this in the Form 10-K helps investors understand who bears cyber-related operational risk.
Does the board understand its disclosure responsibility?
Does the company understand how to perform cyber-related risk reporting? Can it report quickly enough for the risks to be properly considered by the company’s disclosure committee?
Cybersecurity compliance for financial services
Antares is well placed to help financial institutions tackle the complex challenge of achieving compliance with NYDFS, SEC and SWIFT CSP requirements on cybersecurity, GDPR, and other data protection requirements.
In effect since May 2018, the GDPR sets strict data security standards, requiring organizations to protect personal data and to report breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them.
Item 503(c) of Regulation S-K (under the US Securities Act of 1933) and Item 3.D of Form 20-F (which must be filed by “foreign private issuers”) require companies to disclose the most significant factors that make investments in their securities speculative or risky. The SEC’s 2018 interpretive guidance on cybersecurity disclosures recommends that companies include cybersecurity risks and incidents in these risk-factor disclosures, and advises them to avoid generic, boilerplate statements and instead tailor disclosures to their particular cybersecurity risks and incidents.
Financial services companies that store, process or transmit payment card data, including those taking online card payments, also need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Its requirements include maintaining a secure network, implementing robust security policies, regularly testing systems for weaknesses and proactively monitoring network infrastructure.