Overcoming board-level cybersecurity obstacles in the financial services industry
Today’s financial services institutions are challenged to keep pace with changing and covert cybersecurity threats. Since financial institutions are among some of the most appealing targets for hackers, it is critical for these organisations to remain extra vigilant about securing confidential information.
As the stakes increase, and with phishing’s dark cousin “whaling” – a type of fraud that targets high-profile end users, such as C-level corporate executives, politicians and celebrities – now a major concern, senior executives and board members alike are being held increasingly accountable for corporate missteps. Yet many are facing their own unique and persistent cybersecurity threats, such as whaling attacks, which add another layer of risk to the organisation.
With cybersecurity identified as one of the industry’s top risks, it is essential that financial institutions develop and implement effective systems, processes and protocols with the C-suite and the board in mind to prevent damaging incidents from occurring. Here are three areas in need of immediate attention within companies large and small in the financial services sector:
1. Renew focus on compliance
To ensure effective cybersecurity, financial institutions need to be mindful of all new and evolving federal, state (if operating in the US) and industry compliance standards. While many states have already adopted data breach notification laws, they are also now focusing on the importance of breach prevention.
Most recently, the State of New York’s Department of Financial Services (DFS) put a law into effect that directly addresses cybersecurity requirements for financial services companies. The law requires all financial institutions doing business in New York to comply with the new cybersecurity regulations at DFS, with directors required to certify that cybersecurity policies exist and are effective.
While the regulation currently applies only to financial services firms, it covers all those conducting business in New York, and over the next two years it will extend to any third-party vendors doing business with these firms as well. This new regulation will likely be the first of many similar ones, impacting hundreds of companies.
2. Know and manage against cost of failure
The true cost of failed cybersecurity and data exposure for a company was once impossible to estimate. Now, thanks to a renegotiated Yahoo-Verizon deal, it has become evident, and is estimated at around $350 million. This astounding drop in price, coupled with new regulations that have been put in place, should serve as a wake-up call to the collective business world. It makes it especially clear that financial services institutions must now take the appropriate steps to ensure that the highly sensitive and valuable personal data they hold remains secure, no matter what. Every company must have a cybersecurity plan in place, and everyone, including board members, must take part in these efforts.
Beyond this regulation, directors and other senior executives are responsible for safeguarding the value of their brand – and today that value is closely tied to data protection and cybersecurity. Without solid security education and training, everyone within an organisation has the potential to put their company in jeopardy of a data breach and its fallout, which includes costly fines and often a reputational hit.
A recent study undertaken jointly by NYSE Governance Services and Diligent Corporation found that 62% of corporate directors are not required to take any cybersecurity training; only 9% were required to take the same level of cybersecurity training as the rest of the company’s employees.
Meanwhile, nine out of ten directors use unsecured, personal email accounts (including Yahoo! Mail, Gmail and other systems) at least occasionally to send messages related to board business, and half of directors had no knowledge of whether the company’s information security team monitors or audits the board’s adherence to the company’s communication policies. This presents a huge threat to corporate security and governance.
3. Enforce a top-to-bottom approach
It is especially important for financial institutions to limit potential exposure and to regain critical control over sensitive data, with regular reporting provided to the board. However, this will require directors to improve their general understanding of cyber risk and cybersecurity practices and policies.
The Ponemon Institute and Fidelis Cybersecurity recently released a report that revealed a shocking lack of critical cybersecurity knowledge among top-level leaders. Specifically, only 41% of board members claim to have expertise in cybersecurity, and another 26% said that they have minimal or no knowledge of cybersecurity.
Furthermore, directors’ behaviours might unknowingly be putting their companies at risk. Recognising that there is no limit to the potential damage a data breach can do to a company, as made clear by recent headlines, those at the helm of these organisations’ risk management and governance departments must educate these company representatives and plan ahead accordingly.
Since many top-level leaders – including the board of directors – are routinely sending or sharing confidential and potentially damaging information via private email accounts without any understanding of the risks posed by that convenient practice, it is essential to educate them. To make certain that these company representatives are aware of the vulnerable and exposed nature of private email, they must be trained or retrained at least once a year. They should also be provided with on-demand access to security protocols and procedures to help them avoid being the source of this type of data loss. Successful training and data governance can help keep companies and financial services institutions, their customers and their employees safe from harm and out of the headlines.
The long and short of it
Needless to say, the collective business world will need to make cybersecurity and data protection a high priority in order to maintain business, reputation and customer faith.
By implementing secure, encrypted technologies alongside necessary policy and cultural organisational changes, companies will not only decrease the likelihood of a breach, but also strengthen how a company responds to an incident. This will lead to overall enhanced profitability and stability for the individual organisation as well as for the financial services industry overall.
By Dottie Schindlinger, VP and governance technology evangelist at Diligent