Cyber Risk Management in Financial Services
Cyber risk management is a hot topic these days, garnering increasing attention from regulators, including those overseeing the financial services industry. As cyberattacks become more prevalent, it is increasingly important that financial services firms strengthen their cybersecurity defenses to protect themselves against cyber threats.
In our recent webinar, Preserving Trust: Cyber Compliance in Financial Services, our experts reviewed key cyber risk management frameworks that all financial services firms should familiarize themselves with. They also discussed third-party risk management controls to mitigate cyber risk, recent regulatory developments, and best practices for safeguarding sensitive data.
Cyber risk management frameworks
The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and NIST’s Cybersecurity Framework Version 2.0 (CSF 2.0) are two internationally recognized frameworks for implementing a robust cybersecurity program.
According to NIST, the RMF provides a “comprehensive, flexible, risk-based approach” that integrates security, privacy, and cyber supply chain risk management activities into the system development lifecycle through the following seven-step process:
- Prepare: Carry out essential activities to help prepare all levels of the organization to manage security and privacy risks. The outcomes of this step should be to identify key risk management roles; establish an organizational risk management strategy and determine the firm’s risk tolerance level; conduct a risk assessment; develop and implement a continuous monitoring strategy; and develop security controls.
- Categorize: Inform the organizational risk management process and tasks by determining the adverse impacts in the event of a loss of confidentiality, integrity, or availability of systems and of the information processed, stored, and transmitted by those systems.
- Select: Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk.
- Implement: Implement the controls specified in the organization’s security and privacy plans. Update the security and privacy plans to reflect any new controls implemented.
- Assess: Verify that the controls have been implemented correctly, are operating as intended, and are producing the desired outcome with respect to the security and privacy requirements for the system and the organization.
- Authorize: Establish accountability around the process by requiring a senior official to determine whether the security and privacy risk arising from the system’s operation or the use of common controls is acceptable.
- Monitor: Continuously monitor the security and privacy posture of those systems, and continuously report on the organization’s security and privacy posture to management.
Another important framework that complements the RMF is NIST’s widely adopted CSF. NIST has released the latest version, CSF 2.0, to help organizations of all sizes and across all sectors manage and mitigate their cybersecurity risks and achieve their cybersecurity risk management goals.
In particular, CSF 2.0 emphasizes the importance of governance, encompassing “how organizations make and carry out informed decisions on cybersecurity strategy” and how to better secure their supply chains, according to NIST. CSF 2.0 also includes a new financial sector Community Profile, providing an implementation roadmap for organizations in the financial services industry.
Third-party risk management controls
Many organizations today use third-party vendors to service their end customers. However, third parties can create risk for the organization if those vendors do not have robust cybersecurity controls in place themselves. By using the steps outlined in the NIST RMF and CSF, financial services firms can strengthen their third-party risk management (TPRM) controls.
Sanjay Pathak, vice president of managed services at Smarsh, shared the following key questions to consider when thinking about how to mitigate third-party cyber risks:
- Has the organization identified and risk-ranked each third-party vendor based on the sensitivity of the data that the vendor manages and stores?
- Has the organization performed due diligence on each vendor, based on the level of risk that the vendor poses to the organization?
- Has the organization evaluated whether vendors have appropriate controls in place to meet the firm’s cybersecurity requirements and posture?
- Is there someone in charge to continuously review how those processes and risk controls are being managed?
- What service level agreements (SLAs) are in place to protect the organization to ensure that risks posed by the third-party vendor don’t fall on the organization?
- If a cyber incident occurs, what remediation measures need to happen?
- What controls need to be put in place to ensure that key stakeholders are alerted and that there is a post-incident review to ensure that the incident does not occur again?
Some firms may be using different third-party systems to capture different types of data, and some of those third-party systems may be handling more sensitive data than others. Examples include an ADP system that manages payroll data or a Salesforce system that collects personally identifiable information (PII) for sales leads.
Third-party vendors that handle data that doesn’t pose much of a business risk may be put in a lower risk tier than another vendor that is capturing data that the organization deems critical to the business, Pathak said. The higher the risk that a vendor poses, the deeper the level of due diligence it will require.
Pathak stressed that the most important message to take away here is that third-party vendor risk should be part of an overall cyber risk management program, not just internal systems and controls.
Regulatory focus on cybersecurity practices
As cyberattacks become more frequent and sophisticated, they are causing significant harm to investors, firms, and markets. That has regulators taking notice.
For example, FINRA has begun evaluating how firms are approaching cybersecurity risk management by reviewing their controls across several areas, including: technology governance; risk assessments; technology controls; access management; incident response; vendor management; data loss prevention; system change management; branch controls; and staff training.
Additionally, FINRA has issued several guidance documents, including interpretive guidance highlighting best practices for responding to a cyber incident.
Common types of cyber schemes
While the financial services industry faces many types of cybersecurity threats, phishing schemes are especially prevalent and “often use spoofing techniques to lure you in, get you to take the bait,” said Jonathan Evans, leader of the cyber compliance division at Smarsh. “These scams are designed to trick you into giving information that criminals should not have access to.”
One common type of phishing scheme is an email that appears to come from a legitimate business and asks the recipient to update their password or verify personal information, such as bank or credit card details. Once the recipient clicks the link, it leads to a spoofed website that looks identical to the real business website, where the cybercriminal can then harvest the person’s sensitive information.
Cybercriminals are even using emails pretending to be from legitimate regulatory agencies as bait. In March 2024, FINRA issued a cybersecurity alert notifying firms about ongoing phishing scams involving fraudulent emails purporting to be from FINRA executives. In that alert, FINRA warned, “The e-mail addresses and domain ‘data-finra.org’ are not connected to FINRA, and firms should delete all emails originating from these domains.”
Reporting requirements for cyber incidents
Financial services firms also have regulatory obligations to report cyber incidents. For example, a final rule issued by the Securities and Exchange Commission (SEC) in September 2023 requires public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 to disclose any cybersecurity incident that the company deems “material” to investors.
In that disclosure, the company must describe the “material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations,” according to an SEC fact sheet.
A material cybersecurity incident must be reported within four days of discovery unless the U.S. Attorney General determines that its immediate disclosure would pose a “substantial risk to national security or public safety,” the SEC stated.
The company must also annually disclose material information regarding its cybersecurity risk management, strategy, and governance. The rule requires comparable disclosures by foreign private issuers.
Cyber risk management best practices
Evans stressed that end users, devices, and networks are all areas that expose the firm to cyber threats and need to be properly managed. Consider, for example, who has access to the systems and networks that hold sensitive customer data and/or data that is critical to the organization, and what can be done to protect that data.
Evans further advised that firms mitigate physical risks as well, such as locking sensitive documents in a desk drawer rather than leaving them in plain sight. Encrypting data is also critically important, he said.
Education and awareness are other proactive ways to reduce cyber risk. It’s important to create a security awareness training program, Pathak stressed, and to make sure employees know whom to turn to if they fall victim to a phishing attack or other cyber incident.
Given that regulators are paying closer attention to organizations’ security and data privacy processes, procedures, and controls, financial services firms that want to best protect themselves from cyber threats should review the NIST frameworks and any current and forthcoming regulatory guidance documents as they become available.