The year 2017 saw unprecedented change in the world of cyber – the number and scale of attacks grew significantly, while in many cases governments, regulators, and financial services firms were perceived to be scrambling to catch up. In 2018, the momentum around cybersecurity will accelerate in a range of ways – below are Cordium's top five trends:
1- Cyber threats and the number of attacks will continue to grow. The numbers here can vary, but predictions are in the neighborhood of $6 trillion in global cyberattack damage by 2021, according to data from Cybersecurity Ventures. This would make cybercrime larger, economically, than all of the drug trafficking in the world combined. As a result, according to Gartner, spending on cybersecurity is expected to hit $93 billion globally in 2018. In this Wild West, more White Hats are needed – there is a persistent cybersecurity skills shortage – which means the cost of hiring good people to help firms combat cybercrime will rise sharply. Of course, expect to see more spending on technology and compliance infrastructure too.
2- Government focus on critical infrastructure resiliency – including the financial services industry – will increase. The May 2017 WannaCry ransomware attacks, which hit utilities, health care, and other critical infrastructure organizations around the world, were a wake-up call for governments. Although work had already begun on addressing the vulnerability of critical infrastructure in countries like the US and the UK, the very real impact of the malware turned what had seemed like a purely theoretical disaster movie scenario into something quite tangible. In October, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation issued an alert warning of the possibility of an attack on critical infrastructure, and industry experts are predicting a range of potential attacks on critical infrastructure – from rogue states and criminals alike. For financial services firms, the stakes of getting cybersecurity wrong – in terms of both systemic risk and reputational risk – are very high indeed.
3- Rulemaking as well as enforcement on cybersecurity, data protection, incident reporting, and third party risk will continue to rise. New York State's Department of Financial Services was out of the gate early in February 2017 with a set of ground-breaking cybersecurity rules, including a notification requirement. Since then, other US states have followed suit. In the EU, implementation of the General Data Protection Regulation (GDPR) in May 2018 is focusing minds. Financial services regulators are already beginning to crack down on compliance – for example, in the US, Securities and Exchange Commission examiners are asking to see tailored cybersecurity policies as well as evidence of implementation. Both the US and the UK are focusing supervisory efforts on third party risk – a significant element of cybersecurity. Expect to see significant enforcement actions in 2018 as regulators around the world signal just how serious they are. In terms of regulation, however, this is just the beginning. Rulemaking in most jurisdictions hasn't even touched topics such as the Internet of Things (IoT) or Artificial Intelligence (AI) – new tools that financial services companies – and cyber attackers – are already starting to make use of. As well, regulation around cryptocurrencies and biometrics is in its infancy.
4- Regulators will be looking to see involvement from leadership and the whole organisation – including the board and the business – on cyber resiliency. Tone from the top is a recurring theme in supervisory circles, and this is becoming true for cybersecurity too. Gone are the days when cybersecurity was something only for the IT department to be focused on. Over the next year or two, regulators are going to be looking to see organizations bake cybersecurity into their overall approach to business strategy – they are going to want to see boards and senior management be more proactive, rather than reactive, around the cybersecurity threat. At minimum, this means the board should understand the organization's approach to cybersecurity and be reviewing this approach regularly. Key stakeholders in the business should be sitting in on a management-level cyber committee, and be a part of any decision that impacts customers, operations, and compliance.
5- Supervisory focus on getting the basics right – including policies, processes, testing, and a strong incident response plan – will escalate. There is little doubt that people still represent the biggest point of vulnerability when it comes to cybersecurity – clicking on a link in an email by accident, for example. So, it makes sense for regulators to ensure financial institutions get the basics right. Supervisors want to see robust policies and evidence of their implementation – including appropriate training. As well, they want to see good incident response plans that have been tested through table-top exercises. Technology can help with the basics, too: techniques like multi-factor authentication, particularly using biometric authentication, can be redeployed from smartphones onto corporate computers as a new layer of security. These techniques, which include fingerprint, face, and voice recognition, can be used to control who has access to consumer data, for example. Automating other kinds of cybersecurity can also be an investment worth making. According to a poll conducted at a Cordium New York event in November 2017, more than 44% of respondents had made a significant technology investment for cyber and information security within the past six months. Expect to see firms continue to invest more – in training, processes, and technology.
In short, cybersecurity will be a significant focus in 2018 – for firms, regulators, and the criminals that inflict the damage. Looking ahead, the more proactive a firm is in its approach to this area, the more resilient it will ultimately be in the face of a threat.