DTCC: Top 3 cybersecurity gaps in financial services

By Jason Harrell, Executive Director, Technology Risk Management, Head of Business and Government Cybersecurity Partnerships at DTCC

2020 has been filled with many significant events. Brexit, the upcoming US elections, and the ongoing COVID-19 pandemic have dominated headlines and have driven market behaviour. The financial sector closely monitors these current events with a focus on continually enhancing its ability to be resilient to the increased and ongoing cyber activity that often results from them.

Resilience, or the ability to prevent, adapt, respond to and recover from events that affect a firm’s operations, requires a comprehensive strategy. As a result, market participants, working alongside supervisory authorities, vendors and their peers, must consider how they can continue to bolster the preparedness and response of the collective global financial system in the face of disruptive events.

This on-going assessment has revealed three areas which can continue to be improved: workforce displacement, third party/supply chain risk, and incident reporting.

Workforce displacement
The coronavirus pandemic shifted the workforce from largely centralized office locations to countless home networks. This sudden shift has increased the pressures on millions of families to adjust to a new work-life approach. For financial institutions, this displacement created a greater reliance on its employees to protect their home networks from compromise while increasing vigilance around the current safeguards to protect the organization from this new threat vector. For individuals, the shift from office to home can potentially lower an employee’s focus and ability to identify phishing and business email compromise attacks. Cybercriminals have sought to capitalize on this area with numerous attempts to lure individuals to click on malicious links related to the pandemic. COVID-19 heat maps, information sites, donations, and other emails are constantly being used to entice individuals. Financial institutions must continue to be vigilant in providing their workforce with the tools and information needed to fully understand these attacks and protect themselves, their home networks and ultimately their organization from compromise.

Third-party/supply chain
Firms are increasingly leveraging third-party providers to accelerate innovation and reduce costs by outsourcing operational services. While this approach has advantages, it is important that financial institutions understand the operational impacts of a third-party supply chain disruption during times of stress or volatility. This presents a strategic challenge, as it can be difficult for firms to fully understand the resilience capabilities of third-party vendors. These third parties may also use vendors and other service providers which increases the difficulty for financial institutions to understand the complexity of their supply chain. An expanded supply chain also increases the surface area for potential threat actors to disrupt a firm’s activities and overall financial market stability.

While industry discussion around third-party risk and resilience are ongoing, two clear themes are emerging. One, third-party risk is a growing area of interest among global supervisors looking to ensure their regulated entities have business models and operating structures in place that manage these potential risk exposures. Two, there is a shared responsibility between financial institutions, supervisory authorities, and critical service providers to affirm sector resilience from third-party service disruptions and address any cybersecurity gaps that may be created by expanding supply chains.

Incident reporting
Financial Institutions that provide multiple financial products or operate in several jurisdictions may be subject to examination by numerous supervisory authorities. These same authorities must be notified of material operational events that impact the delivery of financial services to the market. These notifications may differ around the amount of time given to report an incident, the information required in the notification, and how these reports are submitted (e.g., email, web form). These deviations make it challenging to comply with regulatory obligations while simultaneously managing the resources necessary to effectively respond to an incident. Therefore, any opportunity to better align incident reporting across regulatory authorities and reduce the resources required to report an incident could increase the resilience of the financial sector and should be considered. Harmonization around incident reporting may also provide greater insights into operational incidents across the financial services sector, which could be used by financial institutions to focus on potential weaknesses or changes in the threat landscape.

Since 2013, cybersecurity has consistently claimed the top spot on DTCC’s annual Risk Forecast since the survey launched. The survey that will inform the 2021 forecast is currently underway, and while the pandemic and geopolitical factors are likely to rank high on the list, it is expected that cybersecurity will remain a chief concern and a continued threat to resiliency. By working to better address areas such as workplace displacement, third party/supply chain risk, and incident reporting, institutions can help to ensure the resilience of an increasingly digitized and interconnected financial services industry, while cultivating trust that the markets will continue to operate smoothly.

Jason Harrell
Executive Director, Technology Risk Management, Head of Business and Government Cybersecurity Partnerships
DTCC