Three steps to build resilience to cyber attacks

As the likelihood of a cyber attack on multiple financial firms increases, banks must shore up their operations to be able to quickly recover. Regulators, concerned with the growing number of cyber incidents, have turned their attention to the resilience of financial institutions and their respective third parties, requiring these organizations to develop capabilities that build greater resilience and have developed rules and principles designed to guide financial firms through that process.

“Resilience” comprises different focus areas—including operations, cybersecurity, and individuals—but there are three things that financial institutions can do today to improve their resilience and boost their cyber defenses.

Understand business operations

A cyber attack that disrupts the critical operations of a single bank poses a risk to the entire financial sector. Therefore, it is essential that firms have a clear and consistent understanding of their critical operations across business lines and that they secure internally-owned systems.

It is also important to assess the role that third parties play in delivering these critical operations. The key is clear documentation, with buy-in from the business areas that use it. Clarity and agreement on critical operations allow banks to understand the potential impact of operational and cyber incidents.

Increasing reliance on third parties to deliver critical operations means that true operational resilience cannot be achieved without verifying the resilience of those third parties. So financial firms must ensure they understand what the third parties do to build resilience capabilities, and oversee how they deliver their services. Ultimately, third parties should be viewed as strategic partners, and firms should work with them to identify opportunities to build resilient services.

Enhance technology capabilities

Cyber attackers are continuously modifying their tactics, techniques, and procedures (TTPs) to bypass legacy security controls. Sophisticated criminals rely less on malware and more on custom toolkits, built-in operating system tools, and valid user credentials to gain entry into firms’ networks. These approaches significantly decrease the effectiveness of anti-malware software.

Financial institutions should consider more advanced threat detection including threat hunting, advanced intrusion detection with automated prevention and remediation capabilities, and threat-led penetration testing of networks to enable the rapid detection of malicious cyber activity.

Emerging technology and improvements to existing technology are driving innovation and newer, better products in this space. However, new technologies may create new risks. As banks adopt them in the process of modernizing their services, they also must understand how any changes in their technology environment affect their risk posture.

This may include assessing the implementation of any new technology against the vendor’s security baseline and the financial institution’s cyber risk framework, as well as increasing the monitoring of the new network infrastructure.

Prioritize security training

Security awareness is the process of making employees aware of risks and informing them of expected behaviors. Employees should understand the risks they face and receive clear instructions on how to minimize them. Firms can educate their employees on these risks by leveraging various tools like screensavers and podcasts, and by developing a schedule for distributing content and training.

Technology and security professionals need specialized security training, given their hands-on role in the implementation and delivery of security and related services. One-time training is not sufficient to effectively manage threats. Firms should budget and provide ongoing training for employees to ensure their knowledge and skills remain current, and that they are familiar with the latest security practices within their line of expertise.

Lastly, forming peer-sharing groups across organizations may enable security professionals to learn best practices from similar organizations, which they can then incorporate into their own policies.

As the financial services industry’s risk landscape continues to evolve, resiliency will remain a critical consideration across firms. It is important to remember that resilience is a journey that will need to be continually assessed and fine-tuned. By gaining a thorough understanding of critical business operations and dependencies, enhancing technology capabilities, and prioritizing internal security training and awareness, firms can lay the foundation for increased resilience in this complex threat landscape.

Jason Harrell is managing director, operational and technology risk and head of external engagement at the Depository Trust and Clearing Corporation