The capital markets have always been a lucrative target for cybercriminals, and the past few years have only intensified these threats. A stark reminder of this vulnerability was the ransomware attack on CNA Financial Corporation in March 2021, one of the largest insurance companies in the United States. This incident, in which hackers demanded a $40 million ransom, underscores the alarming sophistication and audacity of cybercriminals targeting financial institutions.
The nature of attacks has evolved, with advanced persistent threats (APTs) and sophisticated phishing schemes becoming more prevalent. Recent statistics show that ransomware attacks have also become increasingly common, with 17% of security incidents in 2023 involving ransomware.
As digitalization accelerates and geopolitical tensions rise, capital markets firms must recognize that their traditional security measures may no longer suffice. In our blog, we provide a nuanced, critical take on the essential strategies capital markets firms must adopt to ensure robust cybersecurity.
Let’s start by understanding the nature of these threats.
Dissecting the Threat Landscape
Typically, capital markets firms trust their employees, vendors, and contractors with valuable data, including confidential client information, which inherently increases the risk of an insider attack. Insider threats are considered especially dangerous because they are difficult to predict and to detect in a timely manner, which drives up the overall cost of an insider incident.
Another aspect is that many firms increasingly rely on third-party IT service providers. While such external providers can improve operational resilience, they also expose the industry to systemwide shocks. For example, a 2023 ransomware attack on a cloud IT service provider caused simultaneous outages at 60 US credit unions.
The Need to Adopt a Multi-faceted Cybersecurity Strategy
To stay ahead of cyber threats, capital markets firms must adopt a multi-faceted cybersecurity strategy that encompasses advanced technologies, regulatory compliance, and a security-first culture.
Systemic Risk Assessment and Third-Party Dependencies
According to a recent report by IBM, the average cost of a data breach in the financial sector was $5.72 million in 2023. The interconnected nature of U.S. securities markets makes systemic risk assessment and third-party dependencies critical areas of focus for cybersecurity. In the context of cybersecurity, systemic risk refers to the potential for a single cyber incident to trigger widespread instability within the financial system.
For instance, the 2020 SolarWinds attack highlighted how vulnerabilities in widely used software can affect multiple financial institutions, including capital markets firms. The breach allowed attackers to access sensitive data across numerous organizations, demonstrating the cascading effects of such incidents.
The SEC charged SolarWinds and its Chief Information Security Officer (CISO) with misleading investors about the company’s cybersecurity practices and risks. This marked the SEC’s first cybersecurity enforcement action against an individual, emphasizing the importance of truthful cybersecurity disclosures and robust internal controls for public companies. For the industry, this highlights the necessity of treating transparency and robust cybersecurity measures as integral components of corporate governance. Firms must recognize that cybersecurity is not just an IT issue but a critical business imperative. The takeaway is clear: robust cybersecurity and honest disclosure are now non-negotiable for meeting regulatory standards and protecting investor trust.
The SEC’s Regulation S-P requires firms to adopt written policies and procedures to protect customer records and information. This regulation highlights the need for firms to manage third-party risks effectively. Similarly, FINRA’s Rule 3110 emphasizes the importance of supervisory systems to monitor and manage cybersecurity risks associated with third-party vendors.
Prioritizing Data Reporting and Information Sharing in Capital Markets
Capital markets firms should prioritize the collection and reporting of cyber incidents and share relevant information with industry peers to build collective preparedness. The 2017 Equifax data breach, which exposed the personal information of 147 million people, highlighted the consequences of delayed reporting. The breach resulted in severe regulatory scrutiny and financial penalties, emphasizing the need for prompt incident disclosure.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an industry consortium of 7,000 financial institutions that provides a platform for financial firms to share threat intelligence and mitigation strategies.
Promoting Cyber Maturity and Governance
Cyber maturity should be integral to the governance structures of capital markets firms. This involves ensuring that boards have direct access to cybersecurity expertise. For example, leading firms like Goldman Sachs have established dedicated cybersecurity committees within their boards to oversee and guide cybersecurity strategies. Such governance frameworks ensure that cyber risks are managed at the highest levels, fostering a proactive approach to cybersecurity.
Another aspect involves improving cyber hygiene, which includes deploying antimalware solutions, enforcing multifactor authentication (MFA), and conducting regular cybersecurity training for employees. Improving log visibility is yet another factor, since greater visibility allows for quicker detection of and response to potential threats. According to a 2022 McKinsey survey, between 2019 and 2022 several firms increased their log visibility from 30% to around 50%, with plans to reach 65-80% in the next couple of years.
Derisk to Protect – The Way Forward
While transformative, the adoption of AI, blockchain, and cloud services introduces new cybersecurity risks into the already vulnerable threat landscape of capital markets. If not properly secured, these technologies can become entry points for cyberattacks.
Firms should not rely solely on technology but should also invest in continuous employee training, regular risk assessments, and robust incident response plans. Ultimately, technology should be part of a broader, proactive cybersecurity strategy that includes regulatory compliance, information sharing, and strong governance to truly secure capital markets. The cyber clock is ticking, and financial institutions must prioritize derisking these technologies to safeguard their operations and reputation.
Talk to us to strengthen your cybersecurity strategy with our tailored IT solutions. Address current vulnerabilities and prepare for future threats.