Cybersecurity Risk Readiness Of Financial Sector Measured
BitSight, a cybersecurity consulting firm has released its latest issue of the “Third-Party Cyber Risks For Financial Services” series, with the April 2019 issue focusing on the blind spots in security arrangements and best practices organizations may start to mitigate it. The company highlighted that the financial industry is at the receiving end of massive spikes in data breaches and system compromises, and drastic actions must be implemented in order to mitigate the risks.
“While the finance industry has historically had more robust cyber defenses compared to other industries, the many third parties involved in its massive supply chain – including legal organizations, accounting, and human resources firms, management consulting and outsourcing firms, and information technology and software providers – all pose potential weak spots. This begs several important questions: How is the finance industry responding to the growing challenges associated with third-party cyber risk? How are organizations measuring and reporting on this risk? What tools are they using?,” said in the report.
To answer the questions raised, BitSight polled 126 financial services companies through their representatives including those who represent insurance firms, banks and other professional financial services. They came from the United States, Europe and the United Kingdom, the majority of which are high-level managers and VP-level of their respected firms. Risk management for these companies are no longer new, as is the steering wheels of the financial sector, they have the responsibility to strictly enforce strong encryption protocols within their organization and maintain order across-the-board.
“Nearly 97 percent of respondents said that cyber risk affecting third-party vendors is a ‘critical’ (57 percent) or ‘Important’ (40 percent) issue. The C-suite is particularly aware of this issue and is taking responsibility for it in new ways. Respondents reported that CISOs, CIOs, Chief Risk Officers, Chief Compliance Officers, and CEOs are primarily accountable for third-party risk within their organizations, and 1 in 10 organizations have a dedicated role for managing vendor, third-party or supplier risk,” explained in the report.
The good thing that the report disclosed is that supermajority of the respondents confirmed that the cybersecurity issues are handled by trusted people inside the company itself and not a 3rd party vendor. 34% answered that the risk handling is handled by their CISO (Chief Information Security Officer), 20% of them have their CIO (Chief Information Officer) take the obligation, while 23% hires a Chief Risk Officer who has a full scope of responsibility in an event that a cybersecurity issue occurs.
“Clearly, financial services firms are still challenged to communicate and measure the effectiveness of their third-party risk management strategies to board members and to leadership. Organizations need to be thinking about what security metrics are most important, how to track them, and how to leverage them more effectively in executive communications. Beyond that, they need to consistently communicate how they are improving security and managing risk among third parties and other vendors,” concluded the report.
BitSight highlighted the importance for companies to keep their data and their customers’ data accurate and in good quality (unchanged by someone outside the organization), they also stressed the importance of setting-up enough funding in order to establish and maintain a continuous monitoring process for critical corporate systems. Companies need to look beyond the cost of an on-site assessment (penetration testing), seeing it as an investment will be a great start.
Julia Sowells948 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.