As a Financial Service Provider, how should your firm prepare for cyber threats?
Financial Service Providers store large quantities of sensitive information and process significant financial transactions on behalf of their clients. To deliver those services, firms are adopting new technologies, including generic cloud services and specialised fintech products. New technologies carry new risks, and Financial Service Providers are an attractive target for cyber criminals regardless of their size. Cyber risks include privacy breaches, data loss and financial loss, each of which can lead to wider disruption and damage to a provider's reputation. A number of financial regulators have recently provided clear guidance on cyber resilience. We have summarised this below.
On 11 July 2019, the Financial Markets Authority (FMA) released a report on their review of cyber-resilience in New Zealand financial services. The report summarises the findings and provides guidance for firms where the need for improvement has been identified. The FMA has encouraged sector participants to comply with its expectations and best practice. “Cyber-risk encompasses all risk of loss, disruption, or damage to a firm caused by failure in its information technology systems – from both internal and external threats. The interconnectedness of the financial sector means any part of it might be an entry point for a wider cyber-incident.”
The report goes on to recommend that all market participants should assess cyber-risk as part of their wider risk-assessment and management programme. “We also strongly encourage all market participants to use a recognised cybersecurity framework to assist with planning, prioritising and managing their cyber-resilience. The National Institute of Standards and Technology (NIST) cybersecurity framework core, for example, enables firms to assess maturity across five functions: Identify, Protect, Detect, Respond, and Recover.”
On 20 October 2020, the Reserve Bank – Te Pūtea Matua (RBNZ) released draft guidance on what regulated entities should consider when managing cyber resilience. The draft guidance, which is open for feedback, outlines the Reserve Bank's expectations around cyber resilience and draws heavily on leading international and national cybersecurity standards and guidelines. “As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around the world.”
Australian Council of Financial Regulators (CFR) Guidance
The Council of Financial Regulators (CFR) has released the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry. The framework has been developed to aid the preparation and execution of industry-wide cyber resilience exercises. A key objective of CORIE is to provide data and reporting that inform the relevant Australian regulators of systemic weaknesses that may present a risk to the integrity and stability of Australian financial markets. The framework also aims to identify actions that uplift the cyber resilience of financial institutions. CORIE exercises mimic the tactics, techniques and procedures (TTPs) of real-world adversaries, building and using tools and techniques that the institution may not have anticipated or planned for.
How We Can Help
We assist financial service professionals to manage their cyber security risk, with a particular focus on data privacy and security. Examples of our services include: