
Six New Year resolutions for financial services CISOs


What should be the priorities for financial services cybersecurity teams in 2022?


In brief

  • Importance of CISOs in organisations is further increasing
  • Knowing yourself and your third parties with regard to cybersecurity is key

For most chief information security officers at financial services businesses, 2021 has been a challenging year. Almost three-quarters of CISOs in the sector (71%) have seen an increase in the number of disruptive cyber-attacks on their organisations over the year, according to EY’s Global Information Security Survey 2021.

And the regulatory burden has never been tougher: 50% of financial services CISOs say compliance can be the most stressful part of their job.

Against this backdrop, and with their resources often stretched, how will CISOs and their teams rise to the challenge in 2022? Protecting the organisation as its attack surface expands and endpoints multiply is getting harder. EY’s Cybersecurity Health Check (powered by Tanium) finds that between 12% and 20% of endpoints have been missed – and that 60% of managed devices are missing six or more critical patches.

The answer is that every organisation will need to prioritise – and now is the moment to be making New Year’s resolutions about the tasks that lie ahead for the next 12 months. Here are our suggestions:

1. Bear down on third-party risk and exploited software

The management of third-party risk is an increasingly important focus for the regulatory authorities. In particular, FINMA and its peers are keen to understand how financial services firms are using cloud platforms – how is your data protected when it sits in the cloud, for example?

More broadly, cyber attackers appear to have identified the supplier ecosystem as a point of vulnerability, particularly in industries such as financial services, where many firms have strong defences for their own networks and endpoints. They are targeting third-party software updates, as in the SolarWinds attack, stealing log-in details from third parties, and injecting malicious code into vulnerable applications.

This year, every financial services CISO needs a strategy for third-party risk. EY’s Cybersecurity Health Check can help, offering remediation for vulnerabilities such as the Log4j issue recently identified in Apache’s Java-based logging library, so widely used by enterprise apps and cloud services.


2. Reassess communications with management

The relationship between cyber security and management is also moving centre stage for regulators. That looks problematic for many financial services firms: in EY’s GISS, more than half (57%) of the sector’s CISOs complain they are not consulted in a timely fashion over the strategic decisions that their organisation makes.

The challenge for the year ahead is to build structures that ensure cyber security is able to play its key strategic role – to ensure the organisation’s leadership understands risk so that it can make informed business decisions. How can you use solutions such as Tanium’s cybersecurity reporting tools to build a data-driven story to take to the board? Does your organisation even have a policy setting out its appetite for cyber risk?

3. Invest in detection alongside prevention

The changing attack landscape – including the increased sophistication of attackers now using machine learning and artificial intelligence tools – makes it imperative for financial services businesses to invest anew in their detection capabilities. Solutions such as Tanium’s endpoint management security platform, which monitors every endpoint for risk and threat, and automates the response, will prove invaluable.

Good IT hygiene is crucial for every organisation, and the focus on prevention makes sense – but this work alone is not enough. In EY’s GISS, 53% of financial services CISOs conceded they did not know whether their defences were strong enough to stop cyber attackers using new strategies from breaking through.

4. Get on top of SWIFT’s requirements

Is your organisation compliant with SWIFT’s latest Customer Security Programme requirements? The payments network set the end of 2021 as its deadline for compliance based on an independent assessment, so bedding down new arrangements will be an important focus in the months ahead.

The current regime includes 22 mandatory controls and a further nine advisory controls, as well as requiring an independent assessment that this work has been done. Again, tools such as Tanium’s reporting functionality will prove valuable.

5. Don’t assume the ransomware boom has peaked

An explosion in ransomware attacks has been one of the big stories of 2021, and while financial services organisations have defended themselves relatively well against this threat, the danger is not over. With ransomware tooling now widely available to a broad range of attackers, and with criminal groups industrialising their code, 2022 is likely to see a further increase in these attacks.

EY GISS: … of financial services firms said they had not seen an increase in the number of disruptive attacks during 2021.

That number may shrink in the year to come. Endpoint security has never been more crucial.

6. Prepare for more work from FINMA

The Swiss Financial Market Supervisory Authority (FINMA) has made it absolutely clear that it regards cyber risk as a priority for its supervisory activities. It is likely the regulator will step up its activities in 2022, particularly in the banking sector, though insurers are increasingly moving into FINMA’s focus too. Learning the lessons of its interventions so far is important – its audits of financial services firms’ cybersecurity readiness, for example, provide important intelligence on what the regulator expects.

Regulated firms also need to think about how FINMA’s work fits into the international regulatory context, given the need to comply with the regimes that apply across all the markets in which they operate. In EY’s GISS, 67% of financial services CISOs said they expected regulation to become more fragmented – and therefore more time-consuming – in the years to come.

Summary

The information and cyber risk challenges CISOs will face in 2022 are manifold. Besides continuing to deal with an increasing number of attacks, CISOs need to give special focus to detecting cyber-attacks that will be even more sophisticated than those seen in the past, and to the cyber risks associated with business partners and third parties. Regulatory pressure for proper cyber risk management will also increase, with the aim of making financial services organisations more resilient against cyber threats.

