When you know more about these threats, their nature, and their perpetrators, you can develop a deep bench of data and facts to better protect your institution.

Reducing Risk

Cybersecurity Threats Aren’t All Bad for Financial Institutions

  • John Moeller
  • Keith Brooks
  • 10/31/2019

As we meet with financial institution leaders across the country, it’s clear that cybersecurity threats are one of the largest challenges for institutions. Between the seemingly random nature of the attacks and the utter devastation they can bring to a business, these threats are always among the top security risks. Knowing this, we’ve decided to turn the table and think about whether cybersecurity threats can actually benefit an institution.

Could cybersecurity threats be a good thing?

The obvious answer is no. But in all actuality, good can come out of today’s cybersecurity threats. When your cybersecurity tools, training, and procedures uncover and define a threat, you can, and should, be using that to drive your strategic technology planning so you can address these risks.

In today’s world, when cybersecurity threats are alarmingly on the rise and taking new and inventive shapes on a daily basis, many institutions are still under-planning and underspending in technology and preventative measures that should ideally help protect an institution, its customers, and its data. Most institutions are replacing their old technology, as is required to maintain their current states of operation and cyber readiness. But it has become commonplace that, when this new technology is deployed, it is not configured adequately to address mitigating controls presented in tools like the FFIEC’s Cyber Assessment Tool (CAT) and the newer FSSCC’s Automated Cyber Assessment Tool (ACAT).

Unfortunately, the days of spending on technology to just replace what is beyond its serviceable life are gone, and the days of meaningfully planning and strategically addressing the ever-changing faces of cybersecurity are here to stay. If an institution does not think progressively and look to the future, its technology becomes the biggest and most visible target for cybercriminals to exploit. And nobody wants to have that distinction set them apart in an already tightly contested marketplace.

Plan before you buy new technology

When looking at the current state of banking, stop for a moment and consider that while leaders of these institutions identify cybersecurity threats as one of their top two risks, they also acknowledge that they are dramatically underspending on the very technologies required to mitigate these risks. Financial institutions should take the time to update their current strategic technology plan. This means that any new hardware, software, or outsourcing agreements being considered for purchase or use should show tangible value in mitigating known cybersecurity threats faced by the institution.

Each strategic initiative in an institution’s plan should also directly support one or more controls as identified in the ACAT. At the very least, all new technology implementations and improvements should seek to improve the overall baseline maturity controls of the institution and help it to meet evolving-level security controls as defined in the ACAT. Simply put, improving the maturity of the controls in place within your institution improves the overall security posture of the organization.

Make cybersecurity part of your existing strategies

There are other benefits to embracing cybersecurity, its associated threats, management, and the systems your institution has created to deal with it. Leaders and their board of directors are already well-versed and skilled at calculating, managing, and ultimately addressing risk in their day-to-day jobs. But what would happen if you were to tie cybersecurity threats to your existing strategic planning processes? For starters, your institution would begin to automatically spend more focused, concentrated time making leadership aware of significant and ever-changing cybersecurity threats. The very nature of these steps would add highly valuable continuing education to help them understand the threats that exist in today’s modern cyberspace. If these leaders are exposed to focused, clear, and valuable information, presented in a clear and concise manner that neither embellishes nor downplays the true nature of the risks they face, it is very likely that these leaders will commit to the additional IT spending dollars needed to secure an institution’s technology. This process, and the required spending it will drive, will naturally reduce cyber risks.

Cybersecurity threats aren’t going away

So, are cyber threats a good thing? By nature, no. But as the world stands today, these threats are most certainly a part of our daily reality. By having knowledge of these threats, their nature, and their perpetrators, you can develop a deep bench of data, facts, and information that you can lean on to educate, remediate, and better protect your organization. Ignoring this information is not an option, and neither is pretending it doesn’t exist. Instead, institutions should take this information and make it actionable and meaningful to those in positions of leadership, which is a sure-fire way to draw the necessary attention to these serious concerns.

How we can help

Defending your organization from cybersecurity threats starts with taking proactive steps. Our professionals are well-versed in financial institutions and can help assess the cybersecurity measures you currently have in place. Through a vulnerability assessment, penetration testing, and other cybersecurity services, we can help you recover from previous attacks and strengthen your defenses against future threats.

  • John Moeller, Principal
  • Keith Brooks, Client Engagement Leader - Enhanced Managed Services