NYDFS

Risk Facing Financial Services

Risk Facing Financial Services

Financial services institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:

 

Social engineering and funds transfer fraud

Financial Services .jpg

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried about by criminals leveraging fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have greater control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.

 Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs when meeting these new requirements, along with higher potential penalties if an institution fails to comply. In many instances, resultant fines and penalties following regulatory failures are uninsured or uninsurable. Financial institutions should seek cover where regulatory enquiry costs and expenses are covered.

 Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs of the consumer and the consumer’s expectations. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the miss-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.

 Reputational damage

Predatory banking is only one type of behavior that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failure in anti-money laundering controls by Wells Fargo or HSBC, who were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media can mean that reputational damage spreads far faster than ever before.

 Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cut backs and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete negotiation – could have effect elsewhere, including the US, where European headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant institutions.

 Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining steam and traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic, but they will also need to provide more services to their clients to ensure they are competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.

 

NYDFS Cybersecurity Retain a CISO, CSO -Regulation Compliance

NYDFS Logo.jpg

With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training, and controls in place in order to protect data and information systems, said Superintendent  in a press release issued by DFS, CyberSecOP helping financial organisation comply with the NYDFS manadates.  

With the New York Department of Financial Services’ (NY DFS) new terms poised to come into effect next month, banks and financial services companies operating in the state must start preparing for the change.

One of the most discussed issues in the controversial proposal is the requirement to appoint a CISO (chief information security officer). The move was met by heavy criticism at a hearing in December last year, leading to a massive backtrack from the DFS in a revised proposal.

Requirements of the CISO

The latest proposal removes any explicit requirement to hire a CISO, which is good news for many smaller or rural financial institutions that don’t currently have one in place. What this means, practically, is that the position is no longer necessarily exclusive. Banks can choose to designate someone to complete the tasks of a CISO while also performing other duties. Alongside this, the proposal does not state that the specific title of ‘CISO’ is required.

So what will the CISO (or CISO by any other name) be asked to do? The role now covers a broader set of responsibilities but in a less detailed manner. The designated person will have to provide an annual report to the board of directors (previously proposed as a biannual report) on the “cybersecurity program and material cybersecurity risks”, according to the proposal. It is now specified that the report must be “in writing” but it no longer needs to be provided to the NY DFS upon request.

The required content of the report will now also be less extensive. The CISO must identify and report only on material cyber risks rather than all cyber risks. This will involve “consider[ing]” those issues “to the extent applicable.” Additionally, the CISO will be able to tailor their focus to the issues appropriate to their organization.

Finding the right candidate

The NY DFS’ revision allowing the CISO to be an employee of the covered entity (i.e. an internal hire), or an affiliate or third-party service provider offers crucial flexibility for smaller financial institutions.

Companies with only a handful of employees – the most vocal in their frustration at the DFS’ initial plans – may look to shuffle their existing staff.

When doing that – or in making a new hire – there are certain things organizations need to look for. The CISO role is not just a tech-specific position, notes John Linkous, RSA Conference’s technology advisor, but they must now be “a trusted advisor to the business as a whole”. He adds:

“One of the most critical capabilities is simply the ability to understand the business much more intimately than his or her predecessors. Business drives the need for technology, and so security must be focused on how data is used within those business functions, across the end-to-end spectrum. Without a solid understanding of what the organization does, and how it makes money, an information security officer is going to have a fundamental disconnect with what’s needed to protect the enterprise.”

Third-party service providers or affiliates

Given the responsibility placed on the CISO, outsourcing the role to a third party can be an appealing proposition.

Going down this route presents its own set of issues, though. As TechTarget reported, third parties are “almost always” involved when it comes cyber breaches – arguing that it is either through a lack of accountability or oversight. While service-level agreements (SLAs) are always advised, the DFS has taken steps to ensure the right measures are in place. In response to the fear that financial services firms would not always have sufficient power to force third parties to accept their preferred provisions, the NY DFS now dictates that all third-party services must be performed under contractual provisions rather than by way of “relevant guidelines for due diligence.”

Source: www.itgovernanceusa.com