10 Questions for Financial Services when considering Cybersecurity Solutions
Netify have listed 10 questions that IT decision makers in financial services organisations must answer, together with the requirements vendors must meet for each one.
1) What financial services does my organisation need to expose to the public internet?
a) Online banking services
b) Portfolio access
c) Transaction processing
d) Others?
Requirement 1 – mitigations for web-based attacks: If any of the above are requirements, solutions must include features that defend against web-based attacks as the primary attack vector. Important features to look for include DDoS mitigation, Web Application Firewalls (WAF), and Secure Web Gateways (SWG).
2) What type of financial services does my organisation provide to customers/users?
a) Financial advice
b) Investment Advice
c) Trading tools with live trading
d) Other brokerage services
e) Banking services
Requirement 2 – robust reporting: If any of the above are requirements, solutions must provide capabilities for compliance reporting. Consider this: in the United States, every trader, advisor, or broker must be licensed and registered. Financial services organisations who employ traders, advisors, or brokers must be able to prove to auditors that they verified licensing and registration upon hiring and that they continuously monitor licensing and registration for existing employees. The same level of diligence is required for proving that cybersecurity controls are effectively implemented, so it’s important for solutions to enable organisations to generate reports to satisfy compliance audit requirements, without requiring additional tools or development.
3) What type of payment information do your organisation’s internet-facing applications gather, share, process, or store?
a) Credit card data
b) Debit card data
c) Live payment transactions
d) No credit card or payment information is processed or stored in any way, or, it’s processed or stored securely by a 3rd party
Requirement 3 – 24×7 monitoring: Unless you chose ‘d’, you’ll need a SOC or a security solution that provides 24×7 threat detection and incident response capabilities. In addition to meeting requirements for PCI DSS and other compliance frameworks, the financial services industry has a critical need for fast detection and response.
4) What type of security team does my organisation currently have?
a) In-house SOC staffed 24×7 with a team of analysts and incident responders
b) The IT department has some security specialists that are effective at dealing with threats and incidents
c) The IT department deals with most threats and cybersecurity incidents and we have consultants that they can call in for help when necessary
d) We have a 24×7 managed security service that handles all of our detection and response requirements
Requirement 4 – alignment with a maturity model: Cybersecurity solutions need to fit the organisation’s target security maturity. Organisations should have a way to track progress toward a target level of maturity and choose solutions that evolve with the organisation as its security posture evolves. This is an important part of Governance, Risk and Compliance (GRC) and it’s never too early to implement a solution with GRC capabilities. This helps visualise what the current posture is (a), outline what you’d like it to be in the future (b) and implement a plan to get from (a) to (b).
5) Users of my organisation’s services and resources come from:
a) Around the world
b) Just the United States
c) The United Kingdom and European Union
Requirement 5 – privacy and data protection compliance: If your organisation stores or processes information belonging to citizens of the United Kingdom or European Union, solutions must provide or incorporate security policies necessary for compliance with GDPR. When doing business on an international level or sharing information overseas, it is very important to know that your organisation is following all GDPR standards or other relevant standards in jurisdictions where your customers live.
6) My organisation has compliance obligations that require us to provide notice and get consent for handling the following types of data:
a) Financial
b) Personal
c) Credit card information
d) Transaction history
e) Nothing that we’re aware of
Requirement 6 – data classification: If you have compliance obligations around handling any type of protected data, solutions must be able to classify and index protected data points (preferably in an automated way) and to manage data retention. This can be found in cloud platforms with built-in Identity and Access Management (IAM), Content Delivery Network (CDN) providers, or bespoke data classification and consent management tools. To fully comply with privacy regulations like GDPR or CCPA, organisations need to ensure that proper notices are displayed, that consent is given and can be linked back to the user who gave it, and that the information is archived or destroyed, either by ageing it out or by processing removal requests from users.
7) How would a ransomware attack impact my organisation?
a) It would be dealt with – we have a complete (and tested) mitigation and recovery strategy
b) It would be devastating – we have no mitigation or recovery strategy
c) It would be difficult but we’d manage by recovering from backups
Requirement 7 – ransomware protection: Any good security professional will never commit to being 100% prepared for any adverse event. Regardless of how prepared you may think you are, you should always be looking for solutions that specifically address ransomware, as it’s one of the top threats in the current landscape across most industries. Ransomware is also one of the most prevalent threats in the financial sector because it is easy to distribute, readily available in automated form even to less-experienced attackers, and highly effective. Financial organisations should also have a tested data breach prevention and mitigation strategy that ensures data will not be lost or stolen and is always available when needed.
8) Where are our data and applications hosted?
a) Cloud
b) On premises
c) Both
Requirement 8 – appropriate perimeter defences for your on-premises, cloud, or hybrid solution: Many of today’s leading cybersecurity solutions are focused on protecting cloud infrastructure, so if your infrastructure is mostly on-premises or isn’t connected to the Internet, ensure that you’re looking at solutions that can support on-premises environments without outside connectivity. For cloud-based internet-facing environments, strong Identity and Access Management (IAM) and Web Application Firewalls (WAF) are critical first lines of defence.
9) My organisation’s stance on cybersecurity is best described with the following statement:
a) My organisation is committed to meeting the minimum requirements by law or contract obligations.
b) We’re not subject to any compliance obligations, but my organisation is committed to using industry best-practices to secure data and privacy.
c) My organisation is committed to providing world-class security of data and privacy in order to gain customer trust and maintain our brand reputation.
d) My organisation is committed to evolving our security posture as best we can, but we know we have a lot of work to do with limited resources.
Requirement 9 – future proofing: Regardless of what resources you have or how committed you are to focusing resources on security, you should always favour solutions which are innovative and able to continue to grow with the ever-changing cybersecurity threat landscape. We all know that cyber threats are not the same from day to day and that as soon as one threat is discovered, a new variant is already being developed or released into the wild. Solutions also need to be flexible when it comes to automation and reporting so that they can keep up with new and changing compliance requirements. One can reasonably predict that the regulations around cybersecurity will continue to change rapidly in response to emerging threats and the increasing frequency of breaches.
10) My organisation’s brand relies on maintenance of:
a) Customer service
b) Product quality
c) Marketing
d) Trust
Requirement 10 – internationally-recognised standards: Where demonstrating your security program’s capabilities is important to maintaining customer trust, consider avoiding vendors who can’t demonstrate compliance with internationally recognised standards like ISO/IEC 27001/27002, NIST 800-53, or others which are aligned with your industry.
How to compare features vs requirements for financial services companies?
It is imperative that organisations understand how cybersecurity aligns with business goals when looking at security solutions. That means knowing what regulations apply to them and whether they want to future proof their security posture or just keep up with common best practices. If meeting compliance requirements is the task at hand, there are many vendors that can put a solution together for near-immediate results, but understanding what the organisation’s compliance obligations are and which vendors’ strengths map to those obligations is a key first step in the selection process.
Understanding your organisation’s security capabilities, whether they can meet compliance requirements, and whether it makes more sense to expand your security team or retain managed security services is similarly important. While traditional endpoint security products like Malwarebytes, Kaspersky, or ESET might offer solutions suitable for on-premises, cloud, or hybrid environments, it’s important to remember that these are essentially Do-It-Yourself (DIY) products and these vendors don’t offer managed services. If DIY products are a good fit for your needs, make sure to take them for a test drive to ensure that they can meet reporting requirements without having to develop or acquire additional tools.
In organisations with applications which process financial transactions in real time, or with sensitive financial information distributed across a large enterprise estate, solutions with best-in-class eXtended Detection and Response (XDR) as well as Managed Detection and Response (MDR) services can be an important layer of defence. These types of environments need trained and experienced analysts who can perform live threat hunting to detect Advanced Persistent Threats (APTs) that may have escaped perimeter defences and found refuge within the network to ‘live off the land’.
To summarise, organisations in the financial services sector need to implement a layered defence approach to meet their business and legal needs. The NIST CSF is a great place to start because it’s designed for either partial or full implementation. Many resources exist to help map security frameworks to solutions from NIST, the Center for Internet Security, the Cybersecurity and Infrastructure Security Agency (CISA) in the United States and many more. There are also many vendors who offer GRC products and managed services to help organisations at any security maturity level implement and manage security policies and track progress toward compliance. Fortunately there is an abundant marketplace of cybersecurity solutions available and many of them have a specific focus on financial services organisations or relevant compliance frameworks like PCI DSS, SOX and others. This means that financial services organisations have many choices of cybersecurity solutions that can protect them from today’s threats, but making the best choices needs to begin with a solid understanding of your organisation’s unique needs, business goals and legal obligations.