This is the final installment in a three-part series exploring cybersecurity predictions for 2023. In the first two pieces, Michael Welch and Ferdinand Hamada explored their predictions for GRC and the healthcare sector.
In this piece, Perry Menezes, MD and Global Head – Financial Services, Cybersecurity Practice, MorganFranklin Consulting describes his cybersecurity predictions for the financial industry. However, many of these predictions are equally applicable to companies across all industries.
1. Cloud Adoption gains steam in the Financial Services Sector, as the perception of (cyber) security risk changes for the better.
Over the past few years, as the barriers to cloud adoption have started to fall, including regulators becoming more comfortable with cloud use in the FS sector, financial institutions are cautiously making the move to cloud computing. While there are benefits to moving to the cloud, Financial Services firms are taking a cautious and measured path toward migration.
While cloud computing has benefits in the areas of availability and cost-effectiveness, these benefits can quickly turn into liabilities for the firm if the move is not managed properly (with good cloud governance, a shift from a tech-centric to a more business-centric view, an understanding of the contracting considerations in cloud service arrangements, etc.).
Digital banks are leading cloud adoption, and as with any journey, they realize it is not an overnight one, but rather one with clearly defined milestones, budgets, resources and an understanding of dependencies across the enterprise. Compliance, security, resiliency risks and their mitigation are also factors in this journey. A rushed (and not properly thought-out) plan for cloud adoption and migration exposes firms to a greater risk of cyber-attacks and breaches. In July 2022, the Bank for International Settlements said that the financial sector’s increased reliance on cloud computing was “forming single points of failure” and “creating new forms of concentration risk at the technology services level”. The Federal Reserve Bank of New York has also previously warned about the “transmission of a shock throughout the network” should financial services be “connected through a shared vulnerability”.
Firms seeking to migrate, or already migrating, to the cloud are well advised to continue exploring all options, including a hybrid approach in which they load-balance and distribute their workloads across on-premises, public, private and/or hybrid clouds to reduce and manage cyber risk.
2. CISOs Need Personal Liability Protection
CISOs are responsible for managing corporate exposure to cybersecurity threats and risks. This includes implementing and operating the organization’s cyber defenses and responding to cybersecurity incidents. Over the past few years, as cyber threats and attacks have increased in frequency and sophistication, CISOs at all but a few firms remain on the front lines with limited resources and budgets.
With this, CISOs now face increased personal liability for corporate data breaches, including the potential for criminal charges. As a result, CISO contracts will increasingly include liability protection, and CISOs may require personal liability insurance for errors and omissions related to their professional duties.
3. Risk Management Becomes a Focus
Companies face cybersecurity risks that go beyond the threat of data breaches and regulatory non-compliance. Protecting against ransomware attacks and other threats to business operations and data security may require security controls above and beyond those specified by regulations.
All organizations — but especially those in the financial sector — will need to continue taking a risk-focused approach to designing and implementing security controls. Companies need to know their critical assets and processes, identify the risks to them, and implement controls to improve security.
4. Security Awareness Training Is Critical
Social engineering attacks, such as phishing, are common in the largest cyberattack campaigns. The evolution of new technologies — such as deepfakes and AI tools such as ChatGPT — has the potential to dramatically increase the realism and threat of social engineering attacks.
With the growth of threats targeting their employees, companies will increasingly focus on security awareness training and on building employee engagement. Gamification, and descriptions of how attacks work that are widely accessible, help to improve employee engagement and retention of training material.
It is important to recognize that Security Awareness Training has, for the most part, been geared towards meeting compliance requirements. With the increasing frequency and sophistication of cyber threats and attacks, it is now critical to shift towards security awareness training that builds a security culture within companies (in addition to serving compliance purposes).
How MorganFranklin Can Help
The evolution of the cyber threat landscape makes accurate risk assessment and management critical to business success. MorganFranklin experts can help organizations to identify the leading risks that they face and to design and implement strategies for mitigating these risks.
This is the final article in a three-part series on cybersecurity predictions for 2023. If you haven’t already, check out the first two articles on GRC by Michael Welch and the healthcare sector by Ferdinand Hamada.