Skip to main content

The Building of a Cyber Resilient Financial Services Sector

By Jason Harrell, DTCC Executive Director and Head of Business and Government Cybersecurity Partnerships | June 2, 2020

As we enter the new decade, we stand reminded that technological innovation and cybersecurity threats continue to develop and evolve at an incredible pace. Firms must therefore continue to build the proper defenses to protect consumer confidential data and financial market integrity. Cyber threats have become one of the top threats to the financial services sector and the ability of firms to be resilient in the face of these threats is paramount.

But where exactly does the industry currently stand in regard to the resources dedicated to cybersecurity safeguards and resilience activities? A study led by Gartner, one of the world’s leading research and advisory firms, reported that worldwide spending on information security products and services in 2017 tallied USD 101 billion and predicted that figure would increase to USD 124 billion heading into this year.

At the same time, new technology solutions such as cloud computing, distributed ledger technology (DLT), and artificial intelligence (AI), continue to transform the way the financial services sector operates. We must understand the different risks that new technologies can introduce and how the assessments of these risks require a keen understanding of the technology and the risks inherent with how the technology is implemented. The DTCC white paper, Security Of DLT Networks, provides examples of risks that should be considered when using this emerging technology. As firms continue to innovate, they also need to consider and address the risks that come with technology’s use.

The Impacts of the Changing Threat Landscape

The DTCC Systemic Risk Barometer Survey, first launched in 2013, serves as a semi-annual reflection on existing and emerging risks that have the potential to impact the safety, resiliency and stability of the global financial system. The latest edition found that 63% of survey respondents ranked cybersecurity threats within the top five risks to the global financial industry while 22% cited it as the top risk. With this in mind, it is clear that the industry continues to see cybersecurity threats as one of the most pressing concerns.

Financial firms are not alone in understanding cybersecurity threats; global policymakers have also taken note. The Financial Stability Board, an international standards-setting body that makes recommendations on the global financial system, issued a 2017 report that found that 72% of its jurisdictions were planning to provide additional cybersecurity guidance within the year. It is clear that an attack on one or more institutions can have a domino effect across the financial sector, therefore policymakers and regulators are working to provide principles and guidance to promote best practices to manage these risks. However, protecting institutions is not enough. As firms continue to build resilience into their own operations, cyber threat actors shift and focus their efforts on third- and fourth-party vendors as a means to gain access to financial data. As a result, the financial services sector, supervisors, and standards-setting bodies must continue to be vigilant in addressing these risks and promoting third-party resilience.

Course of Action

There are several strategies that firms can take to mitigate cybersecurity risk. Although these preventative actions can help minimize many threats, it is of utmost importance for firms to know how to respond and recover from a cyberattack when it does strike. Firms should understand and identify single points of failure in the business services provided by the organization. From there, firms can do the following:

1. Develop recovery strategies that will allow for the full or partial recovery of the organization’s business services. Next, it is important to
2. Understand the controls that are or will be in place to mitigate risks to the organization’s business services. And finally, firms must
3. Test these controls and the associated recovery strategies through tabletop exercises and systems testing to address any gaps and ensure preparedness.

By conducting these tasks, financial institutions will be better positioned to understand their operational risks and can develop responses that decrease the operational friction when an attack occurs.

Looking Ahead

Firms must continue to evolve their cybersecurity and cyber resilience practices while considering their individual firm and their potential impact on the financial ecosystem. Firms must balance their resources between innovation- and revenue-generating channels and those used to respond and recover from malicious cyber activity. Firms must also understand the risk and resilience capabilities of its third- and fourth-party vendors and the potential impact these organizations may have on an organization’s services. Lastly, firms must engage with other sector participants to provide and develop sector-wide solutions and responses in the face of an attack against the industry. As we continue to place a priority on these areas, we will continue to boost the industry’s ability to protect against attacks and recover quickly, should one occur.

This article was originally published in Security Magazine on May 7, 2020.



Jason Harrell - 432x576px
Jason Harrell DTCC Head of External Engagements, Operational and Technology Risk, CISM