DTCC Connection

Jun 06, 2016 • DTCC Connection

Is the Financial Services Industry Growing Complacent about Cyber Risk?

By Joseph King


Stephen Scharf, DTCC Chief Security Officer

Cyber risk continues to be the No. 1 concern among financial institutions, although not nearly to the same extent as a year ago, according to results of The Depository Trust & Clearing Corporation (DTCC) Q1 2016 Systemic Risk Barometer Survey.

The Systemic Risk Barometer Survey is a semi-annual pulse check that monitors emerging trends on risks that may impact the safety and resiliency of the global financial system. Among the questions, the survey provided a list of 20 systemic risks, which could all be considered potential high-impact events.


In the recent survey, cyber risk was cited as the top threat by 25% of respondents, while 56% ranked cyber risk in their top five. Cyber risk has held the No. 1 spot as the chief concern among financial industry professionals since the survey’s inception in 2013.





However, the share of respondents ranking cyber risk as the top threat has declined steadily over the past three Risk Barometer Surveys:

  • Q1 2016 (April)
    • 25% of respondents ranked cyber threats as the No. 1 systemic risk to the broader economy; 56% of all respondents cited it as a top five risk.
  • Q3 2015 (October)
    • 37% of respondents ranked cyber threats as the No. 1 systemic risk to the broader economy; 70% of all respondents cited it as a top five risk.
  • Q1 2015 (May)
    • 46% of respondents ranked cyber threats as the No. 1 systemic risk to the broader economy; 80% of respondents rated it as a top five risk overall.

Cyber risk’s staying power as the top-ranked risk, notwithstanding the decline in its percentage as the top risk, demonstrates the industry’s ongoing concern with the threat of a cyber attack.

“An issue such as cyber risk is highly topical and it can dominate industry conversation for a period of time,” said Stephen Scharf, DTCC Chief Security Officer. “What we see from the results of the most recent Risk Barometer is that other issues, like macroeconomic concerns, have begun to occupy part of that industry conversation.”

Economic Concerns on the Rise

Indeed, macroeconomic concerns have risen dramatically, as an economic slowdown in Asia was listed by 22% of respondents in the recent Risk Barometer as the biggest systemic risk to the broader economy – a dramatic change from just one year ago when only 1% of respondents ranked an economic downturn outside of the E.U./U.S. as the biggest risk.

The increasing focus on macroeconomic risks is further supported by rising concerns over the U.S. and European economies. A U.S. economic slowdown was ranked as a top five concern by 37% of respondents, up from 28% six months earlier. Similarly, an economic slump in Europe was cited by 24% as a top five concern, compared to 17% six months earlier.

Is this downward trend for cyber risk concerns a sign of complacency? No, said Scharf. “If the industry were complacent, we would see cyber risk drop out of the No. 1 position,” he said. “Cyber risk is never going away. What we see is the major players investing heavily in solutions, like Soltra, to address this risk.”

Indeed, the survey also reports that 63% of respondents said they have increased the amount of resources to identify and monitor systemic risk. That is down slightly from a year earlier, when 73% of respondents reported an increase in systemic risk commitments.

Threat Sharing is Critical

Keeping the entire chain strong is the goal behind Soltra™, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC) created to help secure critical infrastructure entities from cyber threats. Last year, the JV announced the first industry-driven threat intelligence sharing solution, Soltra Edge™, a software solution designed to collect massive amounts of cyber threat intelligence from a variety of sources, convert it into standardized language and enable users to take immediate action.

Sharing cyber threat intelligence is critical to slowing and stopping the spread of a cyber attack. “The faster we share threats, the faster we can stop it from spreading,” Scharf said. “By sharing cyber threat intelligence, we give firms the tools to proactively develop a solution and share it with others to use as an effective defense against a known cyber threat.”

Industry Must Remain Vigilant

The financial services industry has recently been hit by a number of high-profile cyber attacks. Most notably, in February, hackers stole $81 million from the Central Bank of Bangladesh.

The recent attacks reinforce the need to be diligent with cyber defenses in the back office as much as in the front of the house, according to Scharf, who said that many of the critical money processing systems were not originally designed to address the demands of today’s risk environment.

“Those systems weren’t designed to address the cyber risks we face today,” he said. “You see this issue in other industries, too, such as power and water. They built systems 40 years ago when the concept of cyber attack did not exist. It is not logical to expect this to have been baked into the original designs, which makes it even more critical that modern day improvements are deployed into these systems.”

New cybersecurity regulations are driving change by requiring firms to bring their cybersecurity defenses up to current standards. “For firms with mature cybersecurity programs, new regulations do not present an issue,” Scharf said. “But for those who are behind, this is a concern they must address.

“A chain is only as strong as its weakest link,” Scharf added. “If one firm on the chain is vulnerable, then all of the firms are vulnerable.”
