
A highly targeted industry in 2019

The number of data breaches reported by UK financial services firms to the Financial Conduct Authority (FCA) increased by 480% in 2018.[2]

The average annualized cost of cyber crime for financial services firms was calculated at $18.28 million per company while the average cost across all industries is $11.7 million.[3]

Financial services firms that have reported breaches in 2018 include RBC Royal Bank, Goldman Sachs, Sallie Mae, and Dun & Bradstreet.

A former employee at SunTrust Banks stole the names, addresses, phone numbers, and account balances of 1.5 million customers.[4]

Hackers gained access to HSBC’s US customer accounts, stealing names, addresses, contact information, birthdates, account information and transaction history.[5]

Attackers managed to gain access to the Royal Bank of Canada’s travel rewards website and stole payment card data belonging to 66,000 customers.[6]

Mobile Considerations in the Financial Services

1. Handling highly sensitive client information

Financial institutions manage large volumes of sensitive customer information and the breach of such data can be costly. The Financial Services industry is heavily regulated and companies need to be mindful of how employees handle customer information and communications.

The Markets in Financial Instruments Directive (MiFID) II has imposed tighter regulations on how companies in the EU record interactions between companies and clients. The directive was updated in 2018 to include ALL phone and electronic communications. The Department of Labor (DOL) Fiduciary Rule is similar for the US, but has been delayed.

Mobile presents a problem.

Mobile communication applications like WhatsApp make it difficult to capture and record messages. This is why some companies, including Deutsche Bank, have decided to ban apps of this nature to save technical headaches. The penalty for non-compliance is high. UBS and Goldman Sachs were fined £27.6m and £34.3m respectively for breaching MiFID II.

FS companies need to have a process in place to manage information sharing with third parties. For example, consider underwriting firms that help companies prepare for IPOs. They are tasked with figuring out issues like how much money needs to be raised and the type of securities that should be issued, as well as the agreement between the underwriter and the company itself. All of this involves highly sensitive information that is transferred between organizations with differing levels of security.

Another common example of sensitive information handled over mobile is when financial advisors use mobile devices to access KYC apps while in transit to client meetings. Without IT management of these devices, client data flowing through those apps might be at risk.

Case Study – American Multinational Investment Bank

An American multinational investment bank recently did the underwriting for a high-profile Silicon Valley IPO, so data loss became a major concern for the company. The IT team wanted to ensure that employees were not using their mobile devices to conduct work over public Wi-Fi where they could be subject to a man-in-the-middle attack. The team also wanted to ensure that even mobile devices within the protected network had a conditional access tool to verify the person, the device, and the risk posture of the device accessing corporate resources at all times. They also wanted to ensure employees weren’t exposing or exfiltrating the company data via unauthorized file-sharing services. They implemented Wandera and integrated it with their UEM (Unified Endpoint Management) solution to ensure conditional access was in place, that threats were being detected and blocked in real time, and that unauthorized services such as Dropbox were blocked via both the app and the browser.

2. Managing IT access for contractors and temporary staff

The Financial Services sector relies heavily on specialized contractors. IT and mid-to-back office professionals in particular are highly sought after. Managing the information security aspects of contractor and temporary workers can be complex, necessitating a clear set of rules to govern and monitor access. Surprisingly, only 18% of businesses require their third parties to adhere to a cyber security policy.

Contractors form part of the extended enterprise and bring a number of unknown, unmanaged variables to IT security practices. As the Financial Services industry migrates to the cloud and moves away from monitoring contractors on premise, IT teams need to better manage access to ensure regulatory requirements are met. Identity and Access Management (IAM) enables companies to better provision, control and revoke access as well as implement role-based access controls to prevent unnecessary privileges. Cloud services like AWS and Microsoft Azure provide the facility to connect IAM with third-party IAMs to better manage external access.

However, the use of mobile devices adds further complexity to third-party access management. In-house teams are reliant on third-party vendors practising good cyber hygiene: not sharing usernames and passwords among team members (and beyond), and having appropriate security controls and configurations for devices in place. But, as we know, mobile devices are an unprotected form factor. With conditional access, IT teams are able to set policies that dictate access management based on device and session variables like OS version, network security and location, mitigating the risk exposure on mobile.

Case Study – UK Based Retail Bank

A UK-based retail bank implemented a trio of security solutions for members of the C-suite that travel often, to trial a zero-trust security model for mobile. The IT team implemented Wandera to deliver dynamic mobile risk assessments that flow into a conditional access policy which is aggregated by their UEM and enforced through their IAM product. Only once the user and device are in compliance will access to corporate apps be granted.
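As an added illustration of the conditional access idea described in this section (it is not code from this report, from Wandera, or from any UEM or IAM product), the sketch below evaluates a session against the variables the text names: OS version, network trust, location and a device risk score. All thresholds, app names and field names are hypothetical, and any missing signal is treated as a denial so that the policy fails closed.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy values, constructed for this example.
MIN_OS = {"ios": (12, 4), "android": (9, 0)}
ALLOWED_COUNTRIES = {"GB", "US", "CA"}
MAX_RISK = {"kyc-app": 20, "email": 50}  # per-app ceiling on a 0-100 risk score


@dataclass
class Session:
    user_authenticated: bool
    platform: str
    os_version: str                  # e.g. "12.4.1"
    network_trusted: Optional[bool]  # None means the signal is missing
    country: Optional[str]
    risk_score: Optional[int]        # from a mobile risk assessment feed


def parse_version(text):
    """Turn '12.4.1' into (12, 4, 1) so that 9.3 sorts below 12.4."""
    return tuple(int(part) for part in text.split("."))


def evaluate(session, app):
    """Return (allowed, reasons); missing or unreadable signals fail closed."""
    reasons = []
    if not session.user_authenticated:
        reasons.append("user not authenticated")
    minimum = MIN_OS.get(session.platform)
    try:
        if minimum is None or parse_version(session.os_version) < minimum:
            reasons.append("OS version below minimum or platform unknown")
    except ValueError:
        reasons.append("OS version unreadable")
    if session.network_trusted is not True:
        reasons.append("network not verified as trusted")
    if session.country not in ALLOWED_COUNTRIES:
        reasons.append("location outside allowed countries")
    ceiling = MAX_RISK.get(app)
    if ceiling is None or session.risk_score is None or session.risk_score > ceiling:
        reasons.append("risk score missing or above ceiling for app")
    return (not reasons, reasons)
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "9.3" above "12.4" and let an outdated device through.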

3. Ensuring continuity of services for staff on the road

Travel is a necessity for many financial advisors, client advisors, mortgage/loan officers or fund managers. In private equity, it’s quite common for both clients and potential investments to be located overseas. This creates a need for extra security measures to protect organizations from threats over public Wi-Fi or internet surveillance by foreign governments, as well as excessive data roaming bills.

Case Study – Asset Management Firm

The IT team at one of the world’s largest asset management firms came to Wandera for a mobile security and data policy audit because their cellular data bills skyrocketed almost overnight. Wandera’s audit found an unusually low percentage of traffic going over Wi-Fi. It turned out that the company’s security team had issued an undocumented mandate instructing employees to stay off Wi-Fi due to the risk of man-in-the-middle attacks. The IT team then implemented Wandera so that employees could use Wi-Fi while being protected by Wandera’s fail-safe encryption, which launches a secure VPN in the event the user connects to a suspicious hotspot.