Written by: Rodrigo Macias and Johnny Mays, MGO
In 2021, the average cost of a data breach reached an all-time high at $4 million, and according to a study performed by Boston Consulting Group, financial services firms are 300 times more likely to be attacked than companies in other industries. With the abundance of sensitive customer information stored in financial institutions’ databases, it is more important than ever for these organizations to ensure they have proper cybersecurity measures in place to protect private data and avoid hefty costs associated with lost revenue, lost business, and system outages.
While it may seem like the big names in finance might be larger targets, smaller financial organizations like advisory firms are at risk because they don’t usually possess the sophistication of large banks’ infrastructure yet still contain sensitive, personal information hackers find valuable. Some of the tactics used to breach their security include trojans that download data or banking information; ATM malware to steal customer credit and debit card information; and targeting vulnerabilities in the financial institution’s systems to compromise customer accounts.
With data breaches set to become more frequent, it is vital that smaller financial institutions create and implement cyber risk plans and be aware of the decisions that will need to be made in the midst and in the aftermath of an attack.
Have a Plan
With a plan in place, an organization is ready to respond. This includes knowing who will perform each necessary activity and which outside parties to contact. These may include law enforcement and other authorities, the cyber insurance carrier, a cyber consulting firm, and legal counsel.
Address Secondary Threats
It’s obvious that financial institutions’ primary goal is to protect their customer data while keeping their clients informed. However, the next step is to regain control and security of the system while preserving any evidence for both recourse and proactive planning in the future. If you do any business with third-party vendors, this is the time to make sure they were not affected, and will not be affected later on, by analyzing the security of their systems.
Who needs to contact your clients? What will you say? Determining a threshold and developing a script to ensure the message gets succinctly passed down to those who need to know about the breach is vital. Outside of customers, vendors, and regulators, stakeholders and key organization influencers will need to know too.
Maintain IT Governance
IT governance should be in practice all the time, not just immediately following an attack. Make it a habit within the organization to hold monthly meetings that check in on various proactive activities and reassess the organization’s current level of risk. Get everyone involved to develop a culture of security.
Create a Risk Committee
With a formal risk committee, you can better keep the organization aligned with important IT practices, especially with large-scale projects and various departmental functions. The committee members will understand what a breach means for the organization as well as the community it serves and help to perpetuate a culture of cybersecurity from the lowest levels to the top.
Perform Cyber Risk Assessments Annually
Performing an annual cyber risk assessment ensures that all members of the organization—especially those who are not IT experts—understand where the organization is in terms of security and what needs to be done to ensure that it is prepared for a potential attack. This helps with planning, prevention, and the organization’s ongoing response to security breaches.
Rodrigo Macias is a partner at MGO, leading the firm’s risk advisory, forensic accounting, management consulting and IT advisory services practice. He is also a Certified Fraud Examiner. Johnny Mays is a Certified Public Accountant and cybersecurity supervisor for MGO.