When such information is compromised—whether by determined cyber criminals or individuals within the organization by accident—the consequences, in terms of reputational damage and monetary losses, could be significant.
Traditionally, investment banks have always been highly aware of the importance of safeguarding customer and transaction data and have taken all the steps deemed necessary to do so. In the current environment, however—with organized cyber criminals running industrialized hacking operations and freely selling and/or sharing information about institutional vulnerabilities—investment banks may be dealing with forces that cannot be addressed exclusively by internal resources.
9%: Proactively run inward-directed attacks and intentional failures to test their systems on a regular basis
67%: Believe the likelihood of an attack is “very” or “extremely” high
68%: Believe there is a high likelihood of privacy breaches of personal data
Source: Accenture Research
In this environment, cyber security becomes not only a major challenge for investment banks, but also a key responsibility of their boards of directors and senior management teams. Boards and management need to consider:
For investment banks, effective cyber security begins at the top with the board of directors and senior management. Firms need a structure that recognizes the business issues connected to cyber security, while providing the expertise needed to deal with specific and ever-changing threats. Security models and tools are proliferating, creating complexity and potentially compromising security, so an integrated approach is needed to make the best use of new solutions.
A 2015 study conducted by Accenture and Ponemon Group found that firms that displayed leadership in cyber security shared certain characteristics, including immediate reporting of security incidents to the CEO and board of directors, clear definition of responsibility and authority pertaining to security, and effective communication of security requirements to all employees. [1] At leading companies, the CISO is more likely to report directly to a senior executive, set the security mission by defining strategy and initiatives, and have a direct channel to the CEO in the event of a serious security incident. They also provide sufficient resources for cyber security teams to deal with existing threats, while researching and preparing for new types of attacks.
New technologies—particularly those in the area of mobile communications—are opening new horizons for investment banks and their clients. Transactions are no longer limited to landline telephones or desktop computers; mobile phones and tablets now serve as effective platforms for many activities. However, the functionality of such devices has often outpaced the ability of investment banks and other financial services firms to protect customers’ privacy and prevent unauthorized access to their accounts.
Investment banks that provide secure mobile applications could differentiate themselves, but few have the technological sophistication to do so today. Innovation often takes place at the tactical level, without the benefit of a high-level, holistic view of security concerns. Investment banks, like other financial services firms, need to find a balance between maintaining security and providing an optimal customer experience.
Enable business growth and secure operations | Defend the business from hostile adversaries
Enabling business resilience and brand trust by interlocking security strategy with business strategy | Addressing boardroom and C-Suite concerns about the impact of security breaches on shareholder value, revenue and compliance
Reinventing security to be “digital friendly” by supporting user centricity and Internet scale, and addressing digital concerns such as big data, Internet of things and commerce | Gaining security-situational awareness across expanding business boundaries and developing a rapid-response capability |
Developing solutions to manage technology and process security risks outside of direct organizational control while leveraging security “as a service” | Testing environmental robustness and implementing security automation to offset staff shortages |
Source: Accenture Research
Some players have begun exploring promising new technologies to identify and prevent cyber incursions. Following in the footsteps of retail banks that are using biometric authentication at automated teller machines in certain countries, some investment banks are piloting voice biometrics for added security and a better customer experience during telephone transactions. Others are exploring new authentication methods, such as social log-ins and risk- or content-based identification. Although still in very early stages, such services may soon represent a competitive advantage for firms with tech-savvy clients.
Investment banks can benefit from important features of new security technologies, including the ability to identify anomalies in network traffic, prioritize threats and provide advance warnings of possible breaches. Whether business is conducted on an in-house legacy platform or through the cloud, investment banks should regularly evaluate their vulnerabilities. They can apply threat monitoring to understand potential problems and leverage threat intelligence to understand when cyber criminals (or rogue individuals within the organization) are attempting to take advantage of such vulnerabilities. In some cases, data visualization may help identify problematic behavior—not only by cyber criminals, but also by customers, counterparties and employees.
For investment banks, the need to bring technology to market quickly to maintain a competitive advantage—along with the ever-evolving sophistication and boldness of cyber criminals—has left cyber security struggling to catch up. Investment banks can benefit from applying several “big-picture” principles to cyber security. In addition to a “top-down” view starting with the board and senior management, these include:
Accenture’s research and experience suggest that investment banks should take a proactive approach toward cyber security, continually monitoring, testing and experimenting with new technologies. Reactive cyber defense is no longer sufficient to maintain an effective security program and regulatory compliance.
Cyber risk should be considered alongside traditional enterprise risks to more effectively inform risk management decision making. In the Accenture 2015 Global Risk Management Study, nearly two-thirds (65 percent) of financial services executives surveyed said that cyber and IT risk would have an increased impact on their business in the next two years and that they are making talent and organizational decisions accordingly. [2] Demand for cyber security skills is escalating quickly.
Investment banks’ internal cyber security teams may have been capable of dealing with yesterday’s threats. In the current environment, however, investment banks will need not only outside expertise, but also effective collaboration with cloud and other service providers to deal with emerging threats. Investment banks may also need to increase their willingness to share information regarding such threats with governments and industry groups, including the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Many breaches occur as a result of human error, negligence or failure to follow security protocols. Privileged access management is a top risk in this area. Investment banks should have organized and integrated programs to raise awareness of security issues, encourage proper procedures and assign responsibility when individuals are at fault. Insider threat networks should be enhanced and user behavioral analytics should be deployed to manage the human components, whether malicious or accidental.
[1] https://www.accenture.com/us-en/insight-cybersecurity-research-report
[2] https://www.accenture.com/us-en/global-risk-management-research-2015
This content has been prepared by Accenture and is for information purposes. No part of this content may be reproduced in any manner without the written permission of Accenture. While we take precautions to ensure that the source and the information we base our judgments on is reliable, we do not represent that this information is accurate or complete and it should not be relied upon as such. It is provided with the understanding that Accenture is not acting in a fiduciary capacity. Opinions expressed herein are subject to change without notice.