Booz Allen Announces Top 10 Financial Services Cyber Risk Trends for 2013

The New Cybersecurity “Rules of the Road” for the Financial Services Industry

Business Wire

NEW YORK -- November 29, 2012

Ask any customer what they expect from their bank or financial services firm
today, and two words come through loudly and clearly: security and privacy.
Commercial and institutional customers have come to expect seamless service,
properly cleared transactions and fast, accurate information. But news about
major cybersecurity breaches has alarmed consumers, causing banks to redouble
their efforts to protect their technology infrastructure. This means the
stakes have never been higher for banks and financial services firms, and
there are clear trends for cyber risk and security protection in the financial
services industry in 2013, according to the experts at Booz Allen Hamilton.

“When we think about the lethal daily threats to the globally integrated
financial services industry from nation-states and individuals, it is
imperative that Chief Information Security Officers begin looking around
corners, talk with each other and better prioritize the real threats to their
firms,” said Mike McConnell, Booz Allen vice chairman and former Director of
National Intelligence. “Self-evaluation and industry-wide conversations are
the new ‘rules of the road’ to creating successful, integrated cyber defenses.
The CISO can really drive organization-wide change while still championing
efficiency and customer service.”

McConnell is speaking today at Bloomberg’s Enterprise Risk Conference, where he
will discuss the financial services industry’s responses to state-based and
state-sponsored cyber attacks. He added, “There are many
cyber trends – including the sophistication and lethality of the attacks –
that the financial industry should be aware of. Even though it is difficult to
look into a crystal ball and predict the future, these events are happening
now and could cause significant reputational, financial and infrastructure
damage to any ill-prepared firm. Individual companies should not wait for
legislation or an Executive Order to come together with their government
counterparts to find dynamic solutions to these big issues.”

Booz Allen works with financial services firms to identify and benchmark best
practices and challenges for long-term cybersecurity prevention and
protection. This process is part of Booz Allen’s Cyber M3 (Measure, Manage,
Mature) capability, which evaluates the maturity of a firm’s cybersecurity
programs. Both Cyber M3 and the benchmarking program incorporate technology,
business process engineering, human capital development and risk management in
developing a comprehensive picture of a firm’s and industry’s cyber readiness.

The Top 10 Financial Services Cybersecurity Trends for 2013:

1. Business/information risk protection is not just a technology issue –
    Spending on new technology alone is not enough to protect a firm’s
    information and business. Firms must also invest in people and in
    fine-tuning processes to ensure not only the proper use of technology,
    but also that the processes that require interfaces between organizations
    are well managed and executed flawlessly. No matter how good a technology
    is, if it is not used correctly by skilled employees who follow
    well-defined processes, vulnerabilities will surface that can be leveraged
    by both internal and external threat actors.
2. Data disruption attacks may become data destruction attacks – The
    potential of threat actors actually destroying data is a major concern
    among risk and security professionals. Over time, the financial services
    industry will face threats from extremist groups who, when denied access
    to weapons of mass destruction, will use cyber as a “weapon of mass
    disruption.” Additionally, threat actors who mean to disrupt a firm’s
    business operations to make a statement or prove what they consider a
    moral point will also utilize destruction of data to ensure they make an
3. Nation-states and threat actors are becoming more sophisticated – We now
    have to face more sophisticated threat actors, such as smaller
    nation-states and terrorist elements obtaining similar capabilities. The
    financial services industry must fully understand the entire threat
    landscape and what this means in terms of employing the right people,
    technology and processes to ensure business continuity and proper risk
4. Legislation could push industry standards around cyber risks and improve
    threat intelligence information sharing – Banks already share information,
    but they will need to do more in light of possible legislation to set
    standards for cyber protection. If Congress allows the sharing of
    important national security information, industry standards could become a
    benchmark requirement that firms must meet before they are given access to
    government information. Additionally, such legislation could help reduce
    the valid fears firms have about sharing cyber incident information, given
    the threat of penalties and further regulation. Industry and government
    must acknowledge and treat firms as part of the nation’s critical
    infrastructure, because a breach at any one bank or firm can have severe,
    cascading effects on the nation’s stability.
5. Predictive threat intelligence analytics will create a more effective risk
    management capability – Financial services firms must begin to employ a
    more predictive threat intelligence capability to determine who might be
    trying to attack them and how. Focusing on understanding their own
    individual business risks (as well as industry risks) and combating the
    real threats that could target those risks is much more effective than
    trying to create a defense that covers every possible threat.
6. Vendor risk management is becoming an increasingly important concern among
    firms – Most firms buy much of their information technology and services
    from suppliers. Therefore, these suppliers’ vulnerabilities become the
    vulnerabilities of the firms to which they provide products and services.
    Firms are becoming more focused on the security requirements for these
    suppliers and are engaging independent third parties to evaluate the risks
    around such products and services.
7. Cyber risk continues to be a board-level issue – Information, legal
    documents, and communications with clients and employees are all becoming
    more electronic every day, including an even greater use of mobile
    technologies and social media. The boards of financial institutions must
    create and embrace a culture that acknowledges the evolving risks and more
    openly shares incident information across the industry, with technology
    providers and with both law enforcement and the federal
8. Firms must continue to embrace and adapt to the new “boundless network,”
    and must also invest in training their workforce to properly access and
    protect corporate data – Cloud, social and mobile technologies, including
    “Bring Your Own Device” (BYOD), are simply too cost-efficient and
    effective for institutions to ignore. Security and risk professionals need
    to better integrate these technology trends, which will require them to
    accept that the corporate network now extends beyond their control. Risk
    management and mitigation are evolving to better control how corporate
    data travels these boundless networks and to ensure that employees are
    educated on the responsibilities they have in securing such
9. Identity and access management is becoming a key security control area in
    which firms will continue to invest heavily – The days of focusing solely
    on perimeter defense have long since passed. Phishing and other social
    engineering strategies employed by threat actors have been very effective
    in allowing them to penetrate almost any network. Banking institutions
    must assume these actors can get in. Verifying the identity of an
    authorized individual is a key area being addressed by firms in all
    industries in response to this new paradigm. Most threat actors gain
    access to networks and information by obtaining the valid credentials of a
    firm’s employee, so that their actions go undetected. Firms will continue
    to invest heavily in ensuring that an authorized user is actually an
    authorized user. Additionally, firms will invest more heavily in tracking
    unusual user activity to detect stolen credentials or an insider threat.
10. The financial services industry will rely more heavily on cyber
    benchmarking – The FS industry is investing more and more in protecting
    its information assets, and wisely spending these scarce dollars is
    becoming increasingly important, not only from an effectiveness
    standpoint but also to be able to articulate to business leaders the
    value of such an investment. The FS industry, therefore, will continue to
    use industry benchmarks to understand how competitors and suppliers are
    investing in people, processes and technology for cyber risk

For 2012, Booz Allen issued its first annual list of cybersecurity trends for
the financial services industry. Since then, the industry has experienced a
number of high-profile attacks, such as the DDoS attacks on U.S. commercial
banks and the New York Stock Exchange.

“In the span of one year, we have seen a significant shift in the frequency
and sophistication of cyber attacks on financial services firms. This is
perhaps the biggest trend of them all,” McConnell said.


Booz Allen Hamilton is a leading provider of management and technology
consulting services to the U.S. government in defense, intelligence, and civil
markets, and to major corporations, institutions, and not-for-profit
organizations. Booz Allen combines deep technical knowledge with expertise in
each client’s core mission to deliver proven results. Booz Allen is
headquartered in McLean, Virginia, employs approximately 24,000 people, and
had revenue of $5.86 billion for the 12 months ended March 31, 2012 (NYSE:


Booz Allen Hamilton
James Fisher, 703-377-7595