Cybersecurity: Doing Nothing Risks ‘Non-compliance’ and Potential Serious Business Damage

Banks, asset managers and hedge funds have made slow start in addressing regulations and guidelines on cybersecurity promoted by the Hong Kong SFC and US SEC. Response by the industry to security has been largely reactive to several breaches published in 2014. Among those companies affected were Sony, Target and Home Depot.

While there might be a perception that security breaches are something that happens to someone else. A study by Risk Based Security revealed that within the first nine months of 2014, 1,922 data breaches were reported and 904 million records exposed. Moreover, the number of security breaches is accelerating. Factoring in what was not reported, statistically speaking the chances of your company being subject to a security breach is now very real.

The price of indifference to cyber security is not just a potential regulation warning or fine, but possible damage to your business through the loss or theft of information. If such security breaches were revealed in the public domain the results can often be catastrophic. CEO’s, COO’s and senior management should be provided with information on the possible consequences of cyber threats. For example, consider the impacts of just these two threats:

• Denial of service attack

That can consume the capacity of your IT network such that no trade orders can be made, emails cannot be sent or received and information on your trading activity cannot be reported. Effectively for a period of time your IT assets may be unusable hindering business activity.

• Cyber espionage from the Internet

Your network is scanned and sensitive data is exported regarding clients or investments is stolen and put into the public domain. That will certainly attract regulator attention and damage your future business. Such types of incidents have tripled over 2014.

In combating the above threats, a first assumption might be that complex defense technology is required. To the contrary, quick preventative measures can be taken to defend against 99% of network security threats by a review of the update/configuration status of operating system, firewall, anti-virus software and enforcement of security procedures. However, to address the 1% of dangerous cyber threats, numerous solutions can be implemented. Yet, knowing where to start can be a problem.

Drawing on industry guidance from standards bodies to implement a comprehensive security gap analysis, followed by a risk based approach to identify the key cyber security threats for your business is a way to control the correct investment. A risk based approach involves performing an IT threat and vulnerability pair risk analysis, a type of analysis already enforced by MAS, the Singapore Financial Regulator. A solid outcome of this approach will put financial entities in an immediate position to defend their key information assets and provides an on-going security implementation plan as a result of gap analysis that addresses regulator concerns.