NEW YORK -- The mounting danger of data breaches and online crime threatens wealth management firms with financial disaster unless they become more cyber-resilient, says Stephen Russell, practice leader of cyber and technology risk management at PricewaterhouseCoopers.
Becoming cyber-resilient can be the difference between successfully containing a threat and financial disaster, Russell told attendees at a cybersecurity conference jointly organized by FINRA and SIFMA.
FINRA and SIFMA's cybersecurity session comes just days after renewed warnings from the industry regulator as well as the SEC.
"There is now wide recognition that financial services organizations will continue to be a prime target for cyberattacks," he said. "Given this reality, we must act now before it is too late."
The average cost of a cyberincident in 2014 was $22 million, including containment, cleanup and remediation, Russell said. And according to a recent report from the SEC, 88% of broker-dealers and 74% of RIAs say they have been targeted by cyber-criminals.
Worse, the damage can extend beyond the financial.
"Public confidence in the financial services industry is in jeopardy as cyberattacks increase," Russell said.
Russell suggested six key steps to become more resilient against cyberattacks.
First, firms should establish cyber-risk governance and oversight so that executive management and technology officers and experts are involved at each level.
"Ultimately the goal is to make sure that cyber risks are managed like other business risk management issues," he said.
Second, firms need to understand their electronic defense perimeter.
"I cannot stress enough to understand the need to understand the cyber organization boundary," Russell said, referring to the massive data breach that hit Target in 2013. "In [that] case, the entry point of attack was a vendor. So it's critical to understand your perimeter. Any weakness in your perimeter is a vulnerability."
Russell suggests firms examine where critical data resides and with whom it is being shared. Data is increasingly moving across devices and among more parties, he said, including customers, third parties and fourth parties.
"With the onset of cloud computing and mobile device usage, financial services organizations find themselves defending a perimeter that is no longer visible and no longer exclusively under their control," he said.
Russell's third and fourth points are related: identifying critical business processes and related assets and understanding how to assess and manage business risks.
"It is essential to understand which business assets, if compromised, would cause significant harm," he said.
This includes recognizing facilities that house critical systems and data. It is necessary to provide adequate protection to these assets, he said, and to also ensure mitigation efforts are aligned to a specific set of business risks.
Russell also emphasized the importance of improving data collection and analysis and the reporting of cyberthreats. Financial firms have complex structures which complicate this process, Russell said. But cyber-risk operations teams should regularly analyze data and provide management with the information needed to make informed risk-based decisions.
Finally, firms need to have playbooks on hand for responding to data breaches. Devising threat scenarios, developing response plans and putting resources in place prior to an attack can be the difference between a successful response and disaster. And above all, rehearse your response plan, Russell said, so that everyone will be familiar with their role in the event of a breach.
"If it is revealed that you were poorly informed, then it can be very damaging to your reputation and shareholder value," he said. "The last thing any organization needs is to be seen scrambling in response to a cyberattack in the eyes of the media and customers."