Friday, August 28, 2020

The State of Compliance – and the Cloud – in the Financial Services Industry

Ghostwritten after an interview with me as the source. Heck of a job by Dennis McCafferty.

If there is one unifying and indisputable fact about the hackers of the world, it’s this: They go where the money goes.

This makes the financial services industry one of their favorite targets. Once they compromise an organization in the sector, they can make thousands – or tens of thousands or much, much more – by stealing credit card account numbers, committing wire fraud, emptying savings accounts, etc. Or they can profit off of ill-gotten intelligence, selling or buying stock shares based upon non-publicly disclosed insider information contained “within the vault.”

That’s why financial services organizations should view regulatory compliance not as an onerous, “check the boxes” effort, but one that can ensure the continued integrity of their operations and reputation.

In seeking to reduce the risk of debit and credit card loss and limit identity theft, the Payment Card Industry Data Security Standard (PCI DSS) sets 12 security requirements for all companies (including banks and other financial institutions) that process, store, transmit or accept credit card information, regardless of size or number of transactions. The requirements cover firewall configuration, cardholder data encryption, secure systems/applications development, physical access to data and regular testing. Unfortunately, global PCI DSS compliance among firms has fallen for two straight years and now stands at 36.7 percent, down from 55.4 percent in 2016, according to the 2019 Payment Security Report from Verizon. Fines for PCI DSS violations range from $5,000 to $100,000 per month.

It’s worth noting that, in prior annual Payment Security reports, Verizon has revealed that no organizations were found to be fully compliant at the time of a breach, with breached organizations showing lower compliance on ten out of the 12 PCI DSS key requirements. In addition, only 29 percent of companies are still fully compliant with PCI DSS less than a year after being validated. This speaks to a governance problem: these firms are failing to commit to the level of continuous monitoring needed to manage both risk and compliance over time.

It’s clear that an ever-elevating threat landscape is creating formidable compliance and risk-management barriers: Based upon its analysis of nearly 41,700 security incidents and more than 2,010 breaches, the 2019 Verizon Data Breach Investigations Report (DBIR) indicates that the finance industry accounted for 927 of those incidents (ranked #4 among all sectors) and 207 of the breaches (third overall, behind only the public sector and healthcare). These organizations also suffered the second-highest average cost of a data breach at $5.86 million – 49 percent greater than the $3.92 million global average for all industries, according to the 2019 Cost of a Data Breach Report from the Ponemon Institute and IBM.

What’s more, increasing activity in the cloud is adding to the complexities of data protection and compliance: Financial services organizations are allocating 41 percent of their IT budgets to the public cloud, up from 34 percent in 2018, according to research from Refinitiv. Sixty-seven percent of the industry’s firms either are already invested in Infrastructure as a Service (IaaS)/public cloud offerings or are planning to be, compared to 59 percent of companies in general, according to 451 Research. Fifty-five percent of these firms are either already invested in Platform as a Service (PaaS) or are planning to be, compared to 46 percent of companies in general.

However, despite the abundant activity in the cloud, there is much trepidation: Technologies supporting cloud migrations are considered the top contributor to cybersecurity risk for financial services organizations, as cited by three-fifths of the industry’s security practitioners, according to research from Ponemon. (Blockchain tools ranked #2, as cited by 52 percent of these professionals.)

At Caveonix, we have dedicated ourselves to helping financial services organizations readily comply, thus enabling them to better defend their data and systems – whether on-premises or in the cloud. Our Caveonix RiskForesight platform implements continuous compliance to ensure our customers are meeting regulatory standards across their infrastructure and applications. The solution tracks and reports adherence to compliance requirements, and determines the impact of configuration and vulnerability changes on compliance. RiskForesight detects compliance drift and identifies how to bring the affected systems back into compliance.

RiskForesight distinguishes itself because it delivers an ongoing, continuous evaluation of where our customers stand, identifying and assessing compliance and risk wherever their data exists. The Caveonix team firmly believes that, if you can see it, you can quantify it. And if you can quantify it, you can apply the governance required to incorporate effective controls. We understand that satisfying regulations is about more than “checking boxes” – it’s about successfully managing risk and protecting information in the interest of operational integrity and brand reputation. If you’d like to talk about how we can work together to help solve your compliance/cybersecurity problems, then please contact us.