In his annual letter to shareholders, Jamie Dimon, Chairman and Chief Executive Officer of JPMorgan Chase, highlights security as the biggest threat to the financial services industry and names the continued focus on protecting the organization and its customers as a top priority.
Mr. Dimon briefly notes that “the financial system is interconnected, and adversaries are smart and relentless – so we must continue to be vigilant. The good news is that the industry (plus many other industries), along with the full power of the federal government, are increasingly being mobilized to combat this threat.”
Over the past five years, Mr. Dimon has included security and privacy as a significant risk to his organization; however, this year is the first time he addresses security as a risk to the financial system.
Following shortly after Mr. Dimon’s annual letter, the Financial Services Information Sharing and Analysis Center (FS-ISAC) Annual Summit was held in Orlando at the end of April. The theme of this year’s annual summit was “Enduring Strength: Trust. Transform. Together.”, which is indicative of the atmosphere felt during the week of presentations and networking discussions. Communication is the foundation of the FS-ISAC summit, yet the interpersonal two-way interactions observed amongst the attendees were refreshing and not typical of industry conferences, where presentations are typically one-sided and interactions are limited due to time constraints.
The issues and solutions at the forefront of the FS-ISAC presentations were revealing of the risks and challenges that financial institutions address daily. The topics seemed to align with the thoughts expressed by Mr. Dimon on the mobilization of the financial services industry to combat the threats to security and protection of privacy for customers. The outcome of the three-day conference provides executives, practitioners and solutions providers the ability to strategize on processes and solutions to combat the growing threat landscape facing the industry.
A few key topics from the week are:
Fraud continues to grow in the financial services industry. It is not necessarily a new risk but, over the past decade, fraud has continued a transition from traditional tactics to more technological methods, including schemes that incorporate a hybrid of both. Bad actors are rapidly evolving to perpetrate fraud, outpacing organizational ability to prevent, identify and recover from their actions. The path of least resistance for bad actors endures through the constant change in strategies, moving between customers, institutions, interconnected entities, and insiders for the purpose of financial gain.
Traditional organizational security frameworks are becoming increasingly necessary to ensure that foundational controls are in place and that the development and application of new programs and technologies are aligned. Established practices include Insider Threat Programs (ITP), coupled with new technologies like Artificial Intelligence (AI), Machine Learning (ML) and Advanced Identity Access (IA), which are increasingly being incorporated into security solutions to prevent fraud before it occurs.
On the heels of the GDPR, NYDFS 23 NYCRR 500, and the upcoming California Consumer Privacy Act (CCPA), the industry will continue to see growth in the need for cross-border compliance. The advance of technological means to provide financial services to customers across geographical boundaries has captured the attention of regulatory bodies. As such, regulatory requirements will be enforced on organizations regardless of location but focused on the geographical locations or citizenship of the customer.
The compliance requirements are going to drive increasing levels of effort in the financial services industry, from managing multiple cross-jurisdictional compliance-related projects to the attention required for the prevention and identification of security incidents in existing or new technology as the transition to cloud-based infrastructure continues. To ensure the protection and privacy of customers, organizational requirements are needed to identify the most restrictive of the applicable regulations, ultimately developing the proper controls to ensure scalability to present and future compliance needs.
Viewing security from different lenses
Security continues its evolution from a utility to a business obligation and ultimately to enablement of the enterprise. As the evolution continues, those responsible for the security and privacy of the organization must learn to look at data protection by applying different lenses of the business. An example of a change in viewpoint may be as simple as moving from a compliance-centric view to one driven by data. Through a data lens, organizations can derive an understanding of where their critical assets reside, radiating protections through the data flows of the business. Development of end-to-end knowledge of the organization’s business lines benefits the building of relationships, understanding process constraints, and applying security as a foundation to the protection of how organizations derive revenue.
Finally, as highlighted in our Global Threat Intelligence Report (GTIR), the financial services industry continues to lead other verticals as a threat target worldwide in 2018 (17% globally) and has been at the top the last six out of seven years. The concentration of threat actors on the industry continues to drive the need to protect data and individual privacy through proactive mitigation, threat identification and development of the capability to identify gaps, mitigate potential loss, and respond when necessary.