Financial Services
Pelle Aardewerk, HP’s cyber security consultancy lead, outlines the key challenge facing financial sector firms: “Threat actors have targeted financial sector firms for as long as they have been connected to the internet. It’s easy to see why: the data financial sector firms hold is a potential treasure trove. What’s more, given that businesses rely on the sector to function, a large-scale breach could have an outsized impact on global markets, raising the spectre of attacks by nation states.”
This in part explains why the sector is so heavily regulated. In addition to general regulations like GDPR, firms in the industry have a long list of sector-specific regulations to consider, many of which impact security. These include the Payment Card Industry Data Security Standard (PCI DSS) [1], the Sarbanes-Oxley Act [2], the Payment Services Directive (PSD2) [3] and the recent Digital Operational Resilience Act (DORA), among others.
Due to these pressures, financial sector firms have evolved further and faster than other businesses in the implementation of security controls. Indeed, analysis from McKinsey puts the banking sector above all others in terms of cybersecurity maturity [4].
However, financial sector firms are still very much at risk. More than 60% of large institutions worldwide were hit by a variety of cyberattacks last year [5]. Forty percent reported being targeted by ransomware [6]. These threats are exacerbated by the rise of hybrid working, particularly with a greater number of professionals working from public areas like cafes, where criminals can easily look over their shoulder and potentially view sensitive data.
From a regulatory perspective, DORA will add to financial sector firms’ cybersecurity obligations. DORA establishes rules for “the protection, detection, containment, recovery and repair capabilities against ICT-related incidents” [7]. The regulation explicitly calls out IT risk-management, incident reporting, operational resilience testing and third-party risk monitoring.
Financial services firms have got the basics in place and CIOs at financial sector firms are largely ready to take their security capabilities to the next level. Here are some approaches HP recommends:
Third-party risk monitoring. Supply-chain partners represent a significant risk. When shipping devices from manufacturer to user, there’s a period where the hardware could be compromised. The rise of hybrid working means that more devices are being shipped, increasing this risk. As part of their obligation to monitor third-party risk, CIOs should consider working with endpoint manufacturers able to protect devices in transit. CIOs should look for manufacturers that embed security in the hardware with technologies that protect the device’s BIOS settings and operations (i.e., the programme used to start a device once it’s been turned on), such as HP Sure Start. CIOs should also look for tamper lock features. HP’s own TamperLock capabilities provide a general protection mechanism against all classes of physical attacks that involve removal of the system cover.
Secure remote access. Given the sensitivity of the data and applications accessed by financial sector professionals, ensuring secure privileged access is vital. CIOs should aim for zero-trust access on the device level through access virtualisation, leveraging tools such as HP Secure Access Enterprise. In this solution, each access session takes place within a unique virtual machine, isolating the data from the machine itself and any malware or system-board level physical threats.
Secure printers. Given the relative maturity of financial services firms, some are now looking at how they can extend protection into new areas of the business. The security of printers is a case in point. Modern devices are just as connected as PCs or laptops yet have traditionally been overlooked from a security standpoint. While no major incidents have occurred recently, forward-looking financial institutions are carrying out printer security assessments, applying the checklist of security controls used for PCs to their printers. Enterprises can streamline this process through print solutions and services delivered by HP Wolf Security. From implementing security policies to safely leveraging the cloud, HP Wolf Enterprise Security Services take the burden off IT and ensure that security policies are applied across the print fleet.
Protect against ransomware. As one of the industries most targeted by ransomware, financial institutions need to employ as many layers of security protection as possible. This should start with the endpoint. Threat containment technology built into device hardware can help. HP Sure Click Enterprise, for instance, opens emails, links and USB files in a secure container that is isolated from core systems. As a result, phishing and ransomware are stopped from corrupting PCs or moving laterally.
[1] PCI Security Standards Council, “PCI DSS Quick Reference Guide”, https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
[2] Sarbanes Oxley Compliance Professionals Association, https://sarbanes-oxley-act.com/
[3] European Central Bank, “The revised Payment Services Directive (PSD2) and the transition to stronger payments security”, March 2018, https://www.ecb.europa.eu/paym/intro/mip-online/2018/html/1803_revisedpsd.en.html
[4] McKinsey & Company, “Organizational cyber maturity: A survey of industries”, 2021, https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/organizational-cyber-maturity-a-survey-of-industries
[5] ABA Banking Journal, “Larger financial institutions hit by variety of cyberattacks in 2022”, February 2023, https://bankingjournal.aba.com/2023/02/larger-financial-institutions-hit-by-variety-of-cyberattacks-in-2022/
[6] Ibid.
[7] “The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554”, https://www.digital-operational-resilience-act.com/