May 23, 2012

The Financial Industry: Cyber Security Laggards

We have seen it all around us lately — the financial industry’s inability to guard against major data breaches.

Just last month, Citibank, the third largest bank holding company in the U.S., experienced a data breach when hackers obtained information on more than 360,000 credit card accounts of North American customers. And just last week, Morgan Stanley announced that data of 34,000 clients was lost or stolen.

According to two letters sent to clients, and obtained by Credit.com, the information [of Morgan Stanley customers] includes clients’ names, addresses, account and tax identification numbers, the income earned on the investments in 2010, and—for some clients—Social Security numbers. The data was saved on two CD-ROMs that were protected by passwords, according to the letters, but the CDs were not encrypted. The company mailed the CDs containing information about investors in tax-exempt funds and bonds to the New York State Department of Taxation and Finance. It appears the package was intact when it reached the department, but by the time it arrived on the desk of its intended recipient the CDs were missing, Wiggins said.

The Citibank breach has been referred to as the largest direct attack on a major U.S. financial institution. Since the attack, the Federal Deposit Insurance Corporation has been preparing new data security measures, which are clearly much needed.

The financial industry has become something of a laggard when it comes to data security initiatives, and the risks of data theft are rising. According to a June report by IDC Financial Insights, “As financial institutions expose more capabilities to their clients through their digital channels, they must introduce more sophisticated mitigation and control techniques at a similar pace.” The report points to mobile applications as the next target of cyberattacks. (Check out the next issue of Risk Management for more on this topic — online August 1st).

To approach these inevitable risks, there needs to be a change in the role and focus of enterprise risk functions, according to the IDC Financial Insights report. “Cyber risk is an enterprise risk issue, not an IT issue, and as such needs to be addressed from a strategic, cross line-of-business, and economic perspective. The CFO, not the CIO or CTO, is the most logical person to set strategies and lead the efforts required to address the cyber risk challenge.”

The following is a chart that shows that cyber risk is an operational risk component, according to IDC Financial Insights.

Do you agree with these findings? If not, how do you think the management of cyber risks fits within the realm of business’s risk management plan?

Risk Management Magazine and Risk Management Monitor. Copyright 2012 Risk and Insurance Management Society, Inc. All rights reserved.

About the Author

Editor

Emily Holbrook is the editor of Risk Management magazine and the Risk Management Monitor blog.

212-655-5915
