Financial Services play a critical part in our economy and, thus, in the daily lives of consumers. Their importance to the functioning of business, insurance, pension systems, and banking means that the systems and networks of Financial Services Institutions store information about pretty much everyone in society, most of it digitalised. Should cyber security for a Financial Services Institution fail for any reason, the consequences could be immediate and substantial. That's why it's important that Financial Service Providers educate their employees on their responsibilities as data processors, and offer them regular cyber-security awareness training.
The prominence of the Financial Services sector and the demands of modern consumers for digital infrastructures (e.g. online/telephone banking accounts) mean that financial institutions are faced with a dilemma: how to, on the one hand, streamline business processes and appeal to their customers' requirement for convenience whilst, on the other hand, avoiding data and security risks.
Information Security Chiefs in the sector stress the import of cyber security first and foremost, calling for its move away from IT teams and security software (although these are still important factors) and into the boardroom, where a unified approach to cyber security ought to be developed. The focus is very much on adding awareness-training and education into the mix, with a culture of compliance made clear, and communicated from the top.
In other words, improving cyber security for Financial Service Providers involves influencing the behaviour of the people who own and work at them.
What does the Financial Conduct Authority (FCA) say?
The FCA is a regulatory body in the UK that ensures financial Service Providers meet (and continue to meet) certain standards in the interest of their customers. Members of the FCA must ensure that they conduct their business with fairness and integrity, abiding by the Authority's rules and principles at all times. It is in the interest of customers to do business with Financial Service Providers that are members of the FCA, as they can expect to receive a good, transparent service as standard.
The FCA expressed concerns over the cyber-security of its members following the instance of a well-known, supermarket-owned bank losing £2.5M of customer money through fraudulent transactions in 2016. Their report highlighted how traditional approaches to security are failing to work, and suggested that banks and other financial institutions may not be taking the threat of cyber-crime and hacking seriously enough.
Seemingly counter-intuitive, the FCA criticised the complexity of the banks' digital systems, arguing that the more complex these networks become, the more points of entry are available for criminals to take advantage of.
One response from the FCA was to develop its 'Scam Smart' campaign; an initiative that targets investment fraud by educating organisations on the importance of awareness training and employee/customer empowerment rather than relying exclusively on security-software and other digital acrobatics to get the job done.
Improving Education within the Workplace
Chief Information Security Officers (CISOs) in the Financial Sector have reiterated the same message: that frequent communication between leadership teams, board members, and other employees can help strengthen and maintain firms' cyber-security practices. The idea is that, if employees are trained to serve as the first line of defence for organisations, they will no longer be just another weak link in the cyber-security chain for hackers to exploit.
It's true, offering even basic awareness training can significantly improve the cyber-security of Financial Services companies, and help prevent the monetary and reputational losses that go hand-in-hand with unauthorised access to devices, networks, and databases.
By spreading the message that everyone is accountable and responsible for cyber security, and by offering regular awareness training that's both up-to-date and engaging, financial Services organisations have the chance to generate self-governing cultures of compliance that go above and beyond the minimum requirements for cyber-security under laws such as GDPR and The Data Protection Act 2018.