Cybersecurity in the Financial Sector

When talking about cybersecurity, the financial sector is undoubtedly the first to come to mind – after all, it’s about our money and its security. The number of financial operations carried out online is growing every year. Today, few people are already handling live cash. The good news is that the financial industry has been at the forefront of implementing data security solutions for years.

On the one hand, banks and other financial institutions need to guarantee security and peace of mind for their customers as this is the cornerstone of their business operations. On the other hand, data security requirements are imposed on institutions through EU and Polish law.

An example of such regulation is the DORA (Digital Operational Resilience Act), a draft European Union regulation that aims to harmonize digital resilience regulations across the Community countries. As defined by EY experts, “Digital operational resilience aims to guarantee continuity and maintain the quality of services in the face of disruptions affecting information and communications technology (ICT) companies. It is the ability to build, test and continuously improve an organization’s technological and operational integrity.” (1) DORA (Digital Operational Resilience Act) – a new approach to cyber security | EY Poland In Poland, the NIS2 Directive (Directive on measures for a high common level of cyber security within the Union), which will replace the current NIS (the first European cyber security law, adopted in 2016), will also come into force any day now.

Financial institutions that fall under the NIS2 directive will have a number of new responsibilities, including management, incident handling, disclosure of security vulnerabilities, testing the cyber security level of their systems, etc. It also expands the scope of incident reporting and introduces company management’s responsibility for “compliance with cyber security risk management measures.”

Until now, responsibilities for ensuring cyber security in the financial sector have almost exclusively concerned banks. Under the draft NIS2, the list of entities will now expand to include insurance companies, for example.

An interesting regulation in the domestic financial market, on the other hand, is the 2020 Cloud Communiqué of the Financial Supervisory Commission, which indicates how to implement the cloud in the industry to ensure security when using the technology. It is technology-neutral, which means it does not explicitly indicate what technology solutions are to be adopted. According to its recommendations, the first step in implementing solutions based on cloud services is to conduct a so-called gap analysis, that is, to check the extent to which the organization is operating in compliance with regulations. The next step is to draw up a cloud strategy before security financiers. Finally, the Cloud Communiqué has made it mandatory to continuously monitor and test the service being used.

Moreover, cyber-security is naturally related to the personal data protection, as this is the primary IT asset of banks and financial institutions. Hence, there is also a whole area of issues regulated by the RODO.

Growing consumer pressure to ensure the safest possible transactions as well as cyber-security requirements imposed by Polish and EU law are causing financial institutions to seek support from technology companies.

The area and activities related to ensuring IT security can be divided into the following categories:

• Risk analysis, IT audit, support in creating procedures in case of incidents
• Business continuity assurance to either prevent failure or act quickly in case of problems
• Security Operations Center (SOC) type services, i.e. 24/7 monitoring and analysis of security events – monitoring networks for vulnerabilities, attack vectors and threats. SOC analysts thus protect against human interference. Their job is to identify, sort through and respond to cyberattacks that could disrupt operations or otherwise harm the company.
• Network Operations Center (NOC)-type services that focus primarily on preventing network disruptions caused by natural or non-human events. These include power outages, Internet outages, natural disasters, etc.

Companies are struggling not only with the shortage of qualified personnel in the area of cybersecurity but also with ensuring their maximum utilization, as the associated costs are significant. More and more companies are therefore choosing to outsource these competencies without having to invest in their Security department.

This approach has recently become very popular among small and large organizations due to its flexibility, efficiency, and relatively low cost. Taking advantage of such a solution also allows companies not to worry about training, maintaining the necessary infrastructure, or expanding the team in case of, for example, an increase in the scope of the company’s operations.

In the service model, it is possible to hire an expert in the role of a security officer on a small part-time basis. The scope of work is strictly defined by the provider and billed according to predetermined rates. Furthermore, if there is a need to add or exclude certain services, this is done immediately and does not cause any disruption or generate additional needs for hiring an additional person or the need for training or team changes.

If you want to see how effective and flexible such a solution can be – contact us!