Giles Inkson, Director of Services EMEA, NetSPI
It’s not news that financial institutions have become a very lucrative target for cybercriminals. With the large amounts of sensitive data they handle, their place in the economy, and their usage of infrastructure such as mainframes, they are experiencing a surge in cyber threats. There’s never been a more pressing time for robust cybersecurity measures across the industry. In response, many regional and national regulatory bodies and industry leaders have introduced comprehensive frameworks aimed at bolstering the enterprise resilience of the financial services sector.
In navigating the intricate landscape of security testing regulations in global financial markets, businesses must adopt an enterprise-wide proactive and strategic approach to effectively manage and comply with these regulations.
As these frameworks mature and roll out globally across territories there are many ways organisations can prepare themselves now, and be ready for upcoming standards, such as the Digital Operations Resiliency Act (DORA). Here are the five areas businesses should consider to help navigate these frameworks and financial services regulations:
Manage threats proactively and find opportunities to change with new regulations
First and foremost, it is crucial for businesses to understand the significance of these regulations in enhancing cybersecurity resilience. Frameworks like CBEST, DORA, TIBER-EU, iCAST and CORIE are essential parts of strengthening defences against cyber threats inside and outside of regional boundaries. Each of these standards focuses on treating either critical business components (the parts that keep the business working), or the entire enterprise as their scope. Viewing compliance not just as a regulatory obligation, but as a critical component of a robust cybersecurity strategy, can help businesses prioritise their efforts and investments accordingly. If an organisation has red teamed before, they might be surprised at the pragmatic and impactful difference in approach, shifting their security mindset to a proactive one.
Review your business’s cybersecurity posture
Businesses need to treat their organisations as a single organism. Many traditional red team or penetration testing methodologies only treat cybersecurity in isolation, and not as a part of the whole organisational risk.Financial institutions need to conduct regular intelligence-led penetration testing or red teaming, coupled with cybersecurity risk assessments and gap analyses across their entire business as part of a holistic suite of risk reduction. In doing so, valuable insights are gained into vulnerabilities, threats, process gaps, weak controls and areas of non-compliance within an organisation that other tests cannot expose. By understanding their strengths and weaknesses across cyber and operation resiliency, businesses can target areas of improvement and enhance their overall security posture.
Create a culture of collaboration and cybersecurity accountability
Collaboration between IT, security teams, and senior leadership is paramount in effectively managing security testing regulations on the world stage. Regional coordination and clear communication on expectations and territorial differences can be complex to negotiate, without centralised administration. Therefore, establishing clear lines of communication and fostering a culture of cybersecurity awareness across all business units is critical. Reinforcing this with processes that encourage accountability throughout the organisation ensure that compliance efforts are aligned with business objectives and strategic priorities without siloing the efforts and investment.
Understand the global impact of security testing frameworks and their impact on your business
As cyber threats cross borders, financial institutions worldwide face similar risks and regulations across their operational sites. Compliance with these testing frameworks isn’t just about state-level or national rules; it’s about adopting global cybersecurity best practices and common standards throughout. With international financial systems interconnected, one institution’s security can impact the entire ecosystem, as does one regional branch or office of a global company. By adopting and aligning the needs of these frameworks, businesses enhance global financial system resilience and may also be combined into wider supersets of tests. Standardised frameworks like CBEST and TIBER and the upcoming DORA enforcement in January 2025, streamline compliance efforts and provide a consistent approach to cybersecurity testing worldwide and across entire businesses, and can reduce the need for repetitive testing.
Invest in technical expertise
Investing in the expertise of accredited cybersecurity partners with global capability, will help financial institutions manage their global testing compliance needs. For example, many finance sector organisations operate legacy mainframes as a part of their critical services. While mainframe testing is a crucial aspect for cybersecurity resilience, it remains overlooked, even though it is a designated area for examination within testing frameworks. This is because many businesses lack the technical expertise to conduct thorough mainframe testing in a safe and realistic manner.
Organisations that can flexibly apply and call upon resources in specialist testing areas like mainframes and red teaming, present the most effective means of truly understanding the operational resiliency across their organisation. Working with experienced professionals especially across multiple disciplines, can provide valuable guidance and support in conducting comprehensive security assessments, interpreting regulatory requirements, and implementing effective cybersecurity measures across an organisation.
Ultimately, navigating security testing regulations across financial services demands a proactive and strategic stance. By adopting a proactive mindset towards compliance and cybersecurity, businesses can effectively mitigate risks, protect sensitive data, and maintain trust and confidence in the global financial markets. Ultimately, embracing these frameworks as opportunities to enhance cybersecurity resilience, can position businesses for long-term success in an increasingly digital world.
