Financial institutions are prime targets for cybercriminals. According to a February 2018 report from management consulting firm Accenture, the number of breaches in the financial services sector tripled in the last five years. Meanwhile, the Journal of Cyber Policy noted recently that 89 percent of survey respondents say their existing information security (InfoSec) tools and policies don’t meet current needs.

During a recent Senate Banking Committee hearing, witnesses addressed both sides of the issue: the increasing scope of cybersecurity threats facing financial institutions and the steps that can be taken to limit the impact. Ideally? Clearer regulations, more accountability and recognition of critical risk.

Risk Is Our Business? Cybersecurity Threats

Cybercriminals are looking for maximum profit with minimum effort. As banks make the switch from storing physical currency to moving and investing money online, attackers have prioritized financial targets. Bob Sydow, a principal at professional services firm Ernst & Young, was straightforward about the state of financial cybersecurity at the Senate hearing, noted Politico.

“Keeping up with known threats and vulnerabilities is difficult enough, but the scope of unknown cyber risks seems much larger than other, more traditional risk domains,” Sydow said.

Financial institutions must also acknowledge the role of employees in securing or exposing networks to risk. According to Financial News, 58 percent of cyber claims stem from employee behavior, with the financial sector facing the highest annual cost per year for cybercrime — intentional or not.

Thirty-five percent of companies say their data protection policies are “ad hoc or nonexistent” and 12 percent have no breach detection solutions in place, according to Ernst & Young’s latest data, Global Information Security Survey.

It’s clear there’s a gap between current financial InfoSec and practices and the impact of cybersecurity threats.

Industry Investment to Protect Personal Data

According to Forbes, Senate Banking Committee Chair Mike Crapo and his democratic counterpart Sherrod Brown both agree the financial sector needs better legislation when it comes to protecting consumers’ personal data. Brown describes a bill with provisions that hold companies accountable for data loss but doesn’t know exactly what form that would take — although he does say record bank profits could be used for more cybersecurity investment.

During the recent hearing, however, Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC) argued that “despite a dynamic and ever-changing cyberthreat environment, the financial sector has invested heavily to protect the sector’s assets and consumers’ information from adversaries and cybercrime,” noted Politico. For Nelson, improved financial sector security includes government action to harmonize conflicting regulations, more cybercrime prosecutions and Congress-defined responses to specific types of cybersecurity threats.

To Spend and Secure

The recent Senate hearing makes it clear: Financial institutions are spending on cybersecurity, but the scope and nature of threats make it difficult to keep up. While more monetary investment remains a priority, increased legislative follow-through and government streamlining of existing regulations also play a critical role in reducing cyber risk.