Skip to Content
Two business professionals reviewing information together on a tablet device.
Article

Three cybersecurity actions every financial institution should take

March 30, 2022 / 7 min read

With cyberthreats on the rise and a steady increase in new regulations, financial institutions need to evaluate their cybersecurity controls and consider taking three key actions to protect their organizations and customer base.

Cyberattacks continue to increase, with hackers seeing potential for profit in essentially any industry. Financial institutions continue to remain a common target, as attackers focus on both an organization and its customer base to potentially wire funds out of the country or hold sensitive data ransom. At the same time, financial institutions continue to expand their technology footprint, requiring increased oversight on security across a wider range of devices, vendors, and cloud platforms.

The state of cybersecurity

Countless companies in various industries have recently received front-page news coverage for cybersecurity concerns, and the attack trends are continuing to grow. As the threat landscape continues to evolve, it’s helpful to look back at how the environment has changed in recent years.

Historically, most organizations had many layers of secure controls in place — such as their trained people, formal processes, and strong technology controls. While some organizations used different tactics than others, the general concept stood that financial institutions had clearly put multiple layers in place to protect the internal environment from external threats.

A few short months into 2020, many companies sent employees to work from home for the first time due to the COVID-19 pandemic. Some organizations had planned ahead (or were fortunate to have recent laptop orders) and could shift quickly to the remote environment. Other organizations had to rush in new VPN setups, roll out new web-accessible applications, or have employees work from home on their personal devices. These projects typically take months of effort in a normal year. Unsurprisingly, security precautions weren’t always taken in these rushed efforts. Similarly, many of these work-from-home options were never anticipated as part of financial institution culture and operations, with gaps in training and procedures now relying on teams making decisions on the fly.

For projects and remote connections implemented over the past year, vulnerabilities still remain. As staff return to offices, personal devices present an emerging risk of transmitting viruses to the secure internal networks. Meanwhile, attackers continue to increase their profits as they send phishing emails tricking employees into clicking links. In addition, the Federal Financial Institutions Examinations Council (FFIEC), Federal Trade Commission (FTC), and third-party vendors continue to raise expectations for security requirements. While these expectations assist with guidance on controls to reduce risk of attacks, the risk of noncompliance with regulatory and vendor contract requirements continues to rise as well.


The key to stronger cybersecurity controls? Open conversation. 

Current threats facing financial institutions

Based on our experience working with financial institutions, we’ve identified the common trends of critical threats impacting the industry. While there are other additional unique forms of attack, the majority of security incidents we’ve seen can be tied back to at least one of the following areas:

Where internal teams are understaffed, risks increase; in many cases, there’s a competition for time and budget to maintain security programs and ongoing technology projects. 

Recent financial institution regulatory updates

Even more frequently than previous years, regulators have continued to update cybersecurity guidance in 2021. Key updates include the following:

Additionally, the Federal Reserve Banks released an Operating Circular in late 2020, which included expectations for “Security and Resiliency Assurance Program” attestations. With the increase in banks crossing financial thresholds that require additional information security control implementation and auditing, cybersecurity insurance providers have continued to increase requirements before offering insurance coverage. Whether requirements are directly being issued by your regulating entity or not, these various updates are all increasing expectations for financial institution security levels.

Actions to secure your financial institution

Especially with the volume of changes over recent years, now is the time to reassess your security environment. Ideally, you’ll have dozens of complex layered controls in place to consider, and there are a few key items that we typically see as gaps leading to security incidents.

Now is the time to reassess your security environment.

Focusing on these three actions are key initial steps to confirm you’re comfortable with the existing setup or to develop a plan to address gaps:

  1. Enforce password requirements — Strong passwords on all accounts with remote access should be required, as well as multifactor authentication considerations. If software updates aren’t under an automated process, a solution may be required. External connections mean the possibility of threat actors attempting to exploit system or application vulnerabilities from afar.
  2. Utilize virus scanners and content filters — To defend against ransomware, institutions should ensure virus scanners and content filters are effectively configured on mail servers. Additionally, institutions should employ a data backup and recovery plan for all critical information, and perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note: Network-connected backups can also be affected by ransomware, so critical backups should be isolated from the network for optimal protection.
  3. Implement contact training and testing — In instances of social engineering threats, attackers often use compelling stories or arguments to gain entry, whether electronically or physically. Contact training of staff is key to maintain an environment of mindfulness against this sort of activity. Testing should be designed to analyze the effectiveness of contact training, as well as chart progression over a period of time.

While attackers continue to evolve their approaches and regulators increase expectations, implementing these key controls and proactively planning to strengthen your cybersecurity safeguards can help protect your financial institution. If you have any questions on cybersecurity best practices, please feel free to contact us.

Related Thinking

Close up of a business professional's face as they read on their laptop about how to prepare their organization for AI.
August 20, 2024

Preparing your organization for AI: Opportunities, risks, and necessary governance

Webinar 1 hour watch
Two business professionals in casual clothing using a handheld tablet device together while standing.
June 18, 2024

Cybersecurity essentials for franchises: Prevent, respond, comply

Article 7 min read
Person holding telescope
May 28, 2024

How to spot a fraudster: Red flags that suggest occupational fraud

Article 4 min read