Financial services companies lost an average of $23.6 million to cybersecurity breaches in 2013—up nearly 44 percent from the prior year. That’s a higher average annualized cost than any other sector. Security breaches impact the bottom line, costing millions of dollars while disrupting business and damaging trust. “If cybersecurity isn’t in your top three priorities, it should be,” says Greg McShea, senior vice president and general counsel of Janney Montgomery Scott LLC, a full-service financial services firm and subsidiary of the Penn Mutual Life Insurance Company.
Cybersecurity is an area where the interests of regulators, the regulated, and clients are all aligned, McShea says. And as a result, regulators and firms are collaborating and sharing information in the area of cyber crime more than ever.
The financial services industry ranks first among 26 industries most targeted by cyber criminals.
The average annualized cost of cybersecurity breaches for a financial services firm in 2013 was $23.6 million.
of cyber attacks are successful in less than 24 hours.
The Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority often host seminars and invite leaders from Janney and other firms to participate on panels where they can share best practices on combating security threats. Trade organizations also sponsor meetings to help the industry stay current on the latest trends. “If a firm has a problem, the entire industry gets a black eye for it,” McShea says, “so there’s mutual interest to be on top of this and locked arm-in-arm.”
Regulators frequently examine firms to ensure they have the proper safeguards in place. The SEC recently came out with a new list of exam priorities with respect to cybersecurity. Companies can face fines and penalties for failing to comply with regulations or protect customers’ information. Many states have employee and customer protection statutes, and there’s also civil exposure from litigants, something that Janney has been fortunate to avoid thus far. Some of the liability is shifting from banks and financial services firms to merchants. New regulations took effect in October 2015 that hold business owners responsible for fraudulent transactions when credit cards embedded with security microchips are used.
The investing public is slowly recovering from the 2008 financial meltdown and Bernie Madoff crisis, McShea says. That’s why protecting clients’ personal information from cyber attacks is a good opportunity for the industry to restore trust and confidence. The opposite also holds true. “We can ill afford a significant breach of any kind,” he says.
One of the biggest challenges lies in the constantly evolving nature of the hackers. While firms work within their four walls to protect client data, clients themselves can be hacked through personal e-mail takeovers and other fraud. The types of hacks are ever-changing and becoming more sophisticated. Janney works closely with clients whose information may have been compromised. For example, if a client’s e-mail is hacked, the company will work with the client to change account numbers and speak to them about the importance of password protection. “Many times that’s where it begins and ends,” McShea says.
Other best practices include third-party testing of systems and controls, penetration testing, strong access rights inside and outside the firm, and controlling access to information when employees leave the firm. Strong governance and employee training also help firms stay on top of the issue. “It’s an evolving iterative process,” McShea says. “It’s about remaining adaptable and humble because if something looked good and appropriate a year or six months ago, it may not necessarily be the case today.”