Page 112 - Cyber Defense eMagazine October 2023
and allows executives to sleep well in the knowledge that they have “checked the box” regarding digital
security.
I recently asked a group of corporate leaders if their IT teams were well-prepared to deal with
cyberthreats. More than 80 percent answered yes. While corporate leaders believe their organizations are
secure, that is unlikely to be true unless the organization is large enough to have an IT team dedicated
entirely to cyber defense. Few organizations are that large. The mismatch between executives’
perceptions and reality is shocking.
Seasoned cybersecurity professionals, then, recognize the challenge that Walden and her team are
addressing. For too long, many business leaders have refused to accept the need for a transition beyond
mere compliance and toward true risk mitigation. But as the transition to mitigation begins to gain traction
in the worlds of businesses and their regulators, conflicts are brewing.

Facing the threat in finance

Increased commitment to risk mitigation couldn’t come at a more important time in the securities industry.
There, the number and sophistication of threats from bad actors plainly are rising at the same time that
the Securities and Exchange Commission is nearing release of a regulatory framework that will govern
the industry’s cybersecurity responsibilities. The rapid adoption of artificial intelligence tools is also raising
new questions even faster than regulators and industry security specialists can come up with answers.
Cyberthreats are surging across the financial services sector. CrowdStrike’s 2023 Threat Hunting
Report found that the financial industry was the second-most targeted vertical last year, overtaking
telecommunications companies, long the second-place target, and trailing only the technology industry,
always the top target. In fact, the report found the volume of interactive intrusion activity in the financial sector rose by
more than 80 percent from June 2022 to June 2023, as threat actors launched every possible type of
attack against financial institutions. Phishing attacks against financial institutions alone accounted for
more than 27 percent of the total phishing attacks against all the industry sectors studied by CrowdStrike.
The reasons for the upsurge? Threat actors — including, notably, North Korean adversaries — apparently
believe that the needs of financial-service organizations to maintain uptime and their concerns about
sensitivity of client information make them particularly attractive targets for ransom shakedowns.

Regulations draw pushback

In response to the growing threat, the Securities and Exchange Commission in 2022 proposed stronger
rules on cybersecurity protection as well as the process to report breaches. Registered Investment
Advisers and investment companies of all sizes would be covered by the new standards.
In the measured words of the SEC’s staff, “certain advisers and funds show a lack of cybersecurity
preparedness, which puts clients and investors at risk.” I think that’s particularly true among smaller and
medium-sized Registered Investment Advisers. The big players in the securities industry generally have
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.