When the SEC States that Cyber Security Is the Biggest Risk to Our Financial System, It’s Time to Listen

Pathlock
May 23, 2016

The chair of the U.S. Securities and Exchange Commission (SEC), Mary Jo White, stated that cybersecurity is the biggest risk facing the financial system. This statement comes on the heels of the $81 million theft from the central bank of Bangladesh and a second breach involving an unidentified commercial bank. The New York Times reported that this theft occurred because cyber criminals were able to acquire legitimate network credentials, initiate fraudulent transfers, and cover their tracks by installing malware on bank computers.

In addition to the theft, White made this statement because the SEC found that some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced. “What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” she explained.

Although organizations are investing in cybersecurity, hackers are becoming more sophisticated. They have a deeper understanding of the underlying systems and how to exploit them. In the case of the Bangladesh Bank theft, having security controls, better authentication systems and insider threat analytics would have helped prevent the transfer. Insider threat detection would have alerted the bank based on user behavior analytics. For example, millions of dollars were transferred from Bangladesh Bank to a dormant bank account in the Philippines that only contained $500. An alert could be configured that detects behaviors like this, which are anomalous to historical trends.

Organizations also have to go beyond cybersecurity solutions that may detect security events but are typically siloed and disconnected from the business risks. These solutions typically create countless low-impact security alerts that drain IT resources as they address them. Unfortunately, that time is wasted because the majority of these alerts have nominal business impact.
Organizations need to be able to correlate the business risk to security events and alerts in order to determine which ones need to be addressed. To learn more about available solutions, view the on-demand webinar How Does Your Cyber Posture Compare.