The U.S. Federal Reserve Board (the Board) has published its annual Cybersecurity and Financial System Resilience Report for 2023.
As well as setting out measures that the Board has implemented to strengthen cybersecurity within financial services, the Report outlines the Fed’s critical concerns for current and emerging threats to financial system resilience.
“Interconnectedness” appears to be this year’s emerging theme within the Report. As the financial services sector relies increasingly on critical service providers (CSPs), the Board notes that “all participants in the financial system face cyberthreats”. In short, as financial organizations widen their digital net for operational effectiveness, potential threats increase.
While some threats are political, and some perennial, all threats could be substantially minimized with the use of compliance technology.
1. Third party proliferation risk
The theme of “interconnectedness” is best exemplified by the increasing reliance on third parties for “significant business functions”. Many financial organizations rely on a suite of third-party vendors to deliver myriad critical services – from compliance tools through to cloud storage or payment processing.
While these third parties significantly increase business efficacy, and allow firms to remain competitive in a fast-innovating market, according to the Fed’s Report they also multiply cybersecurity risk. Logic suggests that the wider the net of third and fourth-party reliance, the greater the risk of potential harm.
There are many reasons for this, one being that, as the web of providers grows, so too does the administrative task of ensuring that each third-party solution is operating in a secure, reliable way. As well as increased administrative oversight, there is also greater risk of data being lost or misplaced. If one provider is passing business data to another, and then to another, the risk of corroding valuable metadata is increased. So too is the risk that those data pathways could be interrupted or intercepted by cybercriminals – the longer a chain is, the greater the risk of there being a weak link.
How can compliance technology help mitigate third party risk?
The key to success here lies in reducing your organization’s web of third-party reliance. As well as minimizing the amount of administrative work and relationship management needed, this will markedly reduce your third-party risk profile.
It is inevitable – if not essential – that financial organizations will use third party vendors to deliver critical services. However, when looking to a vendor to provide a solution, consider whether one vendor could assist with an end-to-end process, rather than only one piece of the puzzle.
In the case of compliant communications, for instance, some firms may opt to have different vendors: one for compliant archiving, another for surveillance, and yet another for a third-party, compliant app. This net of reliance greatly increases the chances that data will be lost or made vulnerable. It also doubles (if not triples) the number of people you’ll be speaking to when orchestrating your compliance process, and in the event that you need to establish accountability.
Instead, look for a provider that can deliver the entirety of the end-to-end process. As well as reducing legal and administrative burden, you can ensure complete, compliant operations with minimal risk of data loss or exposure.
2. Supply chain or third-party attack
Third-party risk is further increased with the consideration of supply chain or third-party attack. Once third-party reliance has been minimized, there must also be a consideration of the vulnerabilities that your third parties present.
If, for instance, one of your critical third parties were to fall prey to a cyber-attack, would your company have processes in place to respond effectively? “Supply chain compromise”, according to the Report, “can impact the financial system through the software provided by third parties”.
The proliferation of third-party reliance – especially that on software-as-a-service – has created a fertile breeding ground for cybersecurity risks. The Report notes that this increased risk only bolsters the importance that firms review the resilience of their supply chain and third parties. Are you confident that your third parties are well equipped enough to stand up to cyber-attacks?
How can compliance technology help minimize third-party attack risk?
The solution to mitigating third-party attack risk will undoubtedly lie at the feet of the vendor you employ. As seen in >enforcement action against TSB for a failed data migration project, the reliability of your third party can be the difference between success and catastrophe.
Choose a technology vendor who has demonstrable experience of carrying out the service that you’re relying on them to provide. Due diligence is essential here, and should not be overlooked for the sake of speed. Does the firm have clear security credentials? How seriously do they take cybersecurity? For optimum operational resilience, this relationship should be stress tested to ensure that the vendor can deliver, even in the event of unpredicted turbulence.
The report notes that:
“The most common cause of data breaches noted was misconfiguration of the services by the client financial institution, which occurs when the client financial institution and the vendor share responsibility for configuring various aspects of the services and the client does not understand its responsibilities.”
For ultimate success, ensure that your third-party vendor is a reliable, supportive partner to assist you in clear configuration, so you can be certain that your processes will be both operational and effective.
3. Insider threats
Insider threat is a perennial risk, and one that can often cause the most harm to your organization. It only takes a single bad actor with access to internal systems to bring an organization to a grinding halt. Preventing insider threat is an age-old conundrum, and one that holds human behavior at its core.
The Report notes that, since the global pandemic in 2020, the normalization of “remote access over the internet into core banking services and operational support systems” as well as the expansion of “access permissions to allow for remote work” has increased the risk of “incidents attributed to personnel”. It is also true that, oftentimes, firms can face threats from disgruntled ex-employees who continue to have access to certain systems or information.
This is a challenge that financial institutions will “continue to need to monitor and address”. After all, if a firm isn’t able to see how its employees are operating, how can it expect to weed out those looking to act maliciously?
How can compliance technology help mitigate the risk of insider threat?
The benefits of compliance technology in reducing the harm caused by potential bad actors are twofold.
Firstly, most data-centric tools should provide you with the ability to see which individuals have access to what tools and information, and provide easy configuration to add and remove users. This technology allows you to keep track of leavers and movers, to ensure that data and technology doesn’t fall into the wrong hands.
The second benefit offers a more sophisticated means of tackling insider threat. Surveillance tools, such as those built by Global Relay, allow compliance teams to monitor the communications of all employees, across any channel. Lexicons and artificial intelligence build a risk profile of your business, and will alert you to conversations that appear to be risky or indicative of impending insider threat. This ensures that you’re able to enact proactive compliance and stay one step ahead of harmful behavior.
4. Artificial intelligence and machine learning
It is undeniable that technology can play a significant role in minimizing risk within financial services. However, as the Report highlights, on occasion this technology can “provide greater opportunity for malicious actors to gain access to private data”. This is especially true of application programing interfaces (APIs) which provide “accessible gateways into firms’ information”.
Technology risk can also be expanded to consider the realm of artificial intelligence (AI) and machine learning. The Report notes that AI can increasingly be manipulated to perform social engineering, phishing, or text message attacks – which can compromise access into firms’ systems, emails, and technology services. As such, the Fed notes the importance of “collective actions across government and strong collaboration with the private sector in advancing measures to understand and mitigate risks”. Perhaps following in the footsteps of The City of Boston, the Fed appears to advocate for “responsible experimentation”.
How can compliance technology help mitigate AI risks?
Compliance technology, as the Report acknowledges, can offer the “potential for access to new or better services”. It is now common for compliance technology tools to offer a layer of AI, whether it’s for determining relevance, sentiment, or identifying suspicious behavior.
However, the extent to which compliance technology can help mitigate risks will be widely determined by the approach that it takes to harnessing artificial intelligence. For instance, tools that offer an “out of the box” AI solution will likely lack the tailoring and fine-tuning needed to effectively suit your business. This can create gaps, inconsistencies, and allow threats to fly under the radar.
Another consideration is that of ‘explainability’ – as recently highlighted by SEC Chair Gary Gensler as a priority. If you implement AI-based tools, is there a sufficient level of oversight to enable you to provide clear audit trails in the event that something goes wrong?
Firms should look to the regulators for guidance here. Adopt “responsible experimentation”, whereby your compliance technology uses AI technology that is reliable, responsible, and easily understood. Moreover, when implementing compliance communication tools, ensure that they verify users so that it is clear that the person you’re talking to is the person they say they are.
