
How the financial sector can get ahead of cyberattacks and regulators

Jonathan Reiber

VP for Cybersecurity Strategy and Policy, AttackIQ

Why do cybercriminals attack? Most of the time it is to line their pockets, whether by extorting organisations through ransomware or by stealing and selling sensitive data. Criminals know that banking, financial services, and insurance (BFSI) organisations can be extorted for more money than most, so it is no surprise that they target the sector at a higher rate than almost any other.

According to IBM data, the average cost of a data breach in the financial sector last year was $5.72 million. An attacked business faces unexpected, potentially existential costs, sees its operations paralysed, and then has to work through a long tail of cascading problems such as higher insurance premiums and lost business.

Consider the Bank of England's 2022 Systemic Risk Survey, in which 74% of financial sector respondents named cyberattacks as the highest risk to the sector, in both the short and the long term. At the same time, companies fear the reputational damage that follows a data breach, so they rarely disclose attacks when they occur; only a minority of cybercrimes ever reach the public domain. Increasingly, however, investors, boards, and the public want transparency. Ransomware attacks can hurt a company's bottom line and crash its share price, so boards and investors want evidence of how well their BFSI organisations perform at preventing breaches before they happen, not just how they respond afterwards.

Market demands often spur regulatory action, and the rules are catching up. UK corporate governance reforms call for listed companies to publish a 'resilience statement' that sets out specific risks to the company, including cyber risk, and the Bank of England's CBEST Threat Intelligence-Led Assessments require intelligence-based profiles of the threat actors targeting a firm and an account of the information an attacker could gather about it. The European Central Bank, building on the Dutch central bank's earlier framework, has adopted a similar set of testing requirements for financial institutions (TIBER-EU), calling on banks to "test attacks to achieve resilience."

In the United States, the regulatory environment is tightening as well. In the spring, the Securities and Exchange Commission (SEC) is expected to finalise cybersecurity disclosure rules that will standardise cybersecurity governance expectations for U.S. listed companies, which would then be required to disclose information about their cybersecurity risk management, strategy, and material incidents. UK organisations already have a narrower duty under the UK GDPR, in force since 2018, to notify the Information Commissioner's Office of personal data breaches within 72 hours; with the SEC's rule changes as a model, it is only a matter of time before UK companies are also required to disclose cyber incidents and their cyber risk posture to investors and the market.

Regulators want to guide BFSI boards towards a more evidence-based cybersecurity posture, to protect investors and customers from opportunistic criminals. This is partly why the UK government, in tandem with the U.S. cyberdefence agency and the U.S. Department of the Treasury, recently began recommending that organisations continuously test their security controls against the MITRE ATT&CK framework to validate that those controls actually work. If banks want to be better equipped to answer stakeholders' questions, they need to test their existing defences continuously to confirm that nothing is misconfigured: a control that is deployed but mistuned offers no protection and, worse, creates a false sense of it. One survey found that at least 53% of cybersecurity professionals are unsure whether their controls are properly configured, so buying more capabilities will not, by itself, solve the problem. Banks need to test their systems continuously against the tactics, techniques, and procedures (TTPs) that cybercriminals actually use.

Chief Information Security Officers have ample access to information about adversary TTPs. The cybersecurity community collects this intelligence and records it in the freely available MITRE ATT&CK knowledge base. Once a business understands the TTPs of the adversaries most likely to target it, it can use breach and attack simulation to run those techniques automatically against its own security controls and see which are prevented, which are detected, and which slip through. Security teams can then mine that performance data to improve their readiness for a real attack, and share it with financial regulators, investors, and insurers to clarify their position and simplify auditing.
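To make the loop described above concrete (map tests to ATT&CK techniques, run them against the controls, record which fired, report the gaps), here is a small added example in Python. It is not AttackIQ's or MITRE's code. The ATT&CK technique IDs are real; the telemetry field names (image, cmdline, parent, target), the test events and the detection rules are all constructed for the example and stand in for what an emulation tool and a SIEM or EDR would produce. One rule is deliberately misconfigured (it reads a field name from a different product's schema) and one technique has no rule at all, so the report distinguishes a broken control from a missing one, which is the distinction a board or auditor needs.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass
class TestCase:
    technique: str      # ATT&CK technique ID
    tactic: str         # ATT&CK tactic the technique sits under
    name: str
    event: Event        # constructed telemetry the emulated action would produce


@dataclass
class Rule:
    name: str
    technique: str      # technique the rule claims to cover
    match: Callable[[Event], bool]


# Constructed test cases. Field names are assumed, loosely modelled on
# Sysmon process-creation / process-access events; they are not a real schema.
TESTS: List[TestCase] = [
    TestCase("T1059.001", "Execution", "Office spawns encoded PowerShell",
             {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
              "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"}),
    TestCase("T1003.001", "Credential Access", "LSASS memory read",
             {"image": r"C:\Temp\procdump64.exe",
              "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp",
              "target": r"C:\Windows\System32\lsass.exe"}),
    TestCase("T1486", "Impact", "mass rename to .locked",
             {"image": r"C:\Users\Public\enc.exe",
              "cmdline": "enc.exe --path C:\\Shares\\Finance --ext .locked",
              "parent": r"C:\Windows\explorer.exe"}),
    TestCase("T1566.001", "Initial Access", "macro-laden attachment opened",
             {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "cmdline": 'WINWORD.EXE /n "C:\\Users\\a.smith\\Downloads\\Invoice_2291.docm"',
              "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"}),
]

# Constructed detection rules standing in for what a SIEM / EDR would run.
RULES: List[Rule] = [
    Rule("office_to_powershell", "T1059.001",
         lambda e: e.get("parent", "").upper().endswith(("WINWORD.EXE", "EXCEL.EXE"))
         and "powershell" in e.get("image", "").lower()),
    # Deliberately misconfigured: it reads "CommandLine" (another product's field
    # name) instead of "cmdline", so it never sees the lsass access it was written
    # to catch. This is exactly the silent gap continuous testing is meant to expose.
    Rule("lsass_dump", "T1003.001",
         lambda e: re.search(r"lsass", e.get("CommandLine", ""), re.I) is not None),
    Rule("macro_doc_from_outlook", "T1566.001",
         lambda e: e.get("parent", "").upper().endswith("OUTLOOK.EXE")
         and re.search(r"\.(docm|xlsm)\b", e.get("cmdline", ""), re.I) is not None),
    # No rule at all for T1486: a coverage gap rather than a misconfiguration.
]


def run_validation(tests: List[TestCase], rules: List[Rule]) -> Dict[str, dict]:
    """Fire every test event through the rules that claim its technique and
    classify the technique as detected, missed (rule present, did not fire)
    or uncovered (no rule claims it)."""
    by_technique: Dict[str, dict] = {}
    for t in tests:
        claimed = [r for r in rules if r.technique == t.technique]
        fired = [r.name for r in claimed if r.match(t.event)]
        if fired:
            status = "detected"
        elif claimed:
            status = "missed"       # investigate the rule's configuration
        else:
            status = "uncovered"    # write or buy a control for this technique
        by_technique[t.technique] = {"tactic": t.tactic, "test": t.name,
                                     "status": status, "rules_fired": fired,
                                     "rules_claimed": [r.name for r in claimed]}
    return by_technique


def coverage_by_tactic(results: Dict[str, dict]) -> Dict[str, tuple]:
    """(detected, total) per tactic: the summary a board or auditor asks for."""
    out: Dict[str, tuple] = {}
    for r in results.values():
        det, tot = out.get(r["tactic"], (0, 0))
        out[r["tactic"]] = (det + (r["status"] == "detected"), tot + 1)
    return out


if __name__ == "__main__":
    res = run_validation(TESTS, RULES)
    for tid, r in sorted(res.items()):
        print(f"{tid:10} {r['tactic']:18} {r['status']:9} "
              f"fired={r['rules_fired']} claimed={r['rules_claimed']}")
    for tactic, (d, n) in coverage_by_tactic(res).items():
        print(f"{tactic:18} {d}/{n} techniques detected")
```

Run on the constructed inputs, T1059.001 and T1566.001 come back detected, T1003.001 is reported as missed with lsass_dump listed as the rule that should have fired, and T1486 is uncovered. In a real deployment the test events would come from an emulation tool executing the technique on a representative host and the rules would be the production detection content, but the report structure is the point: it is the evidence trail that answers "are our controls working?" with data rather than an inventory of products.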

This past year, facing around three serious attacks every day, the chief executive of Norges Bank Investment Management, which runs the world's largest sovereign wealth fund, said that cybersecurity had overtaken turbulent financial markets as his top concern. That shift will be repeated in BFSI boardrooms across the UK and the world in the months and years to come. With regulation forcing the C-suite to answer to auditors for its cybersecurity performance, a threat-informed defence strategy is what produces real data to answer with. By adopting data-driven, evidence-based cybersecurity strategies, financial institutions will be both safer and more accountable to their stakeholders.
