One of the many frightening aspects of our modern existence is the ever-expanding scope and frequency of cyberattacks. Individuals, public and private companies, and government agencies around the world are fair game for cybercriminals.
Over the past several years, many high-profile brands including Adobe, Experian, Facebook, Home Depot, Sony, and Target have suffered cybersecurity breaches compromising personal customer data or internal employee communications. Furthermore, the global interconnectivity of our markets, media, and technology systems enables cyberattacks to cause rapid international damage and panic.
Remember the WannaCry cyberattack in May 2017? That worldwide ransomware worm was followed just one month later by a similar attack which first infected computer systems in Ukraine, and then quickly spread to the U.S., Denmark, Australia, and many other countries.
Even Government Regulators Aren’t Immune to Cyberattacks
Cyberattack sophistication continues to grow so rapidly that even government regulators, responsible for setting cybersecurity standards, struggle to stay one step ahead of hackers.
For example, the U.S. Securities and Exchange Commission (SEC) announced in September 2017 that its EDGAR corporate-filing database had been hacked. Charges against the alleged perpetrators were filed earlier this year, and as part of its ongoing effort to strengthen cybersecurity and risk management practices, the SEC recently tapped Gabriel Benincasa as its first-ever Chief Risk Officer.
The hacking of the SEC demonstrates just how big the cyber threat has become, but the SEC’s response to the crisis serves as an example for companies in financial services, technology, and other industries victimized by cybercriminals.
After uncovering the EDGAR breach, the SEC conducted an internal forensic investigation to determine the extent of the damage, alerted the parties whose data was compromised, and publicly disclosed what had occurred. Upon going public with details of the breach, the regulator emphasized its determination to correct the loophole exploited by hackers, as well as its dedication to enhancing cybersecurity throughout the financial services industry.
‘Resilience and Recovery’ are Key to Cyber Risk Management
In a written statement from 2017, SEC Chairman Jay Clayton said: “Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We must also recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Companies should write out step-by-step procedures for resilience and recovery as part of a detailed cybersecurity plan. All protocols in that plan should be rehearsed in firm-wide drills held more than once a year, so that all employees, whether they work in software development, accounting, marketing, or investor relations, know what to do in the event of a successful cyberattack.
The SEC continues to make cybersecurity a top priority, having recently announced that cybersecurity is one of its primary areas of focus for compliance inspections and examinations this year. This means that financial services companies must keep their cybersecurity programs and systems in line with SEC guidelines, and frequently enhance them to repel new cyberthreats. They must also work closely with their third-party fintech providers to ensure all channels are protected.
While a cyberattack can lead to regulatory investigations and fines, the damage it can inflict on a company’s reputation is far costlier. The goal of any cybersecurity program should be to prevent a data breach, but in the event that one occurs, acting quickly to 1) contain the problem, 2) alert those who have been affected, 3) communicate what happened to customers and other constituents, and 4) work with regulators and others to figure out what went wrong and ensure it doesn’t happen again, is the first step toward recovery.