Survey Indicates Need for Stronger Cyber-Risk Response
Compliance society poll shows gaps are greatest at financial firms below the top tier; in D&B report, a supplier-risk and compliance convergence
Friday, March 29, 2019
By Ted Knutson
Financial services C-suite interest in cybersecurity, while on the rise, doesn't always translate to on-the-ground action, the National Society of Compliance Professionals (NSCP) says.
A recently released survey that NSCP conducted with the ACA Aponix division of ACA Compliance Group found widespread agreement among more than 200 financial industry respondents that cybersecurity concerns are a serious risk.
However, the survey found gaps in areas such as third-party (vendor) risk management and cyber insurance coverage.
“Smaller firms typically only target one or two vendors [for due diligence], some only at contract time. This is an area in need of improvement,” the report said.
Dun & Bradstreet's first Compliance & Procurement Sentiment Report of 2019 - citing a survey of 620 compliance and procurement professionals in 12 industries including financial services - explored a convergence of supplier risk management and compliance functions. But attitudes toward it were mixed.
Fifty percent of those most likely to be affected by that convergence “believe it would have a 'very' or 'fairly positive' outcome,” compared with 13% saying “negative” or “very negative,” the report said.
“While it is unclear if the two functional groups will actually merge, their shared goals and concerns continue to demonstrate the convergence that exists,” it added. “Within any third-party risk management program, procurement and compliance professionals remain focused on mitigating risk, reducing costs, and establishing a comprehensive due diligence program . . . At Dun & Bradstreet, we don't anticipate the two functional departments fully integrating, but there is certainly a gained efficiency from aligning and working together.”
Another D&B finding: “As supplier, customer, and third-party relationships become more complex and data more prolific, fraud becomes harder to detect.”
Fifty-six percent mentioned technology and policy as top contributing factors to fraud, and 24% stated such concerns specific to “automation, artificial intelligence and data population.”
Many Are Uninsured
Just over 50% of the financial services firms in the NSCP survey said they have cybersecurity insurance, leaving the rest - which tend to be small - to self-insure. However, the amount of coverage is on the rise, with 39% maintaining more than $5 million in coverage.
“The greatest damage is often reputational, leading to a loss of business that can't be covered by an insurance policy,” the study noted.
There was a divide between big and small firms: 78% of those from organizations with more than 1,000 employees said their boards were engaged on cybersecurity issues, double the proportion of those with only 11 to 50 workers.
“The ability for a smaller firm to absorb the economic and reputational impact of a cybersecurity incident is less than that of a larger firm,” NSCP cautioned.
The survey also revealed that regulators are increasingly delving into cybersecurity matters. Respondents reported that, since 2017, cyber exams have increased 21% at the Securities and Exchange Commission, 30% at the Financial Industry Regulatory Authority (FINRA), and 50% at the National Futures Association.
The broader population in the D&B survey was found to be challenged by regulation in a general sense: “Often, we hear how the impacts of regulatory change leave the functions uncertain about how to respond. In this survey, 56% said that regulations are a barrier to doing their job effectively.”
According to the NSCP, while most financial firms conduct network penetration and vulnerability testing, more incident-response exercises are called for. “Table-top exercises enable preparedness in the event of a real cyber incident,” the compliance group said. “If faced with a real incident, will firms be prepared to respond?”
Firms said they are spending more this year on cybersecurity testing and vendor management, mobile device protections, identity and access management, and endpoint data-loss-prevention (DLP) software.