Cyber attackers aren’t about to stop targeting Canada’s financial sector
Hackers, criminals and spies. These are the people who are targeting the financial sector. And unfortunately, it’s no longer a question of if, but when your financial services business will be breached.
That is to say, cybersecurity risks for financial sector businesses everywhere in the world and in Canada are on the rise. Citing specific examples such as banks in Chile and Seychelles and a financial technology company that supports Asia-Pacific banking systems, a new Carnegie Endowment report provides some valuable insights.
In late 2020, the Carnegie Endowment for International Peace took the unprecedented step of publishing a new Carnegie FinCyber paper about the world’s cyber threat landscape only 18 months after its last paper.
The co-authors note, “But a lot has happened since, most notably the largest-scale public health emergency in a century. Cyber threat actors have not stood still in this period. Many groups have been capitalizing on the turbulence in order to up their game and exploit their victims. Stepping back from this, however, the predominant motivations have not changed (see table 1).”1
And with mobile banking apps, remote working and outdated legacy infrastructure adding layers of exposure to the financial services sector, the need for cyber insurance has never been greater.
Across Canada, financial services and Fintech businesses are facing unprecedented risk exposures. And that’s why they are turning to brokers who are commercial insurance experts when it comes to finding and securing the best possible cyber coverage for their operations.
Here at ALIGNED, we exclusively serve the needs of Canadian commercial business. With a team that supports clients across Canada, we know how to assess your exposures and source the best cyber insurance options for your organization. We are in growth mode, adding commercial insurance advocates and expanding our relationships with more than 65 of the top insurance companies in Canada. In short, we are aligning the best value and solutions specific to each client’s unique needs and infrastructure every day.
Prefer to speak with one of us? Call us toll free now at 1-866-287-0448
What the Canadian government is doing to assess technology risks in the financial sector
It’s not just financial services feeling the heat. The federal government is well aware of the threat that hackers, criminals and spies pose to the industry and to our economy. That’s why the Office of the Superintendent of Financial Institutions requested industry insights for “Developing financial sector resilience in a digital world”, a new discussion paper.
Here’s what the government is looking to build with this intelligence:
“OSFI’s strategic objective to ensure that federally-regulated financial institutions and pension plans are better prepared to identify and develop resilience to non-financial risks before they negatively affect their financial condition. While technology is a key enabler for financial institutions and financial consumers, its widespread use and rapid adoption can pose risks in many different areas of the business if not properly understood and managed.
Understanding the financial sector’s use of technology and how technology risks are managed is central to this consultation. OSFI’s discussion paper focuses on the risk areas of cyber security, advanced analytics (artificial intelligence and machine learning), and the use of third party services such as cloud computing.”3
OSFI-BSIF.gc.ca: OSFI launches consultation on technology risks in the financial sector
And ultimately, “OSFI’s Strategic Plan 2019-2022 aims to ensure that Federally Regulated Financial Institutions are better prepared to identify and develop resilience to non-financial risks before these risks negatively affect their financial condition.”4
How cyber insurance can help…
Cyber insurance not only provides the financial resources to deal with potentially catastrophic events, but also provides access to some of the industry’s top professionals to help you deal with everything required after a breach occurs.
What any Canadian organization can do to manage cyber risks now
“For organizations, cybersecurity is about risk management. You can’t manage risk if you don’t have a plan based on a cybersecurity framework. Briefly, list what applications and data you have, list the security weaknesses and plan for fixing them. The goal is to create a detailed strategy for the IT staff to follow, and an easier to follow quarterly report for senior management ranking issues in seriousness by numbers — say, 1 to 5 — or by colours — say red, yellow and green. Understand that rarely will everything be green. Cyber risks regularly change. But this will give management a better idea of what’s going on.
If you’re a small or medium-sized Canadian firm the federal government suggests using the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls framework. Start by making an inventory of all the hardware, software and data the organization uses. Consider regulatory requirements for data security, including privacy laws. Create a risk assessment: How likely is data to be exposed by an attack? What impact will that have? Then set goals.”
ITWorldCanada.com: Cyber Security Today – Make these cybersecurity New Year’s Resolutions
In addition to the above, the following are also tangible and practical things Canadian organizations can do to better secure their data and entire organizations:
- Determine how to best secure applications, data and websites through defences like firewalls, anti-malware software, virtual private networks, user behaviour monitoring software and the like.
- Create application security settings that become the corporate standard. Create an application patching strategy.
- Pay close attention to protecting administrative accounts with multi-factor authentication.
- And create an employee data access policy with the principle of only giving employees access to the data they need for their jobs.
- In addition, create a policy for protecting data — what data needs to be segregated, what needs to be encrypted. And create an implementation plan for those policies.
- Above all, create a data backup policy — does data need to be backed up hourly, daily, weekly. Test that backup plan. Create an incident response plan for cyber attacks. Create a disaster recovery plan. Test those plans.