Norman Kromberg

Norman Kromberg serves as a Managing Director at NetSPI, bringing over 30+ years of expertise in the cybersecurity, information assurance, risk management, and software quality and compliance arena. Previously, he served as CISO, regulator, and IT auditor consultant, implementing and improving security maturity at three global companies. Norm’s background includes security leadership, security operations, and regulatory compliance in the financial sector.
More by Norman Kromberg
WP_Query Object
(
    [query] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "117"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "117"
                            [compare] => LIKE
                        )

                )

        )

    [query_vars] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "117"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "117"
                            [compare] => LIKE
                        )

                )

            [error] => 
            [m] => 
            [p] => 0
            [post_parent] => 
            [subpost] => 
            [subpost_id] => 
            [attachment] => 
            [attachment_id] => 0
            [name] => 
            [pagename] => 
            [page_id] => 0
            [second] => 
            [minute] => 
            [hour] => 
            [day] => 0
            [monthnum] => 0
            [year] => 0
            [w] => 0
            [category_name] => 
            [tag] => 
            [cat] => 
            [tag_id] => 
            [author] => 
            [author_name] => 
            [feed] => 
            [tb] => 
            [paged] => 0
            [meta_key] => 
            [meta_value] => 
            [preview] => 
            [s] => 
            [sentence] => 
            [title] => 
            [fields] => 
            [menu_order] => 
            [embed] => 
            [category__in] => Array
                (
                )

            [category__not_in] => Array
                (
                )

            [category__and] => Array
                (
                )

            [post__in] => Array
                (
                )

            [post__not_in] => Array
                (
                )

            [post_name__in] => Array
                (
                )

            [tag__in] => Array
                (
                )

            [tag__not_in] => Array
                (
                )

            [tag__and] => Array
                (
                )

            [tag_slug__in] => Array
                (
                )

            [tag_slug__and] => Array
                (
                )

            [post_parent__in] => Array
                (
                )

            [post_parent__not_in] => Array
                (
                )

            [author__in] => Array
                (
                )

            [author__not_in] => Array
                (
                )

            [ignore_sticky_posts] => 
            [suppress_filters] => 
            [cache_results] => 
            [update_post_term_cache] => 1
            [lazy_load_term_meta] => 1
            [update_post_meta_cache] => 1
            [nopaging] => 1
            [comments_per_page] => 50
            [no_found_rows] => 
            [order] => DESC
        )

    [tax_query] => WP_Tax_Query Object
        (
            [queries] => Array
                (
                )

            [relation] => AND
            [table_aliases:protected] => Array
                (
                )

            [queried_terms] => Array
                (
                )

            [primary_table] => wp_posts
            [primary_id_column] => ID
        )

    [meta_query] => WP_Meta_Query Object
        (
            [queries] => Array
                (
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "117"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "117"
                            [compare] => LIKE
                        )

                    [relation] => OR
                )

            [relation] => OR
            [meta_table] => wp_postmeta
            [meta_id_column] => post_id
            [primary_table] => wp_posts
            [primary_id_column] => ID
            [table_aliases:protected] => Array
                (
                    [0] => wp_postmeta
                )

            [clauses:protected] => Array
                (
                    [wp_postmeta] => Array
                        (
                            [key] => new_authors
                            [value] => "117"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                    [wp_postmeta-1] => Array
                        (
                            [key] => new_presenters
                            [value] => "117"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                )

            [has_or_relation:protected] => 1
        )

    [date_query] => 
    [request] => 
			SELECT   wp_posts.*
			FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id )
			WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{f990c064b1b516ba373b3b7a9119bf73fb008cbceec484fa0620af251e423859}\"117\"{f990c064b1b516ba373b3b7a9119bf73fb008cbceec484fa0620af251e423859}' ) 
  OR 
  ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{f990c064b1b516ba373b3b7a9119bf73fb008cbceec484fa0620af251e423859}\"117\"{f990c064b1b516ba373b3b7a9119bf73fb008cbceec484fa0620af251e423859}' )
) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish'))
			GROUP BY wp_posts.ID
			ORDER BY wp_posts.post_date DESC
			
		
    [posts] => Array
        (
            [0] => WP_Post Object
                (
                    [ID] => 28435
                    [post_author] => 117
                    [post_date] => 2022-09-20 09:00:00
                    [post_date_gmt] => 2022-09-20 14:00:00
                    [post_content] => 

On September 20, Payments Journal featured NetSPI Managing Director Norman Kromberg's article on Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals. Read the preview below or view it online.

+++

If asked what the top industry for cyberattacks is, everyone would likely mention financial services. Banks, specifically, continue to be one of the top targets for cybercriminals, due to the critical assets financial institutions possess – primarily personal customer data and money.

It is one of the most targeted sectors for a reason, with the cost of cybercrimes being the highest in the banking industry, reaching $18.3 million annually per company. But, the financial industry is also known to have some of the most mature cybersecurity programs, which equates to quick remediation.

In recent years, we’ve seen a rise in digital banking, which was largely accelerated by the pandemic. This has led to an increased, more complex attack surface for cybercriminals, and more entry points.

In fact, in the first half of 2021 alone, the industry reported 30% more ransomware attacks than in all of 2020. As a result, regulators and cyber insurance underwriters have become stricter, making it vital – and often required – that banks, and the financial industry as a whole, have offensive cybersecurity strategies in place that are tailored to their unique threat landscape.

As financial institutions grapple to adhere to these mandates, many have seen the value in metrics in meeting such strict requirements. There are many ways to utilize metrics for business success, including determining a company’s IT footprint, time to breach remediation, and revenue being prioritized for security measures, just to name a few. In this piece we’ll dive into three of the top metrics cybersecurity experts can use to adhere to regulatory demand.

Read the full article at Payments Journal!

[post_title] => Payments Journal: Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals [post_excerpt] => On September 20, Payments Journal featured NetSPI Managing Director Norman Kromberg's article on Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => payments-journal-actionable-metrics-for-banks [to_ping] => [pinged] => [post_modified] => 2022-09-27 09:48:33 [post_modified_gmt] => 2022-09-27 14:48:33 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28435 [menu_order] => 6 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 28168 [post_author] => 117 [post_date] => 2022-07-29 10:56:00 [post_date_gmt] => 2022-07-29 15:56:00 [post_content] =>

On July 29, NetSPI Managing Director Norman Kromberg was featured in an article in VentureBeat called Cyber Insurance is On the Rise, and Organizational Security Postures Must Follow Suit. Read the preview below or view it online.

+++

Despite best efforts to the contrary — ransomware, hacks and data breaches are more prevalent than ever.

Close to 75% of global cyber-risk decision makers report that their company experienced at least one cyberattack in the past year — and just 3% of respondents rated their company’s cyber hygiene as “excellent.” Furthermore, recent research puts the average ransom payout at $211,529.

Naturally, to protect themselves, more organizations are investing — often significantly — in cyber insurance, particularly as cybersecurity breaches, hacks and ransomware attacks are often not included in traditional policies.

Cyber insurance companies, in turn, are increasing premiums and becoming ever more selective about the companies they’re willing to insure. 

Insurance at a premium

Cyber insurance is much like other insurance coverage. It is a means to manage risk and loss from certain events — in this case, cyberthreats. 

Although it varies by insurer and amount carried, policies can cover costs associated with business email compromise, ransomware attacks, phishing attacks and other social engineering attacks, explained Jennifer Mulvihill, business development head for cyber insurance and legal at cyber defense platform company BlueVoyant. Policies can also provide both first-party and third-party coverage, she said. 

All told, the cyber insurance market is expected to be $25 billion by 2026, according to an annual cyber report by The Howden Group. The National Association of Insurance Commissioners also reports that cyber insurance premiums collected by the largest U.S. insurance carriers in 2021 increased by 92% year-over-year. 

This trend will only continue, predicted Norman Kromberg, managing director at cybersecurity company NetSPI. Today’s unpredictable threat market makes it challenging for insurers to accurately evaluate an organization’s IT management and security control maturity. He anticipates that it will be more and more difficult to receive payouts for claims, particularly if there is a breakdown in controls. 

You can read the full article at VentureBeat!

[post_title] => VentureBeat: Cyber Insurance is On the Rise, and Organizational Security Postures Must Follow Suit [post_excerpt] => On July 29, NetSPI Managing Director Norman Kromberg was featured in an article in VentureBeat called Cyber Insurance is On the Rise, and Organizational Security Postures Must Follow Suit. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => venturebeat-cyber-insurance-on-the-rise [to_ping] => [pinged] => [post_modified] => 2022-08-04 14:47:54 [post_modified_gmt] => 2022-08-04 19:47:54 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28168 [menu_order] => 33 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 27999 [post_author] => 53 [post_date] => 2022-06-28 10:54:22 [post_date_gmt] => 2022-06-28 15:54:22 [post_content] =>

According to McKinsey & Company, the banking sector is one of the most advanced in cybersecurity maturity, due to the regulatory environment, consumer expectations, and competitive pressures. However, the industry also remains a top target for cyber adversaries – It’s the second most attacked industry, according to the 2022 IBM Security X-Force Threat Intelligence Index.

The push and pull of cybersecurity threats and maturity creates a unique threat landscape for financial institutions. To help navigate the landscape and thwart emerging threats, offensive – or proactive – security is essential.

In this webinar you’ll hear from Travis Hoyt, NetSPI CTO and former cybersecurity and technology executive at TIAA and Bank of America, and Norman Kromberg, NetSPI Managing Director, a former CISO, and technology risk auditor for financial institutions.

Join our conversation to learn about:

  • Pressures and risks banks face today
  • Offensive security best practices
  • What’s next for financial services cybersecurity 
[post_title] => Financial Services Cybersecurity Best Practices: Part 2 – Offensive Security [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => financial-services-cybersecurity-part-two [to_ping] => [pinged] => [post_modified] => 2022-07-22 10:42:46 [post_modified_gmt] => 2022-07-22 15:42:46 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=27999 [menu_order] => 5 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 27811 [post_author] => 53 [post_date] => 2022-06-01 10:13:56 [post_date_gmt] => 2022-06-01 15:13:56 [post_content] =>

Financial institutions are a major target for cyberattacks. After all, criminals gravitate to where the money is. 

Due to the highly regulated nature of the financial industry, the demand for cybersecurity insurance has grown substantially over the past few years to help manage and reduce risk in the event of a security incident. As attacks increase in sophistication and impact, there are unique considerations and circumstances business and security leaders at banks must understand in order to attain secure coverage. 

In this webinar, we sit down with Ethan Harrington, Founder and Principal at 221b Consulting and former H&R Block Director of Enterprise Risk Management and Security Insurance, and Mary Roop, a 15-year insurance and risk management veteran, to explore everything financial institutions should know about cybersecurity insurance. They’ll answer all your burning questions, including:

  • What is commonly covered in cybersecurity insurance for financial institutions?  
  • What do I need to do / track to earn my certificate of insurance?
  • How do you see the cyber insurance landscape changing over the next few years? 
[post_title] => Financial Services Cybersecurity Best Practices: Part 1 – Cyber Insurance [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => financial-services-cybersecurity-insurance [to_ping] => [pinged] => [post_modified] => 2022-06-23 15:05:13 [post_modified_gmt] => 2022-06-23 20:05:13 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=27811 [menu_order] => 7 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 27756 [post_author] => 85 [post_date] => 2022-05-17 08:00:00 [post_date_gmt] => 2022-05-17 13:00:00 [post_content] =>

This is part two of our blog series that delves into cybersecurity for the financial services industry.

In part one, we discuss the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations.

In this part, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their regulators and leadership peers. We’ll also discuss opportunities to improve those metrics and address key challenges CISOs experience when building mature programs.

Let’s dive in.

Three Cybersecurity Metrics to Help Financial Institutions Tell Their Story to Regulators

The rise in cyberattacks against financial institutions means heightened scrutiny from bank regulators and more stringent compliance requirements. So, how can banks provide a thorough assessment of their security program to show regulators that they’re meeting regulatory requirements – and are keeping consumers and their data safe?

We can achieve that by identifying and keeping track of cybersecurity metrics that tell a powerful story.

These metrics are critical in two scenarios: to communicate your security program maturity and compliance to financial services industry regulators and to your leadership team/board to make the case for additional budget or resources.

When using metrics, keep in mind context over time is a key success factor for communication on trends. And consider the alignment with other metrics used to measure overall business success.

Cybersecurity metrics are historically challenging to determine as they don’t correlate directly to revenue or profit gain and are often proactive in nature. However, if you choose wisely they can help you benchmark your current cybersecurity program and show how your investments have impacted your organization over time.

To set a solid metric foundation, consider these three key cybersecurity metrics:

  1. Asset footprint: Anything that gives an accurate depiction of all your assets may be considered your asset footprint. This includes ephemeral assets (e.g., auto scaling compute or containers) and the number of endpoints per dollar of assets under control. For example, in endpoint management, you’re managing the number of devices, servers, or systems that are trying to access your company’s network. Taking inventory of all endpoints provides you with a better view of your security posture and how much it costs to manage your assets. The caveat is that this method works now, but not ideal for measuring your assets moving forward.
  2. Time to remediation: How long does it take to fix your critical vulnerabilities? What is the time it took to identify critical issues from discovery to vulnerability remediation? Being able to track this context over time provides an overall assessment of your risk profile. A scenario to consider: if your company doubles in size but the number of vulnerabilities remains the same or has increased, you need to investigate that.
  3. Percentage of revenue that makes up your cybersecurity budget: What percentage of the overall organizational revenue is being spent on cybersecurity? Is that spend increasing, but the number of vulnerabilities, security incidents, fraud reports, etc. remaining the same? Keeping track of your budget relative to your security outcomes can indicate the health of your program and areas that may require reevaluation.

For metric number three, you’ll need to partner with your CFO and finance team to track your progress over time. But for metrics one and two, it will be critical to formulate a plan to capture and improve these metrics to prepare for your next audit or budget meeting. Here are three ways to accomplish this:

  • To measure and improve your asset footprint, leverage Attack Surface Management (ASM): ASM identifies and detects all known, unknown, and potentially vulnerable assets across your attack surface whenever there is exposure – not just what’s internet facing but in B2B network connections or peered cloud services too. ASM enables a comprehensive view of your environment from the outside in.
  • To measure and improve time to remediation, leverage Penetration Testing as a Service (PTaaS): PTaaS combines technology with human expertise to find critical vulnerabilities that tools and traditional pentesting processes miss. The key here will be to work with a partner that can orchestrate and manage your vulnerabilities in a dynamic platform that allows you to track your remediation progress over time (see: NetSPI Resolve).

Check out these case studies to learn how two banks leveraged penetration testing to address the unique challenges financial firms face:

How to Articulate the Need for Budget

One of the challenges that we personally experienced in our roles as in-house security leaders and CISOs is the need to articulate budgetary needs to the leadership team and the board.

You need money and resources to employ the right people and acquire the necessary tools to protect your organization, right? This is correct, but you also need to recognize that the metrics you’re currently sharing may not align with the priorities of the CEO or the board. This gets even more challenging when the CEO or board hasn’t funded these initiatives historically.

So, what are ways you can effectively approach this?

First, understand that it’s not about confronting the board or the CEO. It’s about empowering them to articulate the risks they’re willing to take (e.g., risk of a possible breach, exposing consumer PII, etc.)

It’s important to engage with your leadership team and spend the time building this relationship so you both are aligned with the security or control posture of the organization. Security leadership should never operate in a silo.

Second, don’t tell half the story, tell the whole story. Explain how your budget decisions align with the company’s priorities: generating revenue, achieving company goals, maintaining a positive public reputation, etc. Articulate your metrics in the terms and language they understand to effectively tell you cybersecurity maturity story and make the case for additional support.

For more on this topic, read How To Eliminate Friction Between Business and Cyber Security.

Strategic Cybersecurity for Financial Institutions

More than ever, it’s important to be strategic when improving cybersecurity in the financial industry. Here are two things to consider to set you on the right path toward security program maturity:

  • Tool overload and alert fatigue. Be mindful of purchasing capabilities you can’t manage or extract the value from. Why? Because you’re going to have to find the people to address all the data you aggregate. This lack of alert coverage and response could result in hesitancy from your leadership team or regulators.
  • Technical leaders vs. security leaders. When you hire, ensure that your technical team also understands security and why it matters to your business. Someone with a technical background may not truly grasp security concepts and strategy. Ensure you have a balanced team that can help you articulate your metrics as outlined above.

If there is one thing we want you to take away from this blog post, it is this: financial cybersecurity is an ongoing effort – it is a not a point-in-time commitment. Continuous improvement is essential to telling your cybersecurity story – and the metrics you choose to measure and the way you communicate them will be the backbone of that story.

NetSPI is the industry leader in pentesting and currently partners with 9/10 top US banks in the nation. Connect with us today for your bank pentesting solutions and needs.
[post_title] => Cybersecurity for Financial Institutions—Part 2: Metrics [post_excerpt] => Explore measurable and actionable metrics every bank should track to craft a powerful cybersecurity story for their regulators. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cybersecurity-for-financial-institutions-part-2-metrics [to_ping] => [pinged] => [post_modified] => 2022-05-16 09:31:30 [post_modified_gmt] => 2022-05-16 14:31:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27756 [menu_order] => 61 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 27742 [post_author] => 53 [post_date] => 2022-05-04 10:17:11 [post_date_gmt] => 2022-05-04 15:17:11 [post_content] =>

NetSPI Managing Director Norman Kromberg moderated a panel of CISOs and cybersecurity leaders at FutureCon Omaha. During the “Omaha CISO Panel” they discussed the cyberthreats that security leaders face today and the practices they are implementing to address the threats, among other topics.  

Watch the recording below to learn the approaches First National Bank of Omaha Deputy CISO Sara Flores, Lindsay Corporation CIO Melissa Moreno, Metropolitan Community College CIO/CISO Chad Lynch, Hudl VP CISO Robert LaMagna-Reiter use to manage cybersecurity risk amidst the ever-changing threat landscape.

https://youtu.be/_ksWDzgmyk0

Want to continue the conversation? Connect with our team to learn how you can better defend against real-world cyber-attacks using our platform-driven, human-delivered approach to offensive cybersecurity.

[post_title] => FutureCon Omaha 2022: Cybersecurity Leaders Discuss Current Cyberthreats and Practices [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => futurecon-2022-omaha-ciso-panel [to_ping] => [pinged] => [post_modified] => 2022-05-04 10:18:35 [post_modified_gmt] => 2022-05-04 15:18:35 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=27742 [menu_order] => 9 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 27725 [post_author] => 85 [post_date] => 2022-05-03 08:00:00 [post_date_gmt] => 2022-05-03 13:00:00 [post_content] =>

The financial industry is a top target for cyberattacks. Just behind healthcare, the financial industry is the second most targeted sector, accounting for 12% of all breaches. But what makes banks such a high-profile target for cybercriminals?  

The critical assets that financial institutions store – customer personal data and money – make them a lucrative target for cybercriminals. In recent years, we saw a steady inclination towards digitization in the financial industry, and the onset of COVID-19 only accelerated this momentum. Employees transitioning to remote work and customers relying on online transactions mean an ever-expanding attack surface.   

Although cybercrime is attempted frequently, the financial industry is known to implement some of the most mature cybersecurity programs.  

According to consulting firm McKinsey & Company, the banking sector is one of the most advanced in cybersecurity maturity, due to the regulatory environment, consumer expectations, and competitive pressures. These nuances alone create a unique threat landscape for banks across the globe.  

In this two-part blog series, we will dive into cybersecurity for financial institutions. This first blog will explore the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations – and in turn, their customers.  

In part two, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their unique threat landscape.    

For additional reading on financial industry cybersecurity, check out these resources: 

The Current State of Financial Cybersecurity 

Cybersecurity decisions are driven by security professionals, technology leaders, business executives, vendors/partners, board of directors, auditors, and regulators. The groups work in partnership to provide some of the most mature security programs.  

Banks must comply with established regulators – often run by agencies such as the FDIC, OCC, NYDFS, and FRB in the US; the FCA in the UK; and OSFI in Canada – to oversee banking operations. Regulators ensure that banks comply with industry standards and consumer protection laws, and they oversee the soundness of the financial institution.  

Banks that undergo a cybersecurity breach suffer from financial, reputational, and regulatory impacts. In addition to that, banks that receive a MRA (Matter Requiring Attention), or worse a MRIA (Matter Requiring Immediate Attention) from a previous examination or inspection will find themselves under intense scrutiny. This drives up operating costs and distracts resources away from other initiatives.  

A medium-sized bank with smaller and less mature cyber functions is more likely to suffer a more impactful impairment. Larger banks that have had significant investments are not immune to compromise. But, because they’ve had the necessary investment to develop robust programs over the last two decades, they are less likely to experience a substantial impact.  

This highlights that the current state of cybersecurity is situational and truly depends on various organizational factors and the accompanying unique cybersecurity considerations. For example, the size of your organization, type of banking services provided, who your examiners are, and location, among other factors.  

Keeping that in mind, here are five things we know to be true today regarding today’s financial cybersecurity landscape: 

  • Large banks invest more resources and money into their cybersecurity programs to accommodate for the complex and costly processes needed to avoid risks.   
  • The larger your organization, the more complex your environment is to secure. 
  • Evolving regulatory frameworks account for the size and systemic risk a given institution has on the entire financial system.
  • Banks with an international presence face the increased complexity of dealing with regulatory requirements globally. 
  • There is a significant investment in cybersecurity for financial institutions. 

To understand these concepts in depth, let’s look at four key cybersecurity challenges the banking industry faces today. 

Keeping up with Banking Cybersecurity Regulations 

Different banks have different regulatory imperatives based on where they operate. For instance, in the US, the Financial Industry Regulatory Authority (FINRA) operates at the multinational level, the Office of the Comptroller of the Currency (OCC) at the national level, and the New York State Department of Financial Services (NYDFS) at the state level.  

To keep up with the regulatory requirements domestically and internationally, security leaders must work closely with their risk and governance leadership to establish an effective compliance strategy to ensure security protects the enterprise while meeting the expectations of regulators. A strategy that maps regulatory requirements back to the business’ reporting processes is essential since banks work with different countries that implements their own compliance laws.  

Furthermore, evolving privacy standards, such as General Data Protection Regulation (GDPR), have a tone of security built into their compliance requirements. It’s important to understand how your security practices can help you comply with privacy standards, although they do not explicitly evaluate cybersecurity. 

At the national level in the US, there is a mix of consumer privacy laws to regulate what financial institutions can do with specific types of consumer data, but there is no single legislation that all privacy laws fall under. In fact, only California, Virginia, and Colorado have comprehensive consumer privacy laws. Many states enact their own privacy laws, but they are either incompatible or the data overlaps. For instance, a state may define a breach and what constitutes as personal data differently from another state.   

Retaining Financial Industry Cybersecurity Talent 

Across the spectrum, financial institutions struggle to attract and retain cybersecurity talent. Although this changes from organization to organization. For instance, larger banks have the funding to attract talent compared to smaller banks that experience more difficulty in this arena. And non-traditional financial institutions may have better luck attracting talent if they have flexible work-from-home policies. As other sectors like healthcare improve their cyber posture, competition for talent is increasing. 

The COVID-19 pandemic has created significant demand for remote or hybrid roles. Unfortunately, many financial institutions are not opting to allow this given the traditional nature of the industry. This can deter security candidates from seeking roles in the industry especially since other industries offer competitive pay with the added benefit of being remote.  

For smaller banks that lack cybersecurity experts with the necessary background, third-party service providers can help solve hiring challenges and serve as an extension of their team. NetSPI specifically leverages its penetration testing experts and technologies to perform offensive security testing and help financial institutions discover, prioritize, manage, and remediate their security vulnerabilities.  

Providers that take a partnership approach can also help organizations meet their objectives and offer services with a bench strength that they are unable to attract or retain themselves. 

Regulators Are Your Partners, Not Your Enemy 

Regulations are put in place to protect financial institutions and their customers. In cybersecurity, you’re only able to safeguard your critical assets to an extent if you’re not keeping pace with the ever-changing threat landscape. 

The independent nature of regulators is a resource many other industries don’t have. They’re able to provide unique perspectives based on the independence and years of experience an organization has. Having the ability to bridge the gap through the market and within the organization makes them an ideal partner to protect your organization and customers. Transparency and actively reaching out to your assigned auditors will be key in this process.  

Start by engaging with them in conversations about the future of your organization. Engaging in conversations early in the pipeline and gauging their opinion will open opportunities for more discussion and insights that will help you with compliance.  

You also want to work in tandem with your regulator to leverage regulatory requirements against existing controls and efforts to address control gaps in the organization. This enables the regulator to gain a better understanding of the company’s risk culture to effectively map the regulatory requirements back to the business’ operating systems. Then, the board and executive leadership team can make sound decisions relating to budget and risks.    

Ultimately, your cybersecurity team and the regulator share the same goal – to protect your customer - so it is important to realize that your regulator is not your enemy, but your partner in maturing your organization.     

Prioritizing Investments Within Financial Industry Cybersecurity 

We predict that the banking community will continue to invest more in its cybersecurity programs compared to any other industry. Estimates forecast this industry will account for more than 30% of all security spending worldwide.  

But how should financial organizations prioritize that spending? By focusing on risk. 

What vulnerabilities, if exploited, would cause the most harm to your organization and customers? Fix those first.  

What part of your business is responsible for most of your revenue? Increase your investments in securing this portion of your business.  

Implementing new technologies or architectures (see: blockchain security)? Understand the cybersecurity implications before deployment.  

Just because you are compliant, does not mean you are secure. That’s worth repeating: just because you are compliant, does not mean you are secure. Shifting to a risk-based mindset will set financial institutions up for future success and elevate your program maturity. 

NetSPI is the industry leader in pentesting and currently partners with 9/10 top US banks in the nation. Connect with us today for your bank pentesting solutions and needs.
[post_title] => Cybersecurity for Financial Institutions—Part 1: An Overview [post_excerpt] => Read an overview of the state of cybersecurity in the financial industry and three considerations to better protect your organization and customers. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cybersecurity-for-financial-institutions-part-1-an-overview [to_ping] => [pinged] => [post_modified] => 2022-06-21 13:51:17 [post_modified_gmt] => 2022-06-21 18:51:17 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27725 [menu_order] => 67 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 7 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 28435 [post_author] => 117 [post_date] => 2022-09-20 09:00:00 [post_date_gmt] => 2022-09-20 14:00:00 [post_content] =>

On September 20, Payments Journal featured NetSPI Managing Director Norman Kromberg's article on Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals. Read the preview below or view it online.

+++

If asked what the top industry for cyberattacks is, everyone would likely mention financial services. Banks, specifically, continue to be one of the top targets for cybercriminals, due to the critical assets financial institutions possess – primarily personal customer data and money.

It is one of the most targeted sectors for a reason, with the cost of cybercrimes being the highest in the banking industry, reaching $18.3 million annually per company. But, the financial industry is also known to have some of the most mature cybersecurity programs, which equates to quick remediation.

In recent years, we’ve seen a rise in digital banking, which was largely accelerated by the pandemic. This has led to an increased, more complex attack surface for cybercriminals, and more entry points.

In fact, in the first half of 2021 alone, the industry reported 30% more ransomware attacks than in all of 2020. As a result, regulators and cyber insurance underwriters have become stricter, making it vital – and often required – that banks, and the financial industry as a whole, have offensive cybersecurity strategies in place that are tailored to their unique threat landscape.

As financial institutions grapple to adhere to these mandates, many have seen the value in metrics in meeting such strict requirements. There are many ways to utilize metrics for business success, including determining a company’s IT footprint, time to breach remediation, and revenue being prioritized for security measures, just to name a few. In this piece we’ll dive into three of the top metrics cybersecurity experts can use to adhere to regulatory demand.

Read the full article at Payments Journal!

[post_title] => Payments Journal: Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals [post_excerpt] => On September 20, Payments Journal featured NetSPI Managing Director Norman Kromberg's article on Three Actionable Metrics Banks Can Track to Stay Ahead of Cybercriminals. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => payments-journal-actionable-metrics-for-banks [to_ping] => [pinged] => [post_modified] => 2022-09-27 09:48:33 [post_modified_gmt] => 2022-09-27 14:48:33 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28435 [menu_order] => 6 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 7 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 43b0a29296f66d46c20247f277745ee5 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )