A Guide to Risk Assessments for the Financial Services Sector

Every business that uses the Internet today is susceptible to cyber risk. But few face the same volume of incidents and breaches—or the same mountain of regulatory hurdles—as financial services. 

The well-known Verizon DBIR 2023* “examined 16,312 incidents, of which 5,199 were confirmed data breaches.” The financial and insurance sector experienced “1,832 incidents, 480 with confirmed data disclosure.” This made them the third-highest identified sector for security incidents and the second-highest for breaches. 

It’s no surprise that financial services firms are a popular target for security breaches, given the kinds of data they possess and process. Personally identifiable data and financial data are among the juiciest. 

Additionally, financial services firms must meet a bevy of compliance regulations related to the usage of data, which may include:

• PCI DSS
• Sarbanes-Oxley Act (SOX)
• Gramm-Leach-Bliley (GLBA)
• GDPR
• ISO 27001

There are also many U.S. state regulations, such as the New York DFS Cybersecurity Regulation and California Consumer Privacy Act, the latter of which has similar rules in other states throughout the country.

Although achieving absolute risk-proof status is impossible, proactive measures can be implemented to minimize risk and protect the business against security breaches and non-compliance. 

Armed with the knowledge and strategy from a risk assessment, appropriate steps can be taken to mitigate financial services cyber risks more effectively.

Why risk assessments matter for financial services institutions

Risk assessment should be fundamental to any financial institution’s security strategy. Financial institutions must continuously assess their unique risks, balance them against potential rewards, and base their security decisions on these evaluations. Risk assessments are crucial to meeting regulatory requirements such as those described above.

Financial services organizations should focus on three main types of risk when conducting risk assessments: cybersecurity and technology, operational, and regulatory and compliance risks. Addressing these risks helps meet regulatory frameworks and requirements intended to ensure security for investors, shareholders, customers, and the broader market.

Of course, assessing and mitigating these risks can also help decrease the cost of cyber insurance.

So, where to start? The first step is to select a risk assessment framework to apply to your organization.

Key objectives of implementing any risk management framework include:

• Establishing a risk profile and conducting quantitative risk assessments
• Identifying strategies to mitigate risks and justifying associated costs
• Creating an inventory of assets
• Documenting and documenting identified risks
• Understanding the return on investment for risk mitigation efforts.

How to choose a risk assessment framework

Risk assessment frameworks provide a systematic approach to identifying potential threats to your business and evaluating their theoretical severity. The good news is there’s no need to start from square one.

Numerous well-known risk assessment frameworks (with punchy acronyms to boot) are available, including:

• NIST Risk Management Framework
• OCTAVE
• COSO
• ISO 31000
• COBIT
• TARA
• FAIR

Unless your organization has a specific reason to choose one of the frameworks above, such as a customer request or guidance from an external risk assessor, the NIST Risk Management Framework is well-regarded and an excellent place to start, especially for leaner IT teams. 

How and how often to conduct a risk assessment

Regardless of the risk assessment framework you choose, these are the key steps you’ll need to take:

• Identify Risks: Identify potential threats to your business, such as natural disasters, pandemics, cyberattacks, system shutdowns, power failures, or utility outages.
• Assess Impact: Prioritize risks with significant potential impact. Analyze each risk’s severity and effects on stakeholders, including reputation, infrastructure, safety, data, or operations.
• Evaluate Risks: Assess risks and create measures to reduce their impact. Financial loss, legal issues, property damage, and business interruptions are potential damages.”
• Record Findings: Document findings comprehensively and ensure stakeholder accessibility. Record identified risks, damages, affected parties, and mitigation plans.
• Review and Update: Regularly update risk documentation to ensure strategies stay effective in dynamic business environments.”

So, how often should you conduct and update your risk assessments? It depends on your organization and risk profile, but some guidelines exist.

The Financial Crimes Enforcement Network (FinCEN) in the United States recommends that financial institutions update risk assessment frameworks at least every 12 to 18 months. Learn more about how this applies to your organization here: https://fincen.gov/resources. 

Here are some critical steps to be sure you follow when conducting risk assessments:

• Tailor it to your specific financial institution

1. 1. • Be specific with the information you process, transfer, store, etc.
      • Don’t generalize or be overly vague.

• Find copies of any previous risk assessments conducted

1. 1. • Understand what has been done in the past.
      • If possible, don’t start from scratch, but ensure that you update the assessment with any changes to your business or risk profile.
      • Talk to anyone involved in past risk assessments.
      • Identify gaps in past risk assessments.

• Conduct background research

1. 1. • You should speak with industry peers about their approach to risk assessments.
      • Consider bringing in a consultant for a one-time consult or ongoing support.
      • Consult online forums and search engines to fill in any gaps for your unique use case that need to be covered here.

• Understand potential exposures

1. 1. • Use any security tools available at your organization (or invest in new ones as needed) to research what exposures you may already have. 

• Put appropriate mitigation measures in place 

1. 1. • For any current exposures or likely / highly possible exposures, ensure you have a risk mitigation plan in place, including investing in security tools where needed.

• Document your decision-making process

1. • External examiners will want to see a documented decision-making process that includes your analysis and decisions. 
   • Ensure you document clear reasoning and support for all decisions.

For steps four and five, we highly recommend using a risk assessment matrix or tool, such as this template from TechTarget.

Risk assessments can be categorized as either quantitative or qualitative. In a quantitative assessment, numerical values are assigned to the probability of risk occurrence and its potential impact. This enables the calculation of a risk factor with a tangible effect on revenue.

On the other hand, qualitative risk assessments lack numerical values for probability or predicted loss amount. Instead, risks are simply classified as more or less harmful without specific numerical quantification. Our advice? Use quantification wherever you can, but don’t skip over risks simply because you don’t have a way to quantify their potential impact. Document as much as you can.

How Blumira can help decrease financial services risk and boost security

Blumira’s SIEM platform for threat detection and response can fulfill many areas of risk mitigation and support your risk management plan. For example, our SIEM + XDR platform offers one year of data retention to meet compliance (and insurance) requirements; these are key to include in your risk assessment documentation.

Additionally, with Blumira on board, it’s simpler to demonstrate and manage your risk mitigation plan, no matter your team’s size. You no longer have to worry about having a big enough staff to constantly monitor every potential threat and risk.

As the systems architect Todd A. Tetzlaff at Greenleaf Trust, a Blumira customer, put it: “​I’m pulled in a lot of different directions, so I don’t have the time to really devote to investigating all the threats that are out there… So Blumira really, really offsets that so much for us, which allows me to do all the other things that I need to do in my daily work life.” 

As Keith Knisely, Assistant VP/IT Specialist of SouthTrust Bank, another Blumira customer, states, “Blumira is really easy to understand – you don’t need a degree to be an expert to operate and understand what the system is doing. It provides a lot of value for the cost, including all of the features you get and having one centralized area to send everything to detect very quickly; we can easily track what’s happening, what’s being affected, and how to mitigate. It makes our response time really quick.” 

Mitigate complex risks today for a simpler tomorrow

Regular financial services risk assessment frameworks are critical to protecting your organization’s health. Risk assessments are often required to meet compliance and fulfill the various security frameworks needed to conduct business above board.

With a strong risk mitigation plan and the right tools to mitigate risks, your financial services institution can get back to doing what it does best: serving its constituents.

CTA: Blumira helps you reduce financial services security risks without unnecessary complexity. Adopt a streamlined approach to cybersecurity in financial services.

Get your free account today.

*https://www.verizon.com/business/resources/reports/dbir/2023/industries-intro/financial-services-data-security-breaches/

# NIST, siem, financial services, customer reviews, risk assessment, PCI