Tim Chase, Global Field CISO, Lacework

As financial institutions accelerate cloud adoption, cybersecurity risks have become a top priority for financial executives and board members. Rightly so. Nearly all financial services organizations use some form of cloud computing. The average cost of a data breach in the financial services industry is $5.9 million. Today, leaders must balance the risk and rewards that come with digital transformation, make the changes needed to comply with new security regulations, prepare security strategies that keep pace with escalating threats, and effectively manage risks.

Here are some key security trends that financial firms need to know in 2024.

Prepare for expanded regulations

Financial institutions trust and rely on the cloud with their sensitive data — 59% of financial institutions use the cloud to store or process regulated banking information, and 72% expect to do so in the next year. As a result, governments are responding with expanded regulations aimed at oversight and accountability.

In 2023 alone, major new regulatory guidance was enacted around the world. The SEC's cyber risk disclosure rules require “material” cybersecurity incidents to be disclosed to the appropriate regulatory body or authority in a timely fashion. The U.S. also released the Cybersecurity Maturity Model Certification (CMMC), a new Department of Defense (DoD) rule that requires contractors to certify that their cybersecurity controls meet federal requirements. Europe's NIS2 directive — an expansion of the EU's Network and Information Security (NIS) Directive established in 2015 — introduced tighter disclosure requirements for cyber threats, with strict timelines and penalties.

According to Deloitte, industry experts anticipate further requirements in 2024 and beyond, especially surrounding responsible AI usage. This increased governance certainly has benefits and will propel organizations to take security more seriously. But it also makes things more complex, as security teams must balance agility with stiffer reporting rules and audit standards.

My advice is to ingrain security and compliance as strategic priorities right from the start. For smaller firms, make an early investment in a senior security leader to instill a culture and controls that set the stage for future growth. Have regular board-level reviews to ensure security risks are weighed properly against business goals. And empower your security leader with executive support and sufficient resources to proactively identify and mitigate regulatory exposures.

The regulatory road ahead will have twists and turns. But financial institutions that embrace security as a competitive advantage and business priority — not just a compliance checkbox — can navigate it smoothly while building trust with both customers and governments.

The human factor: Your strongest and weakest link

Breaches in financial services carry an astronomical price tag. The root cause of these attacks often traces back to compromised credentials. Stealing credentials is an accessible and cost-effective way for attackers to gain access to cloud environments, and the approach usually works because of our tendency to reuse the same usernames and passwords across numerous websites. While many are aware of the risks of password reuse, 62% of professionals still use the same password for multiple accounts, according to LastPass.

Identity attacks can be hard to catch because the attacker appears to be an authorized user. That’s why it’s important to monitor behavior in your environment to detect anything unusual that could signal an attack occurring. Security tools that incorporate automation, continuous monitoring, and AI-enabled detection provide critical safeguards when our human defenses falter. But realistically, some slip-ups are inevitable in an enterprise environment.
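The behavioural monitoring described above can be made concrete. The following is an added example, not code from the article or from Lacework: it learns a per-user baseline (countries, devices, login hours) from historical successful logins and then flags new logins that deviate from it, including a burst of failures followed by a success and two logins from different countries too close together to be the same person. All event data, user names, device fingerprints and country codes are constructed for the example.

```python
"""Added example: behavioural detection of identity misuse over constructed auth events.

A per-user baseline (countries, devices, login hours) is learned from historical
successful logins; new logins are then scored against it. Every event below is
constructed sample data, not a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical logins used to learn each user's normal behaviour.
BASELINE_EVENTS = [
    {"ts": "2024-03-01T09:05:00", "user": "alice", "country": "US", "device": "laptop-a1", "outcome": "success"},
    {"ts": "2024-03-01T14:20:00", "user": "alice", "country": "US", "device": "laptop-a1", "outcome": "success"},
    {"ts": "2024-03-02T10:01:00", "user": "alice", "country": "US", "device": "phone-a2", "outcome": "success"},
    {"ts": "2024-03-01T08:30:00", "user": "bob", "country": "GB", "device": "laptop-b7", "outcome": "success"},
    {"ts": "2024-03-02T09:10:00", "user": "bob", "country": "GB", "device": "laptop-b7", "outcome": "success"},
]

# Constructed new events: one normal login for alice, a failures-then-success
# pattern against bob from an unfamiliar country and device at an odd hour, and
# a second alice login from another country 78 minutes after the first.
NEW_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "country": "US", "device": "laptop-a1", "outcome": "success"},
    {"ts": "2024-03-04T10:30:00", "user": "alice", "country": "AU", "device": "laptop-a1", "outcome": "success"},
] + [
    {"ts": f"2024-03-04T03:0{i}:00", "user": "bob", "country": "FR", "device": "unknown-x", "outcome": "failure"}
    for i in range(5)
] + [
    {"ts": "2024-03-04T03:05:00", "user": "bob", "country": "FR", "device": "unknown-x", "outcome": "success"},
]


def build_baseline(events):
    """Learn what 'normal' looks like per user from successful logins only."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["outcome"] != "success":
            continue
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["devices"].add(e["device"])
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return dict(profile)


def within_usual_hours(hour, usual_hours, tolerance=1):
    """True if the hour is within `tolerance` hours of any previously seen login hour."""
    return any(abs(hour - h) <= tolerance for h in usual_hours)


def detect(baseline, events, failure_threshold=5, failure_window=timedelta(minutes=10),
           travel_window=timedelta(hours=2)):
    """Return a list of findings; each names the login and every reason it looked abnormal."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failed logins
    last_success = {}                    # user -> (timestamp, country) of last successful login
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["outcome"] != "success":
            recent_failures[user].append(ts)
            continue
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append(f"login from new country {e['country']}")
            if e["device"] not in profile["devices"]:
                reasons.append(f"login from new device {e['device']}")
            if not within_usual_hours(ts.hour, profile["hours"]):
                reasons.append(f"login at unusual hour {ts.hour:02d}:00")
        # Success right after a burst of failures looks like password guessing that worked.
        fails = [t for t in recent_failures[user] if ts - t <= failure_window]
        if len(fails) >= failure_threshold:
            reasons.append(f"success after {len(fails)} failures within {failure_window}")
        # Two successes from different countries inside the travel window cannot both be the user.
        prev = last_success.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] <= travel_window:
            reasons.append(f"impossible travel {prev[1]} -> {e['country']} in {ts - prev[0]}")
        last_success[user] = (ts, e["country"])
        if reasons:
            findings.append({"ts": e["ts"], "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

Each reason is weak evidence on its own; what makes the two flagged logins worth an analyst's time is that several signals coincide on one session. In practice the baseline would be rebuilt continuously from an identity provider's audit stream, and the thresholds tuned to the institution's own false-positive tolerance.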

As threats advance, we can't fall into the trap of over-relying on technology as a magic bullet. That's why executives should invest equally in security education. Establish comprehensive security awareness training, incentivize secure practices, and continually coach employees on spotting the latest phishing lures. Promote a no-blame culture where reporting suspicious activity is rewarded rather than penalized.

Additionally, adopt strong multi-factor authentication across all access points. Make the human element your first line of defense, and support that approach with layered security controls when employees need it most. Your people are both your greatest cyber risk and your greatest asset.

Securing trust takes time; losing it happens in an instant

In financial services, acquiring customers requires immense investment. But breaches can cause those companies to lose that hard-earned trust quickly.

Unfortunately, the cyber road is littered with hazards, from social engineering to ransomware to credential theft. Despite best efforts, some attacks inevitably succeed, given the sophisticated adversaries financial firms face. This is why it’s important to take a realistic approach to security. When breaches do occur, companies need measures in place to identify the breach's potential impact. That information must then be used to prioritize and address the breach effectively and efficiently.

Trust hinges on more than just avoiding breaches. It’s about having resilient plans and a culture of accountability and resilience. Leadership sets the tone, and when leaders prioritize security and compliance on par with growth, preparedness and effective response become ingrained in the culture.

This foundation takes years to build, but can crumble overnight when tested. Financial institutions must take a long view on trust, avoid complacency and continuously strengthen defenses across technology, process and people. Though difficult, building an organizational culture focused on collective resilience provides the best path forward in today's turbulent climate.

Cloud security in finance: A balancing act

Financial organizations face immense pressure to accelerate cloud adoption while also remaining highly vigilant against cyber threats. It's a tough balancing act, but a few focused steps can help strengthen cloud security posture:

- Prepare to address potential risks and active threats in your cloud and gain the context needed to prioritize remedial action.

- Stay up to date with cybersecurity threats and guidance issued by government agencies and follow their recommended best practices. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued guidance on living off the land (LOTL) techniques.

- Build a security-minded culture by gaining leadership support and encouraging security awareness training.

- Implement strong identity and access controls, enabling just-in-time, least privilege access. Verify all users and devices attempting access.

- Gain visibility across your hybrid environment through unified logs and analytics.

- Automate security hygiene tasks like config drift prevention and vulnerability management to reduce risks caused by human error.

- Validate compliance continuously and address issues before they become audit findings.
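Three of the steps above (least privilege access, config drift prevention, continuous compliance validation) come down to comparing what is actually deployed against what was approved. The following is an added example, not code from the article or from Lacework, of how such a check can be written: an approved baseline of account settings is diffed against a snapshot an inventory tool observed today, role policies are scanned for wildcard grants, and the results are ranked by severity. The setting names, role names, resource labels and values are hypothetical and provider-neutral; they are not any cloud vendor's API.

```python
"""Added example: continuous compliance and configuration-drift checks over a
constructed cloud account snapshot. Setting names, roles, resources and values
are hypothetical and provider-neutral.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Approved baseline: the exact settings the security team signed off on (constructed).
APPROVED_BASELINE = {
    "iam.mfa_required": True,
    "iam.access_key_max_age_days": 90,
    "storage.block_public_access": True,
    "storage.encrypt_at_rest": True,
    "logging.audit_trail_enabled": True,
    "logging.retention_days": 365,
}

# Severity if a given setting drifts; anything unlisted is treated as medium.
SETTING_SEVERITY = {
    "iam.mfa_required": "high",
    "storage.block_public_access": "high",
    "logging.audit_trail_enabled": "high",
}

# What the inventory tool observed today (constructed). Two settings have drifted
# and one setting appears that the baseline never covered.
CURRENT_SNAPSHOT = {
    "iam.mfa_required": True,
    "iam.access_key_max_age_days": 180,
    "storage.block_public_access": False,
    "storage.encrypt_at_rest": True,
    "logging.audit_trail_enabled": True,
    "logging.retention_days": 365,
    "network.ssh_open_to_world": True,
}

# Role policies as lists of allow statements (constructed, provider-neutral).
ROLE_POLICIES = {
    "payments-batch": [
        {"actions": ["storage:GetObject"], "resources": ["resource://payments-bucket/*"]},
    ],
    "ops-break-glass": [
        {"actions": ["*"], "resources": ["*"]},
    ],
}


@dataclass
class Finding:
    key: str
    severity: str
    message: str
    expected: object = None
    observed: object = None


def detect_drift(baseline, current):
    """Report every setting that differs from, is missing from, or is not covered by the baseline."""
    findings = []
    for key, expected in baseline.items():
        sev = SETTING_SEVERITY.get(key, "medium")
        if key not in current:
            findings.append(Finding(key, sev, "setting missing from snapshot", expected, None))
        elif current[key] != expected:
            findings.append(Finding(key, sev, "setting differs from approved baseline", expected, current[key]))
    for key in sorted(current.keys() - baseline.keys()):
        findings.append(Finding(key, "medium", "setting not covered by baseline; review and add it", None, current[key]))
    return findings


def check_least_privilege(role_policies):
    """Flag statements that grant every action or every resource; such roles should not stand permanently."""
    findings = []
    for role, statements in role_policies.items():
        for stmt in statements:
            wild_actions = [a for a in stmt["actions"] if a == "*" or a.endswith(":*")]
            wild_resources = [r for r in stmt["resources"] if r == "*"]
            if wild_actions or wild_resources:
                findings.append(Finding(
                    f"role:{role}", "high",
                    f"wildcard grant (actions={wild_actions or stmt['actions']}, "
                    f"resources={wild_resources or stmt['resources']}); scope it down or make it just-in-time",
                ))
    return findings


def evaluate(baseline=APPROVED_BASELINE, current=CURRENT_SNAPSHOT, roles=ROLE_POLICIES):
    """Combine all checks and order findings so the highest severity is addressed first."""
    findings = detect_drift(baseline, current) + check_least_privilege(roles)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def format_findings(findings):
    lines = []
    for f in findings:
        detail = f" (expected={f.expected!r}, observed={f.observed!r})" if f.expected is not None or f.observed is not None else ""
        lines.append(f"[{f.severity.upper()}] {f.key}: {f.message}{detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_findings(evaluate())))
```

Run on a schedule, the same check turns "validate compliance continuously" into a ticket queue ordered by risk, and the unexpected-setting branch catches configuration that was never reviewed at all, which is how most drift actually arrives.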
