TradeTalks

Key Takeaways from Cybersecurity Awareness Month

On Our Radar

As Cybersecurity Awareness Month starts to come to a close, we reflect on the three major themes we’ve heard from business leaders, policymakers and industry experts.

  1. Third-Party Vendor Risk: The threat landscape is complex and dynamic, characterized by a range of potential vulnerabilities and attack vectors, driven by technological advances, regulatory changes, and an evolving global business environment.
  2. Data Governance: As cybersecurity regulations become more stringent and enforcement increases, businesses are forced to prioritize cybersecurity not only as a risk management tool but also as a strategic imperative to build trust with and meet expectations of customers, partners and regulators. This includes adopting higher standards for data protection and investing in new technologies to avoid regulatory penalties.
  3. Proactive and Continuous Risk Assessment: Businesses need to take a holistic, adaptive approach when evaluating and assessing cyber risk and response protocol.


This Week's Guest Spotlight

Aaron Pinnick, Senior Manager, Thought Leadership, ACA Group

 

What are some best practices companies should consider implementing when it comes to data governance?

While there is a lot of ground to potentially cover, strong data governance would at least include policies and procedures that are reasonably designed to do the following:

  • Identify all data the business is using.
  • Evaluate and classify data according to its business purpose and risks.
  • Oversee data usage across the business.
  • Safeguard the firm’s data and ensure its quality and resiliency through technical controls, policies and procedures.

In practice, building strong data governance would include:

  • Signaling a commitment to data governance from senior leaders: Data governance requires a strong signal from senior leaders to help ensure employees are actively engaged in protecting the firm and understand the potential risks/benefits associated with protecting the firm’s data assets.
  • Establishing a diverse data governance team or committee: To help ensure that data governance policies and procedures align with the firm’s business goals, companies should identify key stakeholders from across the organization and gain their input at the early stages. This can include decisions and discussions about topics like data classification, data custody, due diligence and monitoring of third parties with access to sensitive data, and general data safeguarding practices.
  • Inventorying the firm’s data assets: A critical – and often difficult – step in data governance is creating an inventory of the firm’s data assets, their sensitivity, business purpose, access controls, etc. This would include data assets that are controlled by a third party. This inventorying activity will be essential in helping the firm understand how it can best manage the risks related to its data, and it will be an easier task if the firm has completed the previously mentioned steps.
  • Assessing the risk and characteristics of the firm’s data: Based on the data inventory, the firm should assess, monitor and periodically re-evaluate key elements of the firm’s data assets, including data criticality, data quality, data sensitivity, regulations around data and data resilience.
  • Implementing strong data controls that protect the firm’s data while meeting business needs: The data governance team should collaborate on formal standards and procedures that define the proper use, handling, transmission and storage of data based on its risk characteristics. These controls should be designed to:
    • Allow data to be easily available to individuals within the firm that need it, while reasonably safeguarding data from individuals or third parties without a legitimate reason to access the data.
    • Establish policies, procedures, and controls to protect the data from loss or corruption. This includes access controls, encryption, limitations on the transfer/transmission of data across devices or accounts and other data loss prevention controls.
    • Monitor and test data controls to look for potential issues like improperly configured access controls or data that may have been manipulated.
    • Create an incident response plan that provides clear steps for responding to data breaches and incidents, as well as operational disruptions that might make key data assets unavailable.
    • Conduct diligence and monitoring of the firm’s third-party network to ensure that the third parties are appropriately safeguarding and disposing of data.

How are new technologies, such as AI and machine learning, affecting data governance?

AI both complicates data governance and offers opportunities to improve it.

First, there is an increasing effort by governments to regulate the use of AI. Examples include the Department of Justice’s recently revised guidance for corporate compliance programs around the use of AI and the U.S. Securities and Exchange Commission’s proposal on managing the conflicts of interest in the use of predictive analytics. While it is too early to understand what the impact of AI regulations will be, it is another aspect of data governance that firms will need to manage.

Additionally, the use of AI can create unique data risks for firms that must be managed. These include:

  • Corrupting data sources (“poisoning”) or deceptive inputs
  • Issuing false output (hallucinations/bias)
  • Stealing/loss of intellectual property (e.g., source code of proprietary AI models, training data sets)
  • Permitting unauthorized users to access the data informing the AI model, such as sensitive or personal information that is normally restricted (whether by hack or just by accident).

On the other hand, firms cannot ignore the productivity gains that AI technologies offer. When used correctly, AI tools offer compliance leaders unique opportunities to improve data quality and data security with less effort.


Why Cyber Awareness Takes Many Forms

We discuss the evolving cyber threat environment, crypto agility integration, and why cyber awareness takes many forms with:

  • Mark Ferrari, CEO of Latitude Information Security
  • Sara Sendek, Managing Director of Cybersecurity & Data Privacy at FTI Consulting
  • Cameron Dicker, Director of Global Business Resilience at FS-ISAC

How Financial Institutions Are Utilizing AI and Machine Learning Technology to Combat Fraud

We discuss how financial institutions are utilizing AI and machine learning technology to combat fraud with:

  • Micheal Sheehy, Chief Compliance Officer of Payoneer
  • Cleber Martins, Head of Payments Intelligence and Risk Solutions at ACI Worldwide
  • Heman Daswani, Principal Consultant - Payments Group at Temenos

What Bond Volatility May Be Signaling

We discuss what bond volatility may be signaling regarding how the $VIX is acting and if it is election-related with:

  • Scott Nations, President of Nations Indexes
  • Mark Sebastian, CEO of Option Pit

This article was originally our TradeTalks newsletter.