The financial industry in short is one of the top targets for criminals, facing a constant onslaught of banking trojans and botnets, large-scale denial-of-services attacks and data breach attempts against global banking giants, community and regional banks, credit unions, money transmitters and third-party service providers. But federal regulations meant to improve its security profile are actually having adverse operational effects, according to new research.
A survey from Radware and IDG has found that 87% of those surveyed in the financial service industry agree that current regulatory changes are very important or critical to keeping their companies and industry secure. And, 80% of respondents place a critical or very high degree of importance on the federal government imposing stricter regulations around application and network security. In total, 84% said that they expect network and applications security to be more tightly regulated by the government over the next 12 months.
However, complying with those regulations comes at a cost. Survey respondents revealed that revenue loss (58%), business disruption (57%) and productivity loss (54%) ranked highly as the biggest consequences of new federal guidelines for the financial services sector.
In fact, four in 10 respondents stated that federal regulations were adversely affecting bottom line results, causing a significant impact to IT CAPEX and OPEX. In order to manage new guidelines, respondents cited investing in new or specialized technologies as the most common approach (53%) to currently dealing with these issues, followed by changing security processes, protocols and mandates (49%) and creating new security models (47%). And 43% said they assigned extra budgets, with an average increase of 14%, to address new federal regulations.
However, all of that said, organizations are aware that the investments have to be made. The survey uncovered that 35% of respondents expect the frequency of cyber-attacks to increase over the next year, while 44% anticipate the number of attacks to remain the same. Unauthorized access (48%), theft of IP (47%), sabotage (47%), and worm and virus damage (46%) were cited as the most harmful attacks to the business.
Overall, loss of revenue (39%) tops the list of expected negative outcomes resulting from a cyber-attack, followed by loss of customers (38%).
"Companies are implementing numerous strategic changes in order to remain compliant with new regulations and guidelines," said Janet King, senior vice president at IDG Research Services, in a statement. "Despite the significant cost to their businesses, most respondents agree that regulatory changes are critical in keeping data and personal information safe from the wrong hands."
In fact, 58% of survey respondents have filled out a Security and Exchange Commission questionnaire for compliance in the past 12 months. And, interestingly, 63% of respondents indicated a willingness to adopt application and network security best practices from another industry.
"It is imperative that companies, not just the financial services industry, do everything in their means to not only mitigate cyber-threats, but also to comply with emerging industry regulations in order to optimally protect their networks, applications and data – and most importantly, their customers," said Carl Herberger, vice president of security solutions for Radware, in a statement. "Although these responses quantify the growing importance of network security and indicate a clear desire for regulation, there is still more needed to be done in terms of cybersecurity education and implementation across all industries. By learning from other industries and working with peers, companies can implement technology and protocols that reduce the risk of a cyber-attack while limiting the impact to their bottom lines."
On the education front, it’s clear that there’s more work to be done. The survey also uncovered that while nearly all claim to be very or somewhat familiar with new guidelines, a substantial number, both in financial services and other industries, are still unaware of the specific regulations that would impact their business, such as the Federal Financial Institutions Examination Council (FFIEC) Joint Statement on DDoS Cyber Attacks and Risk Mitigation.
"Radware conducted this survey to investigate what organizations are doing in response to current regulatory changes that essentially were enacted to safe-proof their networks from future, potentially even more detrimental attacks," said Herberger. "While companies are taking the right steps to adjust to the ever-changing regulatory landscape, institutions need to be better informed on the specifics of new laws in order to implement the most cost- and resource-efficient measures."