DebtX Analytics Insights: Holistic Approach to Cybersecurity

On March 21, 2022, the White House warned that Russia could be planning to launch cyberattacks against U.S. infrastructure, having previously warned about the Russian government’s ability to attack U.S. companies. While Russia’s invasion of Ukraine has put the entire world on alert on many levels, this headline news amplifies cyber security threats that have existed and been growing for many years, whether from Russia or other bad actors. According to Trend Micro, a global cybersecurity leader, during the first half of 2021 it blocked 47% more threats year-over-year, including a 1,318% increase in ransomware attacks in the banking industry, which it listed as the number one targeted business segment.[1]

Now more than ever, it is critical for financial institutions and their partners, including vendors, to follow a holistic approach toward cybersecurity to protect against existing and new threats. A holistic approach means embracing a security-first culture and incorporating best practices through governance, business policies and procedures, personnel training, and of course, advanced technology security infrastructure and tools.

DebtX Analytics works with banks and other financial institutions. A decade ago, only the largest institutions conducted vendor assessments. The review scope was limited and typically satisfied by sharing the results of basic third-party audits such as application vulnerability assessments (AVA) or penetration tests. The pendulum has swung dramatically, and this is no longer acceptable. Today, virtually every client has a robust vendor management and assessment process and requires us to satisfy a broad spectrum of requirements prior to doing business.

On the technical end this includes assessing issues such as multifactor authentication (MFA), encryption methodologies for data at rest and in transit (e.g., FIPS 140), accessibility (WCAG), static and dynamic code review, penetration testing, disaster recovery testing, ethical hacks, and other technical infrastructure reviews. But it’s not enough to satisfy just these technical requirements. Vendor assessments delve deeper into corporate policies and procedures, personnel training and monitoring, and other internal risk management controls, along with their monitoring and reporting. The starting point is typically a SOC 2 report, which defines criteria for managing client data based on five trust service principles (security, availability, processing integrity, confidentiality, and privacy). Simply put, our clients have invested in their own holistic cybersecurity compliance regimes, and we are required to mirror their culture so our clients can rely on us as a trusted partner.

The days when a business unit head at a bank or other financial institution could simply choose a vendor and move forward are gone. Whether our client is a large global institution that conducts three different security-related audits per year, or a smaller client engaged in a one-off transaction, demonstrating a robust cybersecurity regime is now the table stakes for doing business with banks and other financial institutions.
