Investment Banking and Cybersecurity; People, Process and Technology Tips
Corporate & Investment Banking are high-profile industries prone to sophisticated cyber-attacks related for example to business negotiations on pending M&A transactions or large deals. Physical theft, computer fraud, cyber-attacks and attacks on servers to obtain customers’ personally identifiable information (PII) are the threats that tend to be more common in this sector.* Additionally, with the increased use of technology, the volume of data that can be misused or stolen has expanded, as well as the information access points that cyber-criminals can leverage. Mobile devices, tablets and other technology gadgets especially Internet-enabled or connected devices are now even greater targets to steal data held by senior management and others who have access to sensitive data.
People, process and technology are the linchpins of robust cybersecurity and information security programs, with the human firewall being one of the most important elements. And, it is important to support these foundational elements with an appropriate set of cyber controls that align to a company’s risk profile and based on the industry they are in. For example, companies engaged in financial activities may have higher levels of risk given access to money and client data and therefore may need more robust cyber controls in place to reduce this risk.
Shown below are some best practices to consider across people process and technology to help keep you and your business safe, which is especially important for complex, data-rich Investment Banking activities and transactions.
Ten Tips (People, Process and Technology)
- 1. Provide secure, encrypted methods for sending and receiving sensitive data and don’t send sensitive documents (e.g., M&A materials) to personal email domains and/or upload to unapproved document sharing platforms such as Dropbox.
- 2. Think carefully about who is provided access to sensitive data and systems; is this access truly needed for the role? Less access is better.
- 3. Ensure you have a business continuity plan in place in the event of a data leakage event or cyber-attack with effective backup and recovery processes, especially for critical functions; ensure this plan is updated and socialized with key stakeholders.
- Leverage strong authentication tools and multi-factor authentication (e.g., biometrics, pin code via text) on both personal and work mobile devices.
- Implement endpoint security measures on IoT devices (e.g., voice assistants), mobile, and other digital platforms.
- While it seems basic, strong password management is critical to avoiding a cyber or data incident; passwords should be more than eight characters, easy to remember but hard to guess and not be based off information readily available on your social networking sites. Consider using a password manager to keep your passwords organized.
- Remote work is more common than ever along with the use of personal mobile devices for work. Educate employees on saobile devices updated with the latest software updates).
- Ensure employees know how to escalate/report issues on suspicious activity and that there is a robust and widely communicated framework to do so.
- Train employees to identifyfe information security practices at home (e.g., limit use of work computers in the household, set guidelines for remote printing, turn off Internet of Things devices during sensitive meetings, ensure you log off when stepping away from your computer, keep your m phishing emails; clicking on malicious links or opening attachments may provide a cybercriminal unfettered access to sensitive information (M&A information, client PII).
- Be careful what you post on social media; cybercriminals can use information about you, your friends and your family found on social media to create realistic, highly targeted phishing emails.
In the end, when it comes to keeping your data safe, the human firewall is one of the best protections, no matter what type of business you are in. Since 90% percent of breaches are due to human error, collaboration, intention and negligence,* when it comes to keeping your data safe, investing in the human firewall is one of your best protections. No amount of process or sophisticated technology can offset the simple act of an employee clicking on a malicious link or accidentally sending sensitive information in an email.
*Source – Investment Banking Council of America
This material is not, and should not be, construed as or deemed to be, advice on legal, tax, financial, investment, accounting, regulatory, technology, security, or other matters (collectively, “Advice”). You should always consult your own financial, legal, tax, accounting, technology, security, or similar advisors before changing your business practices or entering into any agreement for our products or services. Your organization is responsible for securing your systems, networks, and data, for determining how to best protect itself against information security threats, and for selecting the best practices that are most appropriate to its needs. MUB assumes no responsibility or liability whatsoever to any person in respect of such matters. No statements made in the meeting presenting this material, or in this or other materials, should be construed as Advice or as pertaining to specific factual situations.”
MUFG Americas
1251 Avenue of the Americas
New York, NY, 10020-1104, United States