According to Ponemon Institute’s 2015 study, all industries fall victim to cyber crime – but some fare far better than others. Unfortunately for financial services organizations, they top the list as the biggest victim, paying an average cost of $13.5 million on cyber crime in 2015.  

Cyber crime risks that are still keeping security officers up at night include: 

  1. The growing sophistication of cyber criminals to not just steal people’s information, but also mold it to create completely new identities so they can conduct fraudulent transactions. 
  2. The impact of de-risking – a risk-based approach to assess customer relationships rather than exit entire business lines – given the new anti-money laundering rules forcing banks to make tough choices about where they decide to do business. Essentially, more time must be taken to understand customers and weed out the potential criminals.  
  3. The push to combat terrorism financing – banks must make more effective use of available data to identify so called “heightened risk” individuals. Compliance staff must be more vigilant than ever not just to follow the rules, but understand how regulators are interpreting the rules.   

Given that this isn’t just a problem in the United States, there is a lot of customer data on the line. A breach at J.P. Morgan Chase & Co. compromising the data of 76 million households is just one harrowing example of how far reaching a cyber attack can be.  

With sensitive customer information flowing amongst branches of banks and potentially third-party partners and vendors worldwide, what should you do to ensure you’re not next?  

Looking across the response of other financial services organizations, two pieces of the data security puzzle – mapping and measurement – have come to the fore.  


At the ALM CyberSecure conference in December 2015, Ed McAndrew, assistant U.S. attorney specializing in cyber crime investigations at the U.S. attorney’s office for the district of Delaware, urged attendees to create data-flow maps to show where hand-offs to outside partners occur.  

Sometimes, you have to mirror what criminals may do in order to fill any gaps. This is exactly the intention here. McAndrew said on a panel at the conference this kind of mapping “is exactly what cybercriminals do”.  

The lessons of the Target breach, where data belonging to approximately 70 million customers was accessed by infiltrating a refrigeration contractor’s systems, was in the forefront of conference attendees’ minds.  

Bank of America’s merchant services group, which handles transactions with Visa and MasterCard, requires detailed information from third-party partners. While time consuming and intricate, JoAnn Carlton, general counsel for the merchant services group, told attendees that it was an important exercise for managing security and risk related to sensitive customer information.  


Bank of America also developed a set of metrics to improve cyberattack prevention, detection, and mitigation. While data analytics aren’t a cure all, measuring specific security areas can better position the bank to stop or respond to problems, Catherine Bessant, chief operations and technology officer for Bank of America, recently told the Wall Street Journal.  

The bank’s cybersecurity metrics include tracking how frequently system scans are performed, counting the potential problems that are found during those scans, and the amount of time to identify and get rid of trouble. Studying the correlations among these metrics allow the bank to better tune its processes.  

It’s a dangerous assumption to believe you are in the clear if you are ticking the boxes for Payment Card Industry (PCI) compliance. While implementing mapping and measurement is a good start, it is imperative you create and execute a comprehensive strategy – including risk assessment, defensive posture, response plans, and more.   

Learn what you need to add to your data security playbook – and how we can help – by downloading the free banking report on our website today. 

Written by Rob LaMear, CEO, US Cyber Vault

Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community.  Receive our next issue by signing up here.