This OODA special report focuses on the Financial Sector. It is written both for firms that are in the sector who are seeking competitive advantage and for firms in other sectors that can use this awareness for strategic planning (all our market based special reports are available on our OODA network resources page).
As a market-based assessment, this special report will be of most use when read in conjunction with the functional and technical research we provide OODA network members, and we provide contextualized recommendations for related research throughout this report.
The Financial Sector contains companies involved in activities such as banking, mortgage finance, consumer finance, specialized finance, investment banking and brokerage, asset management and custody, corporate lending, insurance, financial investment, as well as companies engaged in real estate management & development.
The largest firms in this sector are highly recognized brands like JPMorgan Chase, Wells Fargo, Bank of America and Citigroup. Insurance firms in this sector include American International Group and Chubb. But large or small, all firms in this sector are connected by a concept of trust. When firms in this sector violate trust they are penalized by the market and, in cases where laws are violated, by governments.
Innovation in Financials Today:
For the last 30 years the financial systems of the world have been digitizing, moving towards a world where all value can now be represented by ones and zeros. It is like they took the script from the movie “Hackers” and turned it into a blueprint. In the movie, Cosmo described the financial system this way: “The world isn’t run by weapons anymore, or energy, or money, it’s run by little ones and zeroes, little bits of data. It’s all just electrons.” The screenwriters also used Cosmo to deliver a warning to us all: “There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!”
The good news is that the early move to digitizing everything has put the financial sector on a footing to accelerate innovation. The bad news is there is a continuing need to seek out and mitigate risk from cyber attack.
- Accelerating technological change has enabled creativity in how customers are supported. Banking is now mobile and accessible anywhere on the globe. Moving value can be done with little friction.
- Financial firms have traditionally been hard for tech firms to work with, but the community has very consciously been seeking ways to accelerate innovation, including with FinTech firms. Startup FinTech firms can disrupt old models and parts of old businesses, and savvy competitors will seek ways to leverage these disruptive firms.
- The innovations in the sharing economy came about because of trusted financial systems that enable multiple parties to strike rapid deals for value exchange.
- Most financial services firms today leverage cloud-based software as a service for applications like CRM, HR and financial accounting. Many have at least done proofs of concept with core applications in the cloud, but this move has just begun.
Cybersecurity in The Financial Sector:
The entire financial sector needs trust in order to operate. This fact means there has always been attention paid to cybersecurity. The largest firms are known to spend huge amounts on security (in 2019 JP Morgan CEO Jamie Dimon said they are spending $600M per year on mitigating cyber risks). Adversaries are still seeking ways to attack them and there is still a chance the big players will be surprised, but this is causing adversaries to shift tactics and move more of their focus to mid-sized and smaller financial institutions.
Our recommendations for cybersecurity in the financial sector:
- Every firm in the sector really needs to be a member of the FS-ISAC. This is a tremendous source of information and also provides a means of trust based networking with other professionals in the industry.
- Data from assessment of breach reports via the Verizon Data Breach Investigations Report indicates top vectors of attack in this sector are via web applications, privilege misuse and exploitation of common errors. This just underscores that complex systems like those in the sector will always have vulnerabilities. Organizations should have good response plans in place.
- Data also indicates credential theft leading to privilege misuse is frequently done via malicious bots. Phishing is also a key concern. Organizations in this sector need to think through how they can mitigate risks of these attacks even when they occur on devices owned by clients.
- The financial sector has issues with insiders exploiting access for crime. This will probably always be the case, but to put it in context, there were only 45 confirmed breaches associated with misuse of privileges.
- Organizations should monitor and log access to all resources as a deterrent and also for forensics.
- All businesses in the sector should ensure executives have a baseline understanding of cyber threats as well as geopolitical threats and technological risks. We provide a plain English daily threat brief designed to improve this awareness. Sign up at The Daily Pulse.
- All firms, large and small, should leverage outside experts to evaluate security. This type of external assistance can include review of plans, policies and architecture. External red teaming efforts should also be leveraged as an independent way of evaluating comprehensive security programs. Contact us for more insights into all aspects of assessments including red teams.
Enhancing Innovation in the Financial Sector:
- Although the sharing economy started with cars and hotel rooms, expect this type of approach to spread to many other segments of our life. Innovators in the financial sector will find ways to support these new financial based innovations for consumers.
- Decentralized asset ownership is a trend all firms should evaluate for support.
- Models for blockchain use are at play right now and we expect continued innovation using distributed ledger technology.
- Financial firms will leverage better customer intelligence to enable enhanced service. All firms will have at their disposal insights into what products and services every customer wants. This will include insights from customer use but also heuristics and AI and external data feeds.
- Financial services firms should track other sectors and the drivers shaping their future since greater customer service can come from a deeper understanding of customer needs.
- Expect advances in robotics and AI to drive more “re-shoring” of manufacturing and expect a need for financial instruments to enable this.
- All financial firms should accelerate transition of workloads to public clouds. This technology has had some hiccups (including the 2019 loss of data by Capital One through an AWS engineer who exploited complex configurations). However, COOs and CIOs will find ways to mitigate risks and improve configuration control and accelerate the move to the cloud.
- Cybersecurity has been a topic in this sector for over 30 years. It will continue to be so.
- Financial services must prepare for a world where change in technology is constant.
For Businesses Seeking To Serve the Financial Sector:
- In most every case, businesses in this sector have a very low tolerance for risk. They want products and services that work and do not increase risk. They should reduce risk. Be sure you are able to articulate how you do that. Additionally, after you provide clear information that indicates you can reduce risk vice introduce new risks, you should not expect a fast and easy sell. You should expect to conduct a proof of concept or prototype level engagement to see how your capabilities work for the firm you seek to support.
- Serving this sector will require an understanding of the important compliance rules in the sector.
- Firms selling IT or security capabilities should understand the importance of cultivating a champion in the firm. A person who really understands your offering or technology can help.
- Be fluent in the technologies of high interest in this sector including Cyber Security, Robotics, Cloud Computing, Quantum Computing, Quantum Security, and Artificial Intelligence.
About the Author
Bob Gourley
Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. He is CTO of OODA LLC, a unique team of international experts that provides board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.