ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Cybersecurity - Sponsored Content

As hacks rise, cybersecurity risk management should be top priority

April 1, 2023
Reading Time: 6 mins read

SPONSORED CONTENT PRESENTED BY WORKIVA

According to IBM’s Cost of Data Breaches Report 2022, the global average total cost of a data breach has reached new heights—$4.35 million (but a whopping $9.44 million in the United States)—and 83 percent of organizations will experience a data breach, usually more than once.

Events driving these metrics have swayed the Securities and Exchange Commission to broaden oversight of organizations’ cybersecurity risk management. With finalization of the SEC’s cybersecurity proposal forthcoming, stakes are raised for chief information security officers (CISO) and other risk officers to ensure cybersecurity hygiene is up to speed. To adapt to broadened regulations and keep pace with a shifting cyber-risk landscape, controls need to be embedded into the entire fabric of the organization, not just at the IT level.

Cybersecurity operations are under further watch
Although the SEC is increasing requirements for cybersecurity reporting, broadly speaking, CISOs aren’t concerned about meeting the SEC’s requirements—in fact, they’re looking forward to the proposal’s finalization. The new requirements will not only force executives to examine further insights into enterprise-wide vendor management practices but also increase the practice of presenting cybersecurity-related compliance information to the board, regulators, and investors. Not to mention, the rules may pressure boards to recruit directors with cybersecurity backgrounds.

However, the details are somewhat murky. As written, public companies would need to disclose material breaches even if they’ve been instructed by law enforcement to not do so. And even if breach management is ongoing, companies may still be required to report the incident. Moreover, public disclosure of the current incident may cause the hackers to pivot and launch an even more crippling strike.

CISOs should focus on their risk management programs first because they need to be disclosed in all reporting. However, the proposal’s disclosure requirements for programs are fairly broad. Companies have some leeway in how complex their programs need to be as long as they’re mapped out according to industry-standard frameworks.

Incident response is also critical. Regulators and shareholders will want to see strong opinions on what designates a material breach, when one would be reported, and how that information would be tracked for disclosure purposes.

The tone comes from the top
Cybersecurity threats are as material as operational and financial risks and, to a basic degree, are similar to them. However, board directors don’t traditionally have cybersecurity backgrounds. The acumen to gauge what a risk entails, how to resolve it, and what’s needed from CISOs from a spend perspective often falls short at the board level.

Expanding the board’s knowledge beyond the fundamentals with the help of internal and third-party advisors is essential. CISOs currently present to the board but have limited windows given the scale of evolving complexities and reliance on their digital literacy. A portion of this time should be dedicated to compliance work, program assessments, and training programs. However, these efforts should be a two-way street—teaching directors how to think so they know what to ask.

Equally important is reaching the right cyber-risk appetite with the board in the context of broader strategic goals and shareholder value. CISOs need to continue to validate the role cybersecurity plays in the interests of investors and operational goals and demonstrate the ROI that can be gained.

Diagnose ransomware vulnerabilities
At the governance level, attaining buy-in from executives for prevention resources can be a challenge although it’s critical. Reining in a ransomware attack and building a path back to operations, especially in a cloud environment, require efforts across the entire IT department. And as operations continue to migrate to the cloud, ransomware gangs will hatch more strikes on cloud assets—a threat that companies have been largely insulated from. Having sufficient controls in place and implementing them effectively is key.

As the cloud slowly becomes more of a target, ransomware strategies have evolved. Leadership is now being forced to make more calculated decisions about whether to pay the ransom or not. In the past, ransoms were paid and files were unlocked. But case studies reveal that some ransomware strategies involve exfiltrating data—in other words, even if you pay to unlock the files, your data may still be with someone else, which is an entirely different set of problems.

From a preventive and technical side, containing the blast radius of a ransomware breach is one area that needs improvement. A ransomware virus can spread aggressively through the entire enterprise. Micro-segmentation is a promising solution in patching identity management that can help stifle the threat. With micro-segmentation controls bolstering security, a ransomware breach may invade only one business unit or isolated laptops as opposed to a central source system.

Vet your value chain’s SaaS services
Adopting cloud and SaaS technologies has fundamentally changed data management because data is now spread much broader and deeper throughout an organization’s value chain.

Firms use deployed SaaS and cloud software across the enterprise, so they rely on their vendors’ quality control processes. However, those same vendors and service providers may also use SaaS and cloud solutions, meaning companies are at risk of fourth-party data management flaws. This vast spread of essential data obfuscates visibility into it. Thus, CISOs and other risk officers need to vet a larger volume of data to a safe and acceptable degree.

Still, vendors may not provide the requested data. Small- or medium-sized businesses may only receive compliance documents. Larger organizations with bigger contracts may be able to throw their weight around and demand more data from vendors, but they may charge for the additional checks and balances. In this scenario, whether to acquire the data or not becomes a value proposition based on how vital it is.

There’s recently been a push for vendor ratings provided by rating agencies, such as SecurityScorecard or Panorays, which assess vendors and attribute a risk score to them. Report cards not only provide an indication of service providers’ overall level of security but also open up the market for companies if their current vendors’ risk scores are subpar.

In place of software vendors, firms could opt to build proprietary programs. Nevertheless, developers need to source third-party, open-source libraries to build software, but the open source world wasn’t built for today’s governance standards. A small library plucked from a repository, such as GitHub or NPM, may actually be malicious code that developers could inadvertently introduce to the enterprise, so extra vigilance is needed in this area.

Cybercriminals are adapting
Cybercriminal gangs are exhibiting advanced proficiencies that were once associated with nation-state hackers. They’re not reaching this level on their own but rather through what can be called “Ransomware as a Service” attacks. In this scenario, a separate ransomware gang develops a robust ransomware platform that can be exploited by other cybercriminals, who then deploy the software onto the target’s environment and collect the majority of the profits. The ransomware gang that created the software then receives a portion of the ransom. This new tactic increases cybercriminals’ reach, introducing a novel danger.

As cybercriminals adopt new strategies, there appears to be cross-pollination between cybercriminal gangs and nation-state hackers. These criminal bands operate independently, but when called on by government regimes, they might offer their services, as with the 2021 Russian hacking incident.

Companies are mostly victims of opportunity
From a controls standpoint, breaches often occur because of inadequate segmentation. If a hacker compromised one user’s credentials and everyone has access to the same database, it doesn’t matter whose credentials were stolen. Yet if permissions are appropriately set to limit access based on a user’s role, then the scope of a breach could be muted. But if a central system housing customer financial information is penetrated through a phishing campaign, and a company needs to publish the breach, then this scenario becomes a loud material issue. Your internal response to the threat is paramount, and it can turn a potentially catastrophic situation into a minor incident.

From a user perspective, humans will always be the weakest link. Social engineering and phishing strategies can be quite convincing. Similar to Ransomware as a Service, CISOs are seeing what can be called “Bypass as a Service,” which mimics authentic multi-factor authentication push notifications. The notification pops up repeatedly asking users if they’re trying to log in. After hitting “no” several times, users get annoyed and eventually push “yes” to make it disappear, allowing hackers to infiltrate the host environment. Even with proper employee training, these scams can invite easy access to hackers.

Don’t wait for regulations

The forthcoming SEC proposal will provide a new basis for cybersecurity disclosures, but companies ultimately need to chart their own course. In tandem with developing hacker sophistication, investors’ protections and their disclosure demands will continue to orient regulations. Meanwhile, threats are too myriad and immediate for organizations to rely on clear guidance before acting. Maintaining frequent ties with CISOs and other risk chiefs to drive cybersecurity awareness will help companies preserve a protective moat.

ShareTweetPin

Related Posts

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

Compliance – Sponsored Content
June 11, 2026

SPONSORED CONTENT PRESENTED BY NEXCESS Formal risk programs cover the core. The systems built around it — customer portals, fraud tools, digital platforms, AI models — are outside scope. Examiners are now looking there. Since January 1, 2026,...

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Sponsored Content
June 1, 2026

SPONSORED CONTENT PRESENTED BY SOLIFI Ask any commercial lending officer who manages a dealer floorplan book how their audit data connects to their credit decisions, and you'll usually get a pause. Maybe a wry smile. Then something like:...

A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

Sponsored Content
May 28, 2026

SPONSORED CONTENT PRESENTED BY SS&C BLACK DIAMOND For today’s high-net-worth families (HNW), financial complexity is a given. They expect every aspect of their finances — trusts, investments, tax strategies, philanthropy and more — to connect seamlessly in a...

Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

Compliance – Sponsored Content
May 20, 2026

SPONSORED CONTENT PRESENTED BY NEXCESS The cloud contracts most community and regional banks are running on today were designed for predictable, transactional workloads. AI does not work that way. Every bank now runs AI in some form. Most...

Credit Memos at the Convergence Point

Credit Memos at the Convergence Point

Sponsored Content
May 1, 2026

SPONSORED CONTENT PRESENTED BY MOODY'S There is a persistent paradox at the center of wholesale banking. Institutions have invested heavily in risk models, regulatory infrastructure and data platforms spanning hundreds of systems. And yet one of the most...

Digital Account Opening: Think Outside the Box for Maximum Business Impact

Digital Account Opening: Think Outside the Box for Maximum Business Impact

Community Banking
April 29, 2026

SPONSORED CONTENT FROM JACK HENRY For budget-conscious, resource‑strained community banks, adopting a modern digital account opening platform isn’t just a tech upgrade —it’s a strategic imperative. To secure internal buy‑in, leaders must clearly articulate the operational, financial, and...

NEWSBYTES

ROAD to Housing Act becomes law

July 11, 2026

ABA DataBank: Rates and oil diverge

July 10, 2026

Regulators close Indiana’s Kentland Federal Savings and Loan

July 10, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.