SIFMA Execs Reemphasize Best Practices for Combatting Cyber Risk
SIFMA technology and financial operations directors warn of rising concerns over cyber risks "tied to remote work, AI-powered deepfakes, and overseas contractors."
In a Pennsylvania + Wall blog post, SIFMA's Head of Technology, Operations, and Business Continuity and its Managing Director of Financial Services Operations emphasized that insider threats—whether "accidental, negligent, or malicious"—continue to pose serious risks to financial institutions. They stated that "most incidents (up to 80%) are unintentional," but recent examples illustrate the rising complexity and sophistication of such threats.
The executives cited FINRA's 2024 publication, Insider Threat Best Practices Guide, as still a "timely roadmap for building resilient programs."
- On Governance and Culture: SIFMA recommended building cross-functional teams across HR, IT, Legal, and Security, with board involvement and a "security-first culture." SIFMA stated that tools such as anonymous reporting channels and enhanced vetting of remote hires are encouraged.
- On Detection and Monitoring: SIFMA advised firms to use technology and behavioral analytics to monitor "high-risk users" and detect anomalies, including "AI-enabled threats like deepfakes."
- On Incident Response: SIFMA emphasized the importance of clear classification, escalation, and post-event audits to improve readiness and recovery.
- On Metrics and Reporting: SIFMA said firms should establish insider risk metrics, conduct regular audits, and report trends to risk committees or boards.
- On Legal Compliance: SIFMA reminded firms that programs must align with US privacy laws (e.g., ECPA, FCRA) and adapt to global frameworks, including the GDPR and India’s DPDPA.
- On Staying Ahead of Threats: SIFMA flagged AI’s "dual role" as both a potential threat vector and a defensive tool and urged stronger third-party oversight.
The SIFMA executives advised that firms must move from "reactive to proactive" security strategies.