Cybersecurity focuses on the cloud, insurance, third-party risks

10th Annual RSM New York Investment Industry Summit

Among the most pressing cybersecurity issues facing financial managers is the decision whether and to what extent to move data to the cloud.

The cloud effectively lets companies rent computing power without the need to update software, maintain hardware or plan for surges in use. The cost savings are significant enough that some 30 percent of financial services firms have migrated at least some back-office functions to the cloud, a figure expected to rise to 65 percent by 2020.

When it comes to fixing cybersecurity breaches, however, the cloud actually increases costs—by 20 percent to 25 percent if the firm shares a public cloud with other companies, and by 10 percent to 12 percent for a private cloud. The reason is that the company and the cloud provider both must investigate the breach and reconcile their controls.

Managers weighing a move to the cloud should consider keeping mission-critical operations, such as authentication mechanisms, in-house.

Prevention beats insurance

With the average cost of a breach at $400,000 for firms of $500 million to $1 billion in sales, according to the 2017 NetDiligence Cyber Claims Study, many companies are buying cybersecurity insurance.

As breaches multiply, however, insurers increasingly require extensive documentation to demonstrate that security infrastructure is up and running. Payouts can take at least 18 months.

While insurance is good to have, it should be the last line of defense. Companies can go a long way toward preventing breaches and minimizing their impact by consistently applying a few basic preventative controls:

  • Ensure timely security scans and software patches
  • Train employees to recognize threats; use surprise random testing to drive the lessons home
  • Review authentication and authorization controls every three to six months
  • Practice integrative risk management (e.g., establish a dashboard to connect internal auditors, the cybersecurity team and information technology staff)
  • Know who is touching company applications

Third-party risk

Companies must safeguard customer data accessible by third parties, as highlighted by the recent $1 million settlement of the SEC’s first enforcement of identity theft protection rules.

That judgment was the result of a 2016 incident that could serve as a guide for how not to handle authentication and authorization. Criminals impersonating third-party contractors persuaded staff to reset passwords and security questions over the phone, ultimately gaining access to full Social Security numbers or government IDs for at least 2,000 customers.

The breach dragged on for three days because of insufficient training and failure to follow written procedures, the SEC said. While no theft of funds apparently occurred, the criminals had obtained the ability to withdraw cash.

Among the lapses listed by the SEC: The advisory firm had not substantively updated its identity theft prevention program since 2009, despite evolving threats, changes to its risk profile and similar previous breaches. As for the third-party contractors, the SEC found that they often failed to click on the activation links for security scans emailed to them by the advisory firm’s third-party security provider.
