By Toby Sibley, cyber security expert at PA Consulting.

Financial services firms that have struggled with security challenges over the last few years should buckle up for even greater trials in 2022.

It is a staple of reality TV that nearly every show includes a voiceover saying that this week the hapless contestants will face their biggest challenge yet. There will then be a shot of a distressed looking contestant being put through their paces. Many IT leaders in financial services might share this feeling as they progress through 2022, which will encompass navigating diverse issues such as nations using cyber to snipe at each other, to a lack of staff to fix security issues. Yet leaders will need to master these trends to steer their organisations into calmer waters. Here are the trends in cyber security that might provide the biggest challenges to financial services firms next year.

Hybrid warfare 

Nation-states engaged in antagonistic relationships are increasingly using cyber warfare as a means to apply pressure, coerce or subvert their adversaries. Cyber warfare is often opportunistic, looking for weaknesses to exploit rather than focussing on specific organisations. Banking and finance organisations associated with a particular country might find themselves targeted simply through being perceived as representatives of a state. With global tensions ratcheting up between Russia, China and the West, this could be a source of threat for many in the finance community. Organisations need to update the threats they prepare for to take account of hybrid warfare.  Just because you don’t think you are political target does not mean that an attacker has the same view.  Firms faced with well-resourced adversaries’ intent on causing blunt damage as a means of applying pressure should focus on their operational resilience maturity to help mitigate risks.  For example, firms will want to ensure they understand what business services are important to them and their clients and have robust recovery processes in place to cope with malicious incidents.

Helping the workforce to be even more cyber-savvy 

With cyber-attacks against individuals intensifying and hybrid working here to stay, criminals are having to use more sophisticated ways of spoofing communications in order to obtain access or payment details, leaving financial services organisations under pressure to put more effort in place to train and support users. This will see greater use of synthetic learning environments, where training will feel more real than ever before and with the use of decision support tools that help spot fake communications. Firms will also need to expand on their security awareness training to adapt to a workforce operating from a home environment that lacks many of the security controls associated with the office.

Cyber-skills shortages  

In July 2021, the Information System Security Association annual survey reported that more than three-quarters (76%) of organizations admit that it is difficult to recruit and hire cybersecurity staff, with nearly one-fifth (18%) stating it is extremely difficult. The future demand for specialist security skills will force up wages and limit the capacity of firms to bring in new IT in 2022. Firms will be forced to engage in a ‘war for talent’ if they want to secure critical IT or compete for the services of cyber security firms offering professional services or solutions. Firms should also expect to have invest more in nurturing junior staff to create a pipeline of experienced professionals in the future.

Everything as a standard 

Rising costs of security infrastructure, a lack of skilled staff and a need to simplify compliance will drive firms to seek out standard-based solutions. Banking and finance organisations will no longer engage with a DIY approach to security but will seek to adopt standards that will reduce costs and increase interoperability across the organisation. In the vanguard of this trend will be cloud providers that will continue to commoditise security services and compliance activities to offer a viable solution to industry problems. Financial services organisations should also expect to see greater levels of network, systems and data segmentation which limits the “blast radius” of an attack across their organisations.

Pricing cyber risk

Many firms already struggle to price cyber risk or to gauge the level of insurance protection required. To help manage this issue, financial services organisations should expect to see the risk assessment industry take a step up in terms of its sophistication in determining losses. Next year may also be a good year for specialist insurance companies, as many firms will seek to back the risks of major cyber incidents onto insurance companies. Insurance firms will take an interest in assessing cyber security maturity of firms, as well as their third parties, as a means of calibrating the premiums that they will need to pay. For many CISOs, this will be an opportunity to finally demonstrate to the Board that good security is cost effective.

Financial services firms know that risks related to cyber security is growing. There is also a growing recognition that firms need to build up new security capabilities, train up their workforces and forge links to organisations that can help to quickly shore up their defences. Yet the question will be, how many of them will rise to the new security challenges in 2022?