In the wake of Morgan Stanley's recent massive data breach, one detail became clear: the financial institution had the technology and systems in place to quickly detect and trace the breach, but an employee was still able to access confidential customer information he should not have been able to.
For vendors in the data security realm serving asset managers, banks and other financial institutions, the incident serves as a reminder of the greater roles they now have.
With cybersecurity generating so much attention, vendors say they cannot simply be purveyors of services or products, but must instead stay continuously involved in educating a company about its policies and cyber defense.
"I think vendors have a huge role to play in educating the financial industry about best practices in information security," says Sid Yenamandra, CEO and co-founder of Entreda, a San Mateo, Calif.-based IT firm. "Too often vendors try to sell a product rather than focus on solving a customer problem."
In the last few months, there has been a shift among firms away from procurement to trying to get a risk strategy in place with the help of vendors, says Tom Patterson, head of cybersecurity consulting at global firm CSC.
"They've purchased a lot of stuff, and unfortunately a lot of it is the equivalent of shelfware," he says. "It is not set up right, it is not monitored well. These are real world problems, and it is part of the responsibility of the entire ecosystem - product vendors, service providers and strategists, to all come together. We look at becoming long term partners with clients, because that is the only way to manage risk."
The reason for more engagement with firms is twofold, says Ray Pompon, director of security for Linedata Capitalstream: cybersecurity vendors have expertise to share, and they also need to ensure that they remain competitive.
"After a breach, a bank's customers are going to be made right, business goes on," he says. "But for vendors, a breach means business is over for us, we'll lose all our customers."
According to American Banker, an executive at Morgan Stanley who did not want to be named said the employee gained access to client records by finding a way to run reports in the bank's wealth management software.
The executive said the employee did not hack into the system, but used it in a way he wasn't authorized to. "He figured out how to run internal reports on our systems and he downloaded them," the executive said. The information included names and account numbers, as well as some asset value and transactional information.
Yenamandra says Morgan Stanley is obviously different in its resources and scale than a small broker-dealer representative or money management firm and can afford better protection. Still, he adds, even at a high level there are reasons that breaches occur:
1. Lack of a cohesive work flow when dealing with information (or cyber) security risk management and governance.
2. Inadequate access controls and monitoring services when it comes to critical infrastructure.
3. Revisiting the workflow periodically and training the IT staff and employees.
"There are a number of technologies available to deal with several aspects of security," Yenamandra says. "For example, there are some powerful tools available in the market to perform network access control functions or cyberthreat detection.
"However, technology can only go so far and ultimately to ensure a cohesive end-to-end information security work flow, manual intervention is still required. That's the weakest link in the chain."
Among the areas where a breach postmortem should happen is within company leadership and the relationship it has with its security vendors, Pompon says.
Having investigated a number of breaches, Pompon says that often in financial institutions, "education is missing at the top. The security person's job is to inform upper management about any serious problems, and inadequate controls."
What sometimes happens, he adds, is that upper management takes a chance with cybersecurity policies and tech. "They ask, 'What's the chance of this happening?'" he says. "But cybersecurity is very difficult to understand. You have all the problems of technology and under adversarial conditions."
What Pompon recommends is that financial firms insist on audits of cybersecurity vendors, and that vendors welcome the opportunity to be tested and verified.
"The best way is to audit, and the earlier in the process, the better," he says. "The audit process should now be part of procurement. Have a third party audit done. The biggest question should be, has someone tested your security thoroughly?"
Pompon adds that smart vendors will welcome the extra scrutiny, since, unlike the financial firms they service, cybersecurity vendors are not directly regulated.
"We see it as a tremendous business opportunity," Pompon says. "It allows us to show we can go above and beyond. When customers come, we have years of audits that we can throw down."
CSC's Patterson says among financial institutions, the conversation with vendors is shifting away from hardware purchases and into boardroom strategies.
"The biggest change has really been the attitude shift from governance committees," he says. "Cybersecurity has always been an IT issue, about what products should a company buy, but not nearly enough attention was devoted toward who's going to watch it over weekends and during shift changes."
Vendors have the opportunity to capitalize on the trend by changing their approach with clients to more preventative strategies, Patterson adds.
"Large banks and organizations will continue to have security events. But firms will be graded less on how a person got in, and more about what they did once in. Preparing a response saves jobs, saves money and beats prosecutions."