The New York Stock Exchange stands in lower Manhattan on April 15, 2021, in New York City. (Photo by Spencer Platt/Getty Images)
The recent Log4j vulnerability has caused widespread concern across every industry, and the financial industry is no exception.
Recently, SC Media published discussions with top banking executives at Texas Capital Bank and Finance of America, as well as cybersecurity vendor Cybereason. Many financial service institutions (FSIs) are recognizing that Log4j is the gift that will keep on giving this holiday season for weeks to come. Industry experts have plenty to say about how FSIs will work on mitigating the damage of this recent threat, and what it bodes for the future.
Gary McAlum, currently on the board of directors for TAG Cyber Group and a former longtime chief information security officer (CISO) for USAA, pointed out that in the wake of the attention-grabbing SolarWinds attack, Log4j is also “ubiquitous… it impacts everybody in some form or fashion, especially since open source is so commonly used.”
“For the financial sector, it’s a particularly serious issue,” McAlum said. “And I wouldn’t say there’s room for over-confidence.” FSIs of all sizes should be implementing an incident response program to mitigate the potential impact of Log4j, keeping in mind that this cyber event could have ripple effects through third-, fourth- and fifth-party providers. “There is an environment of overlapping controls… which means that [IT security professionals] need to be methodical, and focus a lot of their attention here.”
“The hardest thing is to work through complex supply chains,” McAlum said, adding that financial regulators will also be calling on FSIs as they are going through this, seeking updates and looking to potential exposure and mitigating actions.
“The financial sector has responded well, quick and focused and understanding of the urgency of [Log4j]. Most of the time, when news like this hits, it’s not the first that FSIs are hearing about it,” he added. “They’re getting data from all sorts of sources about vulnerabilities.”
“By the time it’s hitting CNN, the wheels are already turning for most FSIs,” McAlum