_ _ Infobelt
Why Smaller Firms Are Getting Hammered: Myths of Scale
There is a bit of folklore in most heavily regulated industries, and especially in the financial services industry, that goes something like this: Larger players should worry the most about regulatory compliance and security.
The reasoning is simple: Larger, well-known firms are the ones most likely to be targeted by both cyber criminals and government agencies. Smaller firms—even moderately sized ones—will tend to “fly under the radar” of both, and so can put off investing in technology (RegTech) or training until the time when they have grown big enough to attract attention. In short, worrying about compliance or cybersecurity is a matter of scale, but only in the roughest sense: There are two size classes, bigger firms that need to worry about these things, and everyone else.
The term “folklore” is apt here because this kind of thinking never is written explicitly, but it is assumed by many. And while it might have applied in the past, it is surely not the case now—which means that too many regulated firms are toiling under a false, and risky, assumption.
With Automation, Everyone is On the Radar: The Ransomware Example
So what has changed?
Let’s look at the logic with a specific example: Ransomware gangs that try to gain a foothold in a business to take a chunk of the firm’s data hostage.
Not too long ago, gaining access to critical business systems took some time and diligence on the part of the hackers. They had to either undo the company’s security and encryption, or else dupe an employee into giving up their credentials (easier to do, the more employees there are). Because an attack took time and effort, it made sense for hackers to go “big game hunting”—that is, to try to get the best bang-for-their buck by targeting larger firms with bigger cash flows. That is where the best payoff would be.
What has changed since those days is automation. A ransomware gang can now target hundreds of firms of various sizes, all at the same time, looking for vulnerabilities and beginning spear-phishing attacks to gain system access. They can then focus their energies on those that prove vulnerable, even if the payoff is much less for any one successful attempt.
And which firms tend to be the most vulnerable? It is exactly the small-to-medium-sized firms, because they have bought into the folklore that says hackers won’t bother targeting them. Having bought into the folklore, they don’t take the necessary steps to protect themselves.
Think of it as a contrast between a cat burglar and a gang of street thieves: The cat burglar spends his time trying to pick the lock on a single door, hoping there is a stash behind it. But what the gang of thieves lack in skill and finesse, they more than make up for in manpower: They simply try every door, hoping that, eventually, one will be unlocked. The unlocked rooms might not be as lucrative, but they are also much less likely to have adequate security measures in place, too. Today’s hackers are no longer cat burglars, they are gangs looking for easy scores—and smaller firms are exactly that.
Regulatory Compliance is Playing the Same Game
Ransomware is just one example of a risk to which firms of all sizes are now exposed. A similar logic now applies to regulatory compliance, too.
Government institutions, for a long time, went after bigger firms, believing they would be the most egregious offenders when it came to compliance. Smaller firms would not attract much scrutiny, unless something was directly brought to the attention of regulators.
This is no longer the case, and again, automation is part of the story. For example, government firms are now using automation and artificial intelligence to “find the needle of market abuse in the haystack of transaction data,” using various algorithms to scrape the web for deceptive advertising and capturing red flags that might indicate wrongdoing. They are also using these tools to zero in on accounting and disclosure violations. Regulators can now spot potential problems more quickly and quietly than ever before, and now more small firms are getting MRA letters from regulators, surprised that they are no longer invisible.
This is an importantly different phenomenon from regulatory tiering. It has always been the case that many regulations carve out exceptions for smaller businesses, when strict compliance would be an undue burden on them. For example, health insurance mandates and employment laws have clauses that exclude firms of a particular size. While it can be debated how and when such tiering should occur, the fact is that many businesses fall under the more regulated tier by law, but have traditionally escaped scrutiny because they were “small enough.” Those days are now over.
Beware, Data Scales Quickly
Part of the issue for financial services firms is not only the sheer amount of data they generate, but the kinds of data they generate.
The volume of data generated correlates pretty well with the size of a firm. This makes sense: The larger the firm, the larger the customer base, and the more transactions happen every day.
But the compliance nightmare comes more from the huge variety of data generated by financial services firms, and that variety does not scale: It’s huge, whether you are a small local firm or a large international one. For example, on top of transactional data, a financial services firm might have
- Client personal data (name, address, birthday, Social Security number, etc.)
- Credit information
- Mortgage and loan information
- Contract information
- Email and other logged communications
- Employee personal information and pay information
- Analytics data (based on customer spending patterns, segments, new products, customer feedback, etc.)
- Marketing data (email open rates, website visits, direct mail sent, cost of obtaining a new customer, etc.)
…and much more. That data often resides on different servers and within an array of applications, often in different departments.
This means that, when it comes to complying with data privacy laws, or protecting data with the right cybersecurity measures, size doesn’t matter. The variety of data is a problem for firms of all sizes.
Moral of the Story: Smaller Firms Need Protection, Too. Yes, You.
The folklore says that smaller regulated firms can put off investment in cybersecurity and RegTech simply because cyber threats and regulatory scrutiny will “pass over” smaller firms and land, instead, on the bigger players.
That is no longer the case. Both cyber criminals and government regulators are using tools to spot problems more quickly and easily, and it is worth their while to set those tools to investigate everyone. (We’ll let readers decide which they would rather be spotted by first.) Indeed, small- and medium-sized firms are having a more difficult time now, because it is much less common for these firms to have proactively invested in preventive solutions.
So what do you do if you are a smaller company in a heavily regulated industry? The first step would be to look into technology that can give you the most protection for your dollar. After all, if cybercriminals and government agencies are going to use advanced digital tools, you should too. Having an immutable data archive, automated compliance workflows, and application retirement tools are all a good beginning.
The alternative would be to do nothing, and hope that your turn will not come up. But strategies based on folklore have never been very good at reducing risks—quite the contrary.