You are the chief information security officer of a large financial institution. You spend tens of millions of dollars annually to secure your organization's network, firewall and endpoints. Unless you focus on security outside your firewall, your efforts are akin to building a fireproof, bulletproof safe with reinforced steel walls – then setting the combination to "1-2-3-4."
That's because banking and financial services firms live by the critical data they collect – customer and member account details, financials, cardholder data, tax information, transaction data and more. As your organization increasingly relies on digital channels (web, mobile and social) for banking transactions and other interactions, it's continuously probed by cybercriminals looking for vulnerabilities to access that data.
In fact, the majority of cyberthreats originate from external sources outside the firewall – more than 80% of them according to the latest Verizon Data Breach and Incident Report. And since the average cost of a data breach for financial services companies is $3.8 million, regulators are rightfully concerned about security in digital channels. Whether they involve direct theft of data or just leverage a bank's brand to commit fraud, breaches can significantly impact profitability and resources.
Examples of these damages come in a troubling array of flavors:
- Direct losses from theft of funds.
- Distributed denial of service attacks that make all or part of a financial institution's web or mobile presence inaccessible.
- Costs from customer or member notification and remediation, such as credit reporting and identity recovery.
- Damage to brand equity and reputation.
- Violations of data privacy regulations, which can result in increased regulatory scrutiny and/or fines at the federal and state levels.
- Lost opportunity costs from time spent addressing or remediating security threats.
So, in December 2013, the Federal Financial Institutions Examination Council issued guidance regarding financial institutions' use of social media (Social Media: Consumer Compliance Risk Management Guidelines). These guidelines note that financial institutions are increasingly using social media to generate business and interact with customers or members. Then, in June 2015, the FFIEC released its Cybersecurity Assessment Tool, stating any financial institution with a meaningful online and mobile presence should be assessed as having a high inherent risk level, and thereby should obtain the maximum level of cybersecurity maturity.
This April, the FFIEC released a new appendix to its IT Handbook called Mobile Financial Services. The new appendix provides guidance that examiners will use in assessing the security programs of financial institutions that use MFS. Taken together, the recent string of FFIEC guidance signals a trend for financial institutions: As your business increasingly extends beyond your firewall, your security responsibilities likewise extend outside the firewall – beyond merely fortifying your perimeter and securing your endpoints.
The FFIEC recognizes mobile channels are critical to increasing customer and member access to financial services. At the same time, the FFIEC notes MFS pose a unique and elevated set of risks related to device security, data security, application security, compliance and third-party management.
Why? Many financial services organizations have greater exposure to mobile threat vectors than one might expect. Members are unlikely to activate security controls, virus protection and personal firewalls on their mobile devices. Also, inherent vulnerabilities exist in the mobile ecosystem, i.e., the decentralized collection of carriers, networks, platforms, operating systems and app stores.
As financial institutions' consumer banking groups, internal business units and institutional banking divisions – not to mention third parties for institution-branded marketing events and sponsorships – continually create new apps and maintain existing ones, app identification and management become almost impossible. With this massive proliferation of apps – both legitimate and fraudulent – that leverage an institution's brand to gain exposure to its customers or members, there is no way of knowing if the apps available in mobile app stores are legitimate or if they've gone through the proper security checks before release.
To navigate this new landscape, security teams for financial services companies need complete visibility and control of their critical financial data, so they can respond quickly to external threats built to defraud their accountholders and protect assets outside their firewall. For proactive compliance with FFIEC guidelines, a strong external threat management program can help combat modern adversaries. Success with external threat management requires a four-step closed-loop process:
- External visibility: Financial services companies must first discover all their external-facing assets by creating a dynamic digital footprint of what their organization looks like online, from the perspective of their attackers.
- External control enforcement: They have to know what's at risk of breach and where it's vulnerable. The speed of modern internet attack campaigns means detection controls must automatically support remediation.
- External threat incident response: They must be able to investigate these threats to expose adversarial infrastructure, with access to comprehensive internet datasets to investigate attacks on digital assets. Modern adversaries deploy sophisticated and complex infrastructure to obfuscate attacks as they pivot across multiple attack nodes.
- Mitigation and remediation: Remediating external threats rapidly helps avoid the worst-case scenario: being alerted to attacks by members.
Arian Evans is vice president of product strategy for RiskIQ. He can be reached at 888-415-4447 or [email protected].
© 2025 ALM Global, LLC, All Rights Reserved.