Responding to the evolving cyber threat landscape in the financial services sector
Dale Waterman
Governance, Risk, Compliance, Responsible AI, Data Ethics, ESG, Data Protection, Digital Transformation
Introduction
Financial institutions have been facing increasing levels of cyber-attacks for a number of years. For cybercriminals this makes complete sense. Banks have money. Banks hold huge volumes of rich data. No pun intended. And only the largest banks have the resources to maintain leading-edge cybersecurity during a period when cybercriminals are constantly evolving sophisticated methodologies and leveraging powerful new technologies like cloud computing to launch their attacks. According to research by ITSP Magazine, financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries, and the average data breach cost was $7 million per breach in 2017. Add that it only takes one successful attack to cause enormous damage, and it is obvious why banks quite naturally worry about that big breach incident. Customers bank with institutions they trust, and they leave banks when that trust is broken.
The biggest change to the cyber threat environment for the financial services sector is not only the increase in the scale, frequency and sophistication of attacks, but also the identity of the actors and their objectives. Hackers are no longer maladjusted teenagers, hacktivists or even organized crime syndicates, but more frequently state-sponsored entities. Global geopolitical tensions are clearly on the increase, and with them the accompanying cyber threats targeting critical national infrastructure, causing geopolitical disruption and negative reputational impact, are on the rise.
What is ultimately required to protect against cyber threats and ensure greater resiliency is a proactive, holistic, risk-based approach that systematically and rigorously assesses the risks and mitigates them across the enterprise, both for core and peripheral operations, as well as throughout the chain of supply-chain partners, third parties and market participants. It involves approaching cyber security with humility, knowing that security can always be improved, especially when facing a determined, unpredictable adversary.
The impact of digitization and customer expectation
A 2017 survey conducted by PwC indicated that 46% of bank customers were “omni-digital”: those who prefer to interact with their bank digitally, whether by desktop computer, laptop, tablet or mobile phone. This means that there is a trend to deliver innovative financial services products through digital channels with intuitive customer interfaces, supported by AI or auto-complete functions, accessed through the user’s mobile device or tablet. Developments like contactless payments using smartphones and wearable devices, or bill payments using single-click technology, certainly offer benefits to customers and satisfy a financial organization’s competition and innovation agenda, but they also introduce multiple endpoints and increase the so-called “attack surface”.
Cyber security trends
While the threat landscape continues to evolve, in a recently co-authored white paper we identified the following trends that have started to develop[1]:
- Increased use of AI, machine learning and automation to identify, manage and respond to cyber security threats;
- The development of password-less systems and biometric tools to reduce the risk of human error and the plague of password re-use;
- The use of Blockchain and Smart Contracts to increase trust and certainty between counterparties and reduce vulnerability of applications and platforms;
- Deploying intelligence-driven threat protection: using data to identify, categorize, prioritize and report vulnerabilities, remediate risks and learn from previous events;
- The constant evolution of international standards to define a uniform, consistent approach not only for IT infrastructure but also for IoT and automation;
- The growing need to share threat-data between financial institutions and market infrastructure providers, as well as government agencies;
- Recognizing the key role which people and culture play in a sound security strategy;
- The growing legislative and regulatory framework driving increasingly prescriptive requirements across the Middle East, Latin America, Asia and Africa (to mirror those in Europe and the US);
- Adopting security as a key design principle in the development of applications, networks and systems (not just a bolt-on or afterthought);
- Taking a risk-based approach to cyber security and data management.
Security and privacy
Despite ever growing concerns surrounding the security of data and critical market infrastructure, very few jurisdictions have passed specific cyber security laws. Data privacy laws tend to focus on the privacy, security and availability of “personal data” and do not necessarily regulate the integrity of systems or platforms which underpin core banking and treasury applications, payments, trading, order management, clearance or settlement systems which are critical to the effective operation of banking and financial markets.
There is a school of thought that argues that the current double-click focus on privacy, including GDPR and CCPA compliance and their global variations, is taking some of the organizational focus away from cybersecurity. I personally see them as complementary disciplines. This perspective is reinforced by the new international standard for a Privacy Information Management System, ISO/IEC 27701[2], or PIMS, which is built on top of ISO/IEC 27001, the most widely adopted international standard for information security management. If we broadly accept that privacy depends on security, then similarly ISO have made it clear that PIMS depends on ISO/IEC 27001 for security management, so that certification for PIMS cannot be obtained independently of it.
Conclusion
Financial institutions need to implement a sound cyber strategy which keeps pace with the constant drive to innovate and disrupt, with the increasingly prescriptive demands of regulators and the rapidly escalating geopolitical threat. This strategy must embed a holistic governance model which recognizes that people (not just software and systems) are a key part of the defence strategy. At the same time firms need to recognize that cybersecurity is a shared threat and work closely with one another, and with regulators, government bodies, trade associations and international organizations to share threat intelligence and best practices.
If you would like to learn more about the evolving cyber threat landscape in the financial services sector, including the changing legal and regulatory landscape, operational resilience and our thoughts on the topics of concentration risk and security in the public cloud, please access the white paper co-authored with global law practice Eversheds Sutherland here.
[1] https://www.eversheds-sutherland.com/global/en/what/practices/commercial-it-law/whitepapers-application-of-cloud-services.page
[2] https://www.iso.org/standard/71670.html