
04 Aug 2021






The relentless race against cybercrime

Cybercrime has been relentless in the financial services industry, but the pandemic created an explosion of opportunities for financial services companies to rapidly accelerate digital transformation

Cybercrime is a massive issue for the financial services industry. Financial services are prime targets for criminals, whose goal is to gain access and control over transactional systems, confidential data and user account information. However, the COVID-19 pandemic has created opportunities for companies to enhance their digital transformation.

Security is an issue that continues to exist because criminals will carry on with their work as long as something is worth breaking into or stealing. In today’s cyber age, robbing banks with balaclavas and weapons is no longer necessary. Cybercrime is a major risk for many industry players as it can harm someone’s security and financial health, and it can all be carried out over the internet.

It is therefore not surprising that people believe cybercrime to be one of the top three risks for the financial services industry. In the most recent DTCC Systemic Risk Barometer Survey, 54 per cent of respondents cited cyber risk as a top five risk facing the financial services industry, adding that cyber risk is “always an underlying threat”.

Numerous respondents also highlighted growing cyber risk due to increased remote working environments as a result of the pandemic.

Andy Schmidt, global industry lead for banking, CGI, suggests that it is incumbent on banks and vendors to identify the best security stance and understand what their key assets are.

By understanding this, banks and vendors are then able to understand where their key entry points are, and the vulnerabilities of the infrastructure.

“If done correctly it lets everyone sleep at night and gives clients confidence that their accounts are being looked after and the infrastructure is sound. It’s as much of an opportunity as it is a necessity. My hope is that security capabilities will continue to advance, and my expectation is that security will always be a top three concern for the foreseeable future,” says Schmidt.

BT’s Alex Foster, director, insurance, wealth management and financial services, reaffirms this. She says: “Cybercrime is without a doubt one of the top three risks for the financial services industry.”

“During the pandemic, cybercrime increased in all sectors, with phishing, brute force and ransomware attacks increasing by 600 per cent, 400 per cent and 200 per cent respectively.”

“Within the financial services industry, cybercrime has been relentless. The pandemic created an explosion of opportunities for financial services companies to rapidly accelerate digital transformation onto evermore IT-centric platforms as they transitioned to remote working. This alongside the increase in electronic transactions, mobile banking and the use of cloud has led to vectors for cybercrime multiplying,” explains Foster.

A catalyst for changes

Despite the relentlessness of cybercrime, the pandemic has arguably been a catalyst for changes in cybersecurity practices. As many people are having to work remotely, and from different locations, the need for cybersecurity has come to the fore.

During the pandemic, many companies had to put in place safety measures to mitigate the risk of a cyber attack.

However, DTCC says it had already developed pandemic resilience plans and conducted table-top and other exercises which allowed it to react and respond quickly.

“We were pleased that the security procedures, practices and approaches we had in place held firm. The training and the systems we implemented were particularly important because 95 per cent of our colleagues were working remotely,” comments Jason Harrell, executive director, operational and technology risk at DTCC.

For CloudMargin, the COVID-19 pandemic did not necessarily change access patterns to its platform for clients, as they tend to already make use of CloudMargin’s capabilities to filter where their employees can connect from.

CloudMargin works with some of the largest financial institutions in the world — with highly sensitive trade data — and continues to strengthen a platform to service companies of all sizes. Therefore, meeting rigorous standards is of strategic importance.

“We have improved and established patterns for more security validations in our processes, started a security community of practice where we openly discuss security news, capabilities and other themes, and are further strengthening our email security,” says Mario Platt, vice president, head of information security, CloudMargin.

Additionally, amid the pandemic, the role of the chief information security officer (CISO) has changed. Whereas before CISOs were viewed primarily as an organisational control function, CISOs now play an integral part in business enablement and the strategic adoption of new technologies, as they are accountable for managing one of the most critical risks on any board’s agenda.

BT’s recent whitepaper, ‘CISOs Under the Spotlight’, shows that 58 per cent of business leaders say improving data and network security over the past year has been crucial to their organisation and continues to be a key priority this year.

In order to implement new measures and procedures, as a result of the pandemic’s impact on cybercrime, cybersecurity must be embedded in all the business and technological processes of any organisation, including the back-office.

“As the saying goes, it takes a village to build insecure software. It is not just an engineering problem,” says Platt.

The two key elements in the back-office are traceability and visibility. Traceability relates to requirements to trace and meet standards applicable to each firm. This includes regulatory, contractual and business requirements. Then it is about ensuring they can be traced from conception through to continuous validation, leveraging system integration and metadata.

Meanwhile, visibility means a focus on reducing feedback loops, not just for engineering teams (providing immediate feedback on code security, secrets scanning or insecure dependencies) but also on how that connects up to backlog management by product owners and risk aggregation for senior management.

Platt suggests we should be focusing on building an information environment which is conducive to informed decision making relating to cyber risks.

Over at SmartStream, Harsh Choudhary, global head of risk, affirms: “The issue of security in the context of deploying and running more and more solutions and services in the cloud for back-office operations is gaining prominence with our customers.”

“We understand and hear from financial institutions about their strategic objectives in achieving better outcomes for their end-customers, saving costs and lifting productivity from efficient processes, all in line with making a secure back-office.”

“These goals are high on the agenda for back-office functions with a heightened sense of system security, reliability, availability and scalability.”

Defence against cyber crime

The pandemic has amplified the need to ramp up security measures and there are a number of ways to do this.

Many firms have implemented a cyber security programme that should be proportional and based on the size, type and complexity of a firm’s business operations, markets and products traded, and interconnectedness within the financial markets.

According to DTCC’s Harrell, financial institutions should consider a number of factors when implementing a cybersecurity programme, including supervisory and regulatory obligations, the threat landscape, and their alignment with industry-accepted cybersecurity frameworks.

Meanwhile, there is a range of risk monitoring tools to help combat cybercrime, such as intrusion detection tools. Even basic measures such as tracking authentication failures (how many times a person has entered an incorrect code to get in) can prove invaluable.

“Proper authentication at the front end can solve a lot of challenges within the infrastructure,” says Schmidt.

Schmidt cautions that blockchain is still a bright shiny object and the industry needs to figure out what problem they are looking to solve and whether or not the solution is scalable.

“You need to ask ‘how big is the need? How complex is the need? What tools already exist? Who am I looking to share it with, and what types of permissions do I need?’. It could be something as simple as sending an encrypted file through an encrypted portal and sharing information that way, which works fine. But if the information needs to be shared with a consortium, a portal might not be as fast or easy,” he says.

Weighing in on this, CaixaBank’s chief technology officer Alberto Rosa states: “There are certain cases in which new technologies have helped implement cybersecurity techniques but there is still a very important part of the work that is based on maintenance and continuous ‘fix the basis’. It is important to blend both approaches.”

Foster adds: “In theory, blockchain has the potential to bolster cybersecurity by being a decentralised and immutable ledger of transactions. However, while in theory blockchain itself remains a system that is thus far immune to hacking, the processes around cryptocurrencies utilising blockchain are vulnerable.”

An evolving future

Cybersecurity will continue to evolve in the future because crime is likely to always remain a top issue.

Some experts have predicted that the cloud will be one key way of combating crime.

Schmidt says: “There is one fantastic misconception that the cloud is cheaper; often it is more expensive, at least initially. When you look at the ongoing cost of making changes to code, updates, scalability, resilience, you can, however, get a lot for your money. This is why you are seeing so many solutions being deployed in the cloud. For example our payments solution is cloud-native and already has a dual-cloud deployment for resiliency reasons.”

For DTCC’s Harrell, the cybersecurity pillars — identify, protect, detect, respond, and recover — will continue to be relevant as we move into the future.

“We anticipate increased global collaboration between the public and private sector to ensure a consistent baseline of protection and mitigation strategies against sophisticated threat actors,” says Harrell.

Rosa predicts: “It is foreseeable that cybersecurity will grow in importance, being a strategic aspect for all companies, not only due to the direct costs that cyberattacks can pose, but for their indirect effects.”

“Cybersecurity covers aspects that go beyond technology and involve the whole business. Cybersecurity has also become an enabler of new projects and business. Most recently, it has become evident that customers demand it in all the bank’s products and channels.”

From Platt’s perspective, security practices and applications are moving to a model which is integrated into operational and development practices, which must be supported by different types of skills and approaches.

Collaboration, facilitation and enablement need to be the central themes in taking advantage of these evolving patterns.

“The criminals will keep attacking our systems with evolving threats, and as such, adoption of resilient technology patterns with short-lived systems, distributed architectures and adoption of serverless architectures are patterns which will do more for security improvements than most of our security tooling combined,” concludes Platt.

With a range of tools and methods to select from, the industry has become increasingly aware of the dangers of cybercrime and the ways in which to prevent it. Taking a preventive approach is key.
