Cybersecurity is much more than the technology buzz that surrounds it. What does it take to survive the threats of the cyberworld?

As an industry whose supply chain deals in money at every stage – the raw material, the work in progress and the finished goods – it is no surprise that the financial services industry attracts the highest attention of cybercrime perpetrators. Industry estimates peg the cybersecurity market of financial institutions in the US alone to exceed $68 billion by 2020, reportedly the highest of any industry, with cybercrime affecting more than 800 million people every year. Yet the question that gets lost in all of this is: how much of this can be addressed with technology alone – firewalls, data protection, DMZs and encryption layers – and is there a people angle that needs immediate attention?

The needle of operational risk in the digital banking world is expected to swing significantly towards people and away from processes – especially when a third of the global population will be using their mobiles to transact, involving direct customer engagement. Furthermore, changing customer behaviour and expectations play a critical role in driving innovation and the adoption of new-age fintech solutions hosted on the cloud. All of these increase the cyber vulnerability quotient, and there is therefore an urgent need to be sensitive to a few implications:

  • The eco-system is increasingly connected. And this connectivity is primarily digital. What this also means is that personal, financial and sensitive data is being shared every moment on the cyber highway.
  • Storage of data and execution of transactions are not limited to bank premises. They are extended to third-party players, and also with public cloud computing on a large scale. Territorial definitions are becoming blurred.
  • The sphere of vulnerability is not limited to employees; it extends across the eco-system to partners, contractors and, most importantly, customers. Every node that is connected can be a target.
  • Fintech innovation, e-wallets and new ways of paying, while promoting convenience, also pose a risk and attract perpetrators to design ways to break in.
  • Just as new modes of banking emerge, so do new types of fraud. It is not just vigilance and precaution, but also adaptation to the new world, that may hold the key. A good lead indicator is the phenomenal growth of cyber insurance over the last three years.
  • And lastly, threats are not from amateurs, but from professionals. Pirates are not just individuals, but well organised, syndicated, skilled, virtual organisations. The cyber threat landscape is changing by the day, and it is a flat world – it doesn’t need physical presence to commit a crime in a given place.

If, for a moment, we recognise that cybersecurity transcends tools and involves people who need to be engaged, then the lens through which cybersecurity is viewed can yield very interesting, and valuable, insights. Crystallising them as the 4P mantra (the terminology borrowed from, and credited to, Kotler’s marketing principles), we look at what the CEO’s outlook on cybersecurity could be, without getting inundated with technology buzzwords.

Prepare: forewarned is forearmed

In an era when applications are increasingly hosted in the cloud, and the modes of communication, transaction and fulfilment are digital end-to-end, the vulnerability only multiplies. A security scorecard report, for instance, estimates that 20% of financial institutions are still using email service providers that remain severely vulnerable.

The core issue, however, may not be the technology alone, but building the right degree of awareness among people – both employees and customers. A chain is only as strong as its weakest link, and this is no different when it comes to cybersecurity. So when customers or even employees fall prey to phishing attacks, where perpetrators impersonate another individual or institution to seek either data or, worse still, a financial transfer, the solution may lie not only in quarantining such emails, but also in the continuous education of users. It’s about building a risk-alert culture, one that has a higher degree of caution and one that rewards the avoidance of accidents. This involves building a culture of training, continuous learning and awareness across the enterprise.


Pre-empt: a stitch in time can save more than nine

Fraud management systems are geared to predict cybercrime in real time, simulating millions of scenarios that connect the dots between employees’ behaviour, customer and account profiles that are either dormant or hyperactive, and suspicious transactions, and determining what could be fraudulent – all in a matter of seconds. The reality, however, is that only large banks can afford to invest in large-scale technology applications. Hackers looking for client data would naturally find smaller institutions a better hunting ground. Yet complacency can be disastrous, as attacks can quickly grow to global scale. The NotPetya ransomware attack in Ukraine in June 2017 is a good case in point – it quickly assumed global proportions, also impacting the property arm of a European bank.

Adopting pre-emptive technologies is not only about simulating situations and mitigating data or financial loss, but also about ensuring the frontline team is well oriented about the value of the information assets, and building a continuous testing process that helps improve incident response. Ultimately, what matters is how long a breach remains undetected, as detection time is directly proportional to the degree of impact: the longer it takes to detect, the greater the loss.

Protect: prevention is better than cure

When PNB, the public sector bank in India, reported a $2 billion fraud two years ago, it made industry experts sit back and reflect. There was a lot of analysis of what went wrong. However, the one thing all could agree on was this: it was a classic victim of a crime that could easily have been prevented, if only the alarm bells that rang had triggered a course of action – be it connecting the SWIFT terminal to the Core Banking platform, or enforcing the policy norms of job-rotating its employees. All of these are apparent hygiene checks, of course, more so in hindsight. One of the key takeaways for all banks from this experience was the need to define the ownership of cybersecurity governance in a bank. Who owns this?

Well, security is everyone’s business, but the buck always stops right at the top. It is therefore imperative that the CEO sees the threat as an enterprise business model risk, not just a technology risk. And that implies integrating cybersecurity and layers of protection for information assets at an enterprise-wide level.

Penalise: sparing the rod can also spoil the bank

Never before have banks had such large compliance teams, nor been so wary of the multitude of new compliance requirements, well beyond the regular central bank-driven returns. Consider this: the General Data Protection Regulation (GDPR), the Anti-Money Laundering Directive (AMLD), FATCA, Basel III, International Financial Reporting Standards (IFRS), and the list grows. Under the new GDPR norms, failure to protect customer data can reportedly cost banks up to 4% of their annual revenue. And this has a cascading impact, at least on a bank’s psyche. The cyber-threat posed by the BPO industry can be quite large if not managed proactively. Deterrence plays a strong role in minimising untoward accidents. A hefty punishment for an erring employee plays a critical role in establishing the seriousness of cybersecurity, even more so when the transaction lifecycle extends beyond internal employees to external contractors and third-party agencies.

As one of the most quoted industry adages goes, there are two types of companies: those who have been hacked, and those who just don’t know they already have been! And it is better to be a part of the former and be aware than to remain in the dark. The last thing that ignorance will ever be in such a situation is bliss.

To read more such insights from our leaders, subscribe to Cedar FinTech Monthly View
