One of the most fascinating aspects of the financial services industry is the clash between traditional practice and modern technology.
As clients increasingly demand convenience and connectivity, innovation has become a significant driver of competitive advantage and a key battleground in the financial services industry. A 2016 McKinsey report describes the rise of digital innovators as a “significant threat to the traditional business models of retail banks.” Banks and other financial institutions must adapt, or risk being left in the dust.
Breakthroughs in blockchain, artificial intelligence, and machine learning continue to invent new services, and to reinvent the way traditional services are delivered. However, financial services firms are only beginning to discover the real consequence of their choices: cyber risk.
Client Convenience and Cyber Risk: An Inverse Relationship
The Institute of Risk Management defines cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.” At some level of abstraction, the convenience of access that customers demand is inversely proportional to cyber risk. For example, the more access points provided to a bank customer, the greater the network attack surface available to a malicious actor. Likewise, unfamiliarity with newly deployed technology can increase both the internal and the external human attack surface.
A notable number of high-profile financial hacks and breaches have dominated the media in recent years. Just two months ago, American prosecutors announced the indictment and extradition of Russian hacker Andrei Tyurin, the fifth man to be charged for hacking into and stealing some 80 million customers’ data from JP Morgan Chase in 2014. Customer data obtained by Tyurin was subsequently used in a wide variety of illegal activities, including online gambling, credit-card fraud and money laundering. According to the New York Times, the breach was apparently due to the bank’s security team failing to upgrade one of its network servers with two-factor authentication, rendering it vulnerable to intrusion.
Similarly, the 2017 Equifax hack, which exposed the personal data of some 145.5 million customers, resulted in unprecedented reputational damage for the consumer credit reporting agency and the possibility of impersonation by malicious actors. Although precise details of the attack are still being established, CNN reported that the breach came down to a “flaw in a tool designed to build web applications” that was used for Equifax’s online claims portal, which the company knew about a full two months prior to the hack.
Cyber Risk and its Consequences
Financial services firms, including banks and fintech companies, are highly susceptible to malicious activity precisely because of the assets and data they possess. Such assets include money stored in bank accounts, as well as other non-monetary assets and derivatives under management by the bank or firm. Data targeted by criminals include personally identifiable data, customer credit and investment records, and information which may constitute intellectual property.
An array of regulatory compliance requirements apply to financial services firms by virtue of these assets and data. For example, under Section 24 of Singapore’s Personal Data Protection Act (PDPA), organisations must make “reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks” for personal data. In addition to being sued by private individuals, a financial services firm that fails to comply with the directions of the Personal Data Protection Commission (PDPC) could face administrative penalties from the PDPC of up to SGD 1,000,000.
While public attention has focused largely on personal data laws, such as the PDPA and Europe’s landmark General Data Protection Regulation (GDPR), this singular focus is incomplete. The confidentiality, integrity, and availability of other data types also carry regulatory requirements. For example, under Section 47 of Singapore’s Banking Act, licensed banks and their officers in Singapore are subject to an obligation of secrecy with respect to information about customer accounts and deposits. Contravention may be punished by fines and imprisonment.
Likewise, under Singapore’s recently-passed Cybersecurity Act, certain services relating to banking and finance (e.g. clearing, trading, and settlement) are considered “essential services”.
If designated by the Commissioner as “critical information infrastructure”, the computer system(s) designated must undergo bi-annual audits and annual risk assessments, and the owner of the computer system(s) must comply with various codes, standards, and directions issued by the Commissioner. A failure to do so could also lead to fines and imprisonment.
Furthermore, while these requirements are certain for now, there is nothing stopping regulators from creating additional compliance requirements in the near future. In fact, in a Consultation Paper released on 6 September 2018, the Monetary Authority of Singapore (MAS) considered raising six “best practices” in the MAS Technology Risk Management (TRM) Guidelines into mandatory requirements for all relevant Singapore entities. These include:
- Securing administrator accounts through strong passwords, authorised access, and keeping records of such access;
- Addressing vulnerabilities by performing regular checks and applying patches;
- Establishing standards, complying with them, and implementing mitigating controls where compliance is impossible;
- Deploying and regularly reviewing firewalls to restrict unauthorised network traffic;
- Installing and maintaining updated anti-virus software on relevant systems; and
- Implementing multi-factor authentication for all administrator accounts.
Brave New World
No financial institution, no matter how historic or powerful, is safe in this age of digital disruption. While technological innovation continues to digitalise and transform the financial services industry, it is the safety and security of these technologies that determine their long-term viability and success. Cyber risk is therefore a significant consideration in any digital transformation.
To satisfy demanding customers and to comply with regulatory standards at the same time, financial services firms must first understand the applicable cybersecurity requirements, and the landscape of cyber risks which may impact their business. Point-based solutions and piecemeal responses are ineffective in today’s business context; the best strategy must be one that is holistic and comprehensive, covering requirements (regulatory or otherwise) from end to end.
Holistic cyber security involves people, processes, and technology. In relation to people, basic training for breach prevention and detection (e.g. spotting a phishing attempt, restricting access to a “need-to-know” basis) can be provided to employees who deal with sensitive assets and data. This inculcates a basic level of cyber hygiene among those most susceptible to attack, and reduces the human attack surface company-wide.
In relation to processes and technology, financial services firms without in-house expertise can work with a trusted cybersecurity partner to review existing policies, and to ensure their environment is secure from a technical perspective. This could include vulnerability and threat assessments, setting up multi-factor authentication, and automated notifications for suspicious activity. Advice can also be sought on highly-specific regulatory requirements, such as mandatory breach reporting and compliance with government-prescribed standards.
No single cybersecurity solution can eradicate cyber risk completely, and therefore financial services firms should implement effective mitigation strategies to be prepared for when (and not if) a breach occurs. In addition to training or engaging a skilled incident response team to facilitate recovery from and remediation of breaches, financial services firms could consider obtaining “cyber insurance” against losses arising from network failures or deliberate attacks.
The contents of this article are for general informational purposes only, and do not constitute legal advice. No information contained or communicated herein is intended to create a solicitor-client relationship between you and the author. Please contact a practising lawyer for specific legal advice relating to your situation.