The evolution of cybersecurity

Regulators have introduced new regulations and enhanced existing standards to ensure that the industry is adequately prepared against potential attacks and are able to restore operations expeditiously and completely

The element of cybersecurity should be intrinsic, not only to the nature of the company, but as an element of the products that are built based on current technology

Cybersecurity that financial institutions need to assimilate is the need to involve all the relevant stakeholders.

”Cybersecurity in the digital age”, held as part of the Future of Finance Summit 2018 in Beijing, reinforced the importance of bolstering cybersecurity policies and practices, as the industry becomes increasingly digitalised, opening institutions to potentially more catastrophic attacks.

Recent incidents bring this into sharp focus and indicate that the situation may have become worse. A breach at the central bank of Bangladesh, where hackers used malware and fraudulent orders on SWIFT to send $81 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York to Rizal Commercial Banking Corp in the Philippines. In January 2017, hackers attacked Lloyds Banking Group, crippling its digital services for its customers for two days.

Regulators, in response, have introduced new regulations and enhanced existing standards to ensure that the industry is adequately prepared against potential attacks and are able to restore operations expeditiously and completely, even when defences are breached.

Recognising the potential disruption to operations and customers and the damage done to the reputation of institutions, cybersecurity is no longer the sole concern of IT or risk management departments or managed by the lower echelons of the company but is discussed and deliberated at the highest levels of organisations.

Cybersecurity has been elevated to a boardroom level

Roeland van Zeijst, a former Digital Crime Officer at Interpol, recognised the progress banks in elevating the discussion of cybersecurity to the boardroom: “It is a major leap because it means that in the boardrooms of those financial institutions, people at the right level are able to actively discuss things.” He goes on to highlight the importance of the role of CIO and CISOs in the company.

His sentiments were echoed by Wan Zulhamli, the head of the Strategic Research and Advisory department of Malaysia’s science and technology ministry who opines: “Cybersecurity is no longer an IT issue, it’s a board room issue. The top management of any institution should play a role or should focus their strategy to embed cybersecurity in their institution as well.”

He adds that the element of cybersecurity should be intrinsic, not only to the nature of the company, but as an element of the products that are built based on current technology. This was emphasized by Stéphane Nappo, Global Chief Information Security Officer & Board advisor of SociétéGénérale in that incorporating cybersecurity from the start of the development of any project is essential to “ensure the sustainability of the service”

The international dimension of cybersecurity

“In the digital age, this is a global issue” a sentiment expressed by Ying Han, Policy Director of the United States Information Technology Office. It is reflective of the international dimension of cybersecurity currently.

This necessitates collaboration between financial institutions and between counties, as Nappo expresses “I believe that security officers must share more than hackers today.”

The current example that was brought to light was the establishment of the General Data Protection Regulation (GDPR) that sets out laws on data protection and data privacy in the European Union regarding collection and processing of personal information. The importance of data, both in its demand and protection, can be seen in the breach occurring in Canada in May 2018, involving the Bank of Montreal and Canadian Imperial Bank of Commerce that had the personal and financial information of around 90,000 of its customers stolen.

Van Zeijst describes the framework for such international cooperation by drawing parallels with the Budapest Convention that sets out to establish the definition of cybercrime, the methods of collaboration between law enforcement and internet service providers. Lastly, it explain how law enforcement can coordinate with counterparts across borders.

This is pertinent, given the international aspect of cybercrime that has emerged, as described by Nappo: “They achieved the digital transition on the dark side of the mirror with crime as a service in Russia, Asia and even France. It costs $15 to $30 to attack, and millions of dollars to protect. That’s why we have to integrate that new dimension.” This was seen in 2017 when seven large banks in the UK, including Santander and the Royal Bank of Scotland was forced to shut down or reduce operations after a cyber-attack using software costing a mere $14 (GPB 11).

The need for involvement of all stakeholders

Another aspect of cybersecurity that financial institutions need to assimilate is the need to involve all the relevant stakeholders. This was highlighted by Nappo in his metaphor of making the act of driving safer, stating the need to involve all the related aspects and parties.

This was echoed by Han that “there should be a lot of stakeholders involved in the discussion. It also links back to the sentiment expressed that cybersecurity should be integrated into all levels of the organisation, as well as the every stage of development of any project or product.

The nature of banking continues to evolve, as does the importance of data protection with increased regulations such as the GDPR. Cybersecurity is thus evolving and growing in importance in the financial institutions around the world.