Viewpoint, September 30 2021

Think global to fight cyber crime

The new financial order calls for a new cyber strategy based on global collaboration, writes the CEO of the Financial Services Information Sharing and Analysis Centre (FS-ISAC).
Steven Silberstein

Several high-profile supply chain attacks in the last year, including SolarWinds, Accellion, Microsoft Exchange, and Kaseya, have shone a spotlight on the cyber security risk of attacks on third-party vendors to financial firms, their customers and the wider financial system.

These events, as well as visible ransomware attacks against other industries and cross-border attacks such as the distributed denial-of-service extortion wave that hit more than 100 financial firms in 2020, did not happen in a vacuum. A convergence of fast-moving trends is transforming financial services: a widespread move to the cloud, new fintech players establishing themselves on a par with their traditional counterparts, and growing use of cryptocurrencies by institutional and retail investors.

Added to the uncertain economic and social context caused by the pandemic, these trends necessitate a reimagination of the cyber security of the financial system, including how to assess risk, how to attract and upskill talent, and how to collaborate to combat threats at a global scale. In these uncharted waters, swimming alone is not only inefficient, but also virtually impossible.

A new financial infrastructure

According to analyst Gartner, global cloud adoption grew by 40% in 2020, with the top five providers accounting for 80% of the total market. In the past year, many of the global transaction banks announced partnerships and relationships with the largest cloud providers. While the needs of remote working and rapid digitisation of financial services due to the pandemic accelerated the trend, the industry now faces concentration risk, where vast quantities of customer data are held by only a handful of companies.

The risk is such that regulators around the world have put forward proposals and laws to ensure the cyber security and resiliency of the sector. The EU’s Digital Operational Resiliency Act for Financial Services identifies common standards to assess and mitigate technology-driven risks, including those from third-party suppliers. Similarly, the Bank of England’s Prudential Regulation Authority’s Supervisory Statement of March 2021 aims to facilitate greater resilience amid adoption of cloud and other technologies.

In Asia-Pacific, the Monetary Authority of Singapore issued the Technology Risk Management Guidelines for banks and other financial institutions to expand security oversight to include third-party vendors. In the US, the Department of Homeland Security Critical Infrastructure Security Agency announced the Joint Cyber Defense Collaborative with the main cloud providers.

Beyond efficiency and scalability, one reason for the rush to the cloud is to compete with the user experiences of rising fintechs whose technologies are cloud-native. Their digital-first approach has ushered in a new paradigm for financial services and operations. Companies like Robinhood (trading), Wise (money transfers) and Revolut (multi-currency banking and credit) continue to gain ground on traditional financial institutions. All around the world, digital-only banks are securing operating licences. Fintech giants like PayPal and Square, which have disrupted person-to-person payments, are now expanding into cryptocurrencies.

It is vital that the speed at which these players offer new products and services does not outstrip the speed of implementation of cyber security and anti-fraud measures, and that mass adoption does not result in mass risk.

The point of no return

At the time of writing, the total value of cryptocurrencies is about $2tn, larger than the gross domestic product of most countries. According to blockchain data platform Chainalysis, worldwide cryptocurrency adoption jumped more than 880% in 2020. As public sentiment solidifies the place of crypto and decentralised finance (DeFi) in the global financial system, cyber criminals’ interest in crypto is evolving from it simply being their easiest payment option to being a juicy target in its own right. A host of mainly young and unregulated firms enable the custody, trading, tracing and interoperability of cryptocurrencies and their blockchain infrastructure. This nascent ecosystem is also filled with opportunities for cyber criminals to exploit.

According to crypto security firm CipherTrace, around $156m was obtained from DeFi-related hacks in the first five months of 2021. That number was then dwarfed by the $600m hack of cross-chain protocol Poly Network in August. Though most of this was later returned, the fact remains that hackers were able to steal hundreds of millions from just one player, showing that DeFi has concentrated points of risk that threaten trust in the system. The scale of these exploits shows that the need to focus on cyber security is urgent; if left unaddressed, the spectacular growth rates we have seen may abruptly reverse.

Customer trust

Maintaining customer trust is not just an ethical and a legal responsibility; it is the core of the banking business. This is why financial services has a long history of robust cyber security. The mission of cyber security teams is to implement controls and technologies that protect the confidentiality, integrity and availability of customer assets and data, as well as the institution’s infrastructure and operations. These principles are fundamental and timeless.

As emergent business models and technologies are integrated into the larger financial system, there is plenty for new players to learn from the principles and practices that have made possible financial services’ strong cyber defence capabilities to date.

Reimagining risk and talent

While the principles remain the same, there is no doubt that the growth of cloud, fintech and crypto expands the attack surface of the financial system and thus the risk to customers. Financial firms and public authorities need to rethink their cyber security and risk management strategies as well as standards and regulations in light of this. We must think holistically in terms of integration of legacy and new technologies or run the risk of enabling threat actors to exploit gaps and vulnerabilities. The industry must keep third-party risk management front and centre as it builds partnerships with these newer players. Further, cyber literacy at the board and senior management level should be deemed a key skill to prioritise the necessary investments.

In this constantly changing environment, a talent pool with diverse skills is a business imperative. Without a wide variety of different experiences, skillsets and ways of thinking, it will be virtually impossible to stay ahead of nimble and innovative cyber criminals, giving them an unnecessary strategic advantage. With the global shortage of cyber security talent, investment in the next generation of cyber security professionals, with an emphasis both on diversity and advanced technical skills, is fundamental to safeguarding the industry and society at large.

A global fincyber community

As the scope of financial services expands and new players enter the market both as competitors and partners to traditional financial institutions, the industry must recognise that it is undergoing a technological, cultural and generational shift that is rapidly changing the way it conducts business and the types of customers that it serves. This understanding must inform both business and cyber security strategy to ensure a cyber secure and resilient global financial community.

The only way to keep this increasingly complex and constantly evolving system secure is to collaborate both at a global level and within smaller circles of trust aligned to geographies, industry verticals and specific threats. As competitive as the financial sector is, one common threat is the loss of trust in the sector’s ability to keep customer assets and information secure.

Global cyber intelligence-sharing ensures that a threat that begins in one region can be prevented and defended against in another and allows well-resourced cyber security programmes to share their expertise with less mature ones. By sharing intelligence on cyber threats as well as best practices as the system evolves, the global financial system – and the billions of people who depend on it – can remain resilient even in an environment of constant change.

Steven Silberstein is CEO of the Financial Services Information Sharing and Analysis Centre (FS-ISAC).
