SECURITY - CLEAR AND PRESENT DANGER
As external threats to security continue to escalate, ensuring financial services operations have scalable, robust and secure infrastructure to operate from is critical.
No organisation wants to lose the trust of their clients by having outages and security breaches and as in all aspects of FS, specialist technology has emerged to support institutions. Working with specialist technology providers allows organisations to feel confident they have the best infrastructure setup required to handle increased demands on their systems, process data accurately and securely, and avoid having to try and shore up legacy systems against ever more sophisticated malevolent attacks. Yet outsourcing the task does not absolve institutions of the responsibility for security – identifying trusted partners and ensuring effective oversight of service providers is vital.
It is clear that the threat of cyber-attack continues to accelerate. The Trustwave 2018 Global Security Report highlighted nearly 15 000 vulnerability disclosures being recorded in 2017. The rise of cheap, mass-computing power has assisted criminals in scaling-up attacks and devising new ways to exploit new products. US$15 billion was stolen from cryptocurrency exchanges between 2012-2017. Malware, ransomware, phishing and software exploits appear to be increasingly sophisticated, often highly targeted and orchestrated by professional gangs and even state actors, creating an environment where FS organisations need to be constantly alert to potential dangers.
Firms must ensure they develop strong relationships with their IT security partners and have robust systems and protocols in place for oversight and monitoring.
As expert security resource has become increasingly scarce and expensive, there has been a growth in institutions outsourcing their information security management in recent years. Given the practical impossibility of creating defences which are impenetrable, best practice in information security has moved toward detection and response. One note of caution though is that the median time between intrusion and detection for externally detected compromises was 83 days in 2017. That could be a potentially catastrophic delay for some organisations, eroding trust with clients and impacting reputation in the market negatively. The security of services provided by outsourced contracts, including cloud hosting, remains the responsibility of the institution. Firms must ensure they develop strong relationships with their IT security partners and have robust systems and protocols in place for oversight and monitoring. Typically, institutions are demanding tighter SLAs from outsourcers to protect themselves and defend against breaches.
Greater oversight of outsourced arrangements is only likely to increase as new regulation imposes significant penalties on institutions for breaches by their outsourcers. In Europe and beyond, GDPR legislation requires companies to report cybersecurity breaches to customers within 72 hours of an event occurring. Under GDPR, much more draconian fines will be imposed if a breach takes place. It has been predicted that European FS companies could face over £4 billion in fines in the next 3 years because of data breaches.
Unsurprisingly, there have been many new solutions and providers who have emerged in response to this growing demand for expert services. For example, Panaseer enables companies to automate their data processes and visualisation to assess risk and improve cyber “hygiene”. Securonix uses machine learning and big data to detect insider threats, cyber threats, and fraud activities in real time. Cylance, acquired by Blackberry last year, utilises artificial intelligence, algorithmic science, and machine learning to proactively detect and prevent threats to the devices it manages. Veridium’s solutions integrate with existing corporate authentication infrastructure allowing employees or customers to verify their identity with biometrics from a mobile or web app.
With the growing proliferation of threats, institutions clearly need to have frequent, regular upgrades/patches to maintain optimum defences against ongoing attack and to adopt a proactive strategy based on prevention as far as is possible. While the ISO27k series of standards, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, provide best practices for information security management systems, utilising outsourced service providers offers an easy way to ensure access to latest versions of software and security solutions.
Utilising outsourced service providers offers an easy way to ensure access to latest versions of software and security solutions.
To ensure outsourced relationships are as effective as possible, institutions must create comprehensive oversight arrangements ensuring the right contractual SLAs are in place to leverage new solutions and technologies to manage their security risk and controlling data that is shared with third parties.
Cybersecurity is now of critical importance to all FS institutions. Despite the seemingly endless number of threats they face, a combination of trusted partnerships with specialist providers, comprehensive oversight of the relationship(s) and encouraging staff to be ever-vigilant about the dangers that exist should place firms in the best possible position to defend their infrastructure and systems against attack.
About John Yonker:
John Yonker was appointed to chief executive of Simplitium in September 2018. Prior to joining the firm in 2016, John’s background was in Equities technology. During his 9 years at Credit Suisse (New York / London / Singapore / Hong Kong), he progressed to regional management positions for European and Asia Equities IT Trading and Execution. John then spent 4 years at Macquarie (Hong Kong) as regional Asia IT Operations manager before completing an MBA at HEC Paris (entrepreneurship specialisation) . Upon graduation, he joined Simplitium to develop Simplitium’s insurance service (ModEx) and thereafter filled the role of COO.