Cybersecurity has been identified as one of the top five risks the financial services sector is facing. In a sector where trust is critical, what needs to be done?
At the recent GovWare conference held in Singapore, much discussion revolved around the risks government, financial and healthcare organizations face in the new digital reality – and how collaborative cybersecurity efforts are the answer.
In the digital economy, cyberthreats have become an unavoidable business risk. At the sidelines of GovWare 2023, CybersecAsia posed some questions to Jason Harrell, Managing Director, Operational Technology Risk and Head, External Engagement, DTCC.
What are the most pressing cyberthreats facing the financial services sector today?
Jason Harrell (JH): Cybersecurity is identified as a top five risk facing the financial services sector. According to DTCC’s 2023 Systemic Risk Barometer, cyber risk was ranked third behind geopolitical risk & trade tensions and inflation. The financial services industry continues to see advanced, persistent, and well-funded attacks against the ecosystem. This is a trend that is expected to continue.
The maturation of the financial markets has put continued pressure on financial institutions to effectively manage this risk. There are three primary elements that increase the potential impacts of cyber threats within the financial services industry: interconnectedness, new/emerging technology and third-party/supply chain.
Interconnectedness: The financial markets are more integrated and connected than ever before, therefore operational impacts in one section of the financial markets, if significant, may create impacts in other parts of the financial system. While interconnectedness brings many efficiencies to financial markets, there is still opportunity for potential risk.
New Technology: Financial institutions continue to find ways to use new technology solutions such as cloud, AI and blockchain to develop new products and services or to enhance existing products and services. While this has several benefits to the financial services sector, including, diverse financing streams that increase financial inclusion. This may introduce new risks or change existing risks. These risks must be understood and addressed.
Third-Party/Supply Chain: Financial institutions use third parties to deliver certain portions of their products and services. When these providers support critical business operations, financial institutions apply additional analysis on the providers risk and resilience capabilities. However, if a material cyber incident causes an outage or impairs the service of one of these providers, it can impact several financial institutions.
The theme of the recent GovWare conference is: Fostering Trust Through Collaboration in the New Digital Reality. How is the financial sector collaborating to find solutions to cyber risks?
JH: Financial institutions continue to collaborate with financial authorities, their peers, standards bodies and government agencies. Cyberthreat actors excel at information sharing and collaboration, therefore, financial institutions must equally excel at this.
Financial institutions are partnering with authorities to understand changes to the threat landscape as well as to identify where rule changes, new rules or guidance or additional principles may be needed to address risks. Firms are also assessing how these changes may be best applied to enhance the required to manage the new threat landscape. Further, financial institutions are conducting industry-wide exercises to better understand potential weaknesses across the sector and to identify potential solutions to these risks.
Finally, organizations, such as Sheltered Harbor and Cyber Risk Institute (CRI), can also provide solutions to address industry challenges.
Sheltered Harbor provides a data vaulting framework and specifications that financial institutions may use to securely store data which can be used as another form of defense against severe data attacks. CRI partners with financial institutions, trade associations and financial authorities to enhance the FS Profile.
The FS Profile maps regulatory obligations with industry-accepted frameworks to ease the administrative burden of demonstrating compliance across numerous cyber rules and guidance across jurisdictions. DTCC serves on the board for each of these organizations to support the development of initiatives across the financial sector.
How are new and emerging technologies impacting the risks faced by financial institutions?
JH: Technology has a central role in a financial institution’s capabilities to deliver products and services but also to manage risks. For example, cloud technology has provided additional capabilities for financial institutions to enhance their resilience and consistently implement security across networking environments. Financial institutions also leverage cloud technology to foster innovation and to re-imagine financial services in the new digital age.
However, commonly used third-party providers, such as within the cloud may create concentration risk, where incidents may impact several firms simultaneously as well as increase the surface area where a firm can be impacted.
AI has a promising future in the financial services sector, as firms continues to assess new ways is to introduce AI more prominently. AI is already used in credit, lending, asset management, and other financial services and represents some initial wins for this technology. Generative AI has recently received larger attention for its potential benefits and challenges. As it pertains to cyber risks, AI can be used to increase the visibility of threats to the computing environment. It is already being integrated into cyber risk management tools used to protect firms.
However, for all of its benefits, it is also likely that this technology is being used to generate new malware by threat actors with lower skill levels than current threat actors.
Governments obviously have a role to play in managing cyberthreats and risks. What can governments and the financial sector do to better partner and collaborate?
JH: There are a number of opportunities to enhance government-financial sector collaboration. First and foremost, it is important to note that threat actors are sharing tactics and criminal activities with each other each and every day.
To stay one step ahead, governments and firms need to continue to share information. Without it, we will never be as effective as the threat actors we are up against. However, to advance in this area, there are a few opportunities.
First, additional legal frameworks and protections should be put in place to ensure anonymity of the firms’ providing the intelligence. Doing so can help to cultivate a more productive sharing arrangement that protects firms while obtaining the information needed to protect markets, organizations and underlying investors.
Second, a closed loop mechanism is needed. It is important that the industry understands how and when firms’ information will be used and ensure it is protected by government entities. At the same time, it is important for firms to understand whether the intelligence has been actioned, as well as whether there are additional steps firms should be taking to bolster protections and capabilities.
Financial institutions and government entities continue to collaborate, and they continue to evolve their efforts as threats and the potential impacts of these threats change. Conferences like the GovWare conference provide a platform to advance these conversations.