While global cyber regulators rush to catch up with high-speed techno crime growth, the financial industry waits with bated breath…
Amid increasing technology-driven cyber threats on the financial industry, governments and statutory regulators are continuing to tighten laws and increase penalties for non-compliance.
In being slow to respond to cyber threats in the early days, governments are now stepping up on preventative measures — springing an unwanted surprise on certain financial institutions while also giving agile startups a leg up. Firms lagging behind in the cat-and-mouse tussle can sometimes see themselves as victims not only of cyber threat actors, but also of what they view as excessive regulation. This may in turn curtail financial innovation and shift market equilibriums unnecessarily.
So now, we have a trilateral stand-off between cybercriminals (mercenary and state-sponsored alike), governments, and the rest of society worldwide.
How can industry arbitrators such as the Depository Trust & Clearing Corporation (DTCC) help the authorities and the private industry players harmonize efforts in their common goal to fight the criminals and protect market players?
In an interview with the DTCC’s Managing Director (Operational and Technology Risk) and Head of External Engagement, Jason Harrell, CybersecAsia.net received heartening viewpoints…
CybersecAsia: What are the emerging cybersecurity threats that the industry as a whole (worldwide) is tracking?
Jason Harrell (JH): Cyber risks that continue to rise to the top cyclically are ransomware, AI risks, and quantum computing.
- While ransomware is not “emerging” in the revolutionary sense, the frequency of attacks continues to force the financial services sector and other critical infrastructure to develop and enhance strategies quickly to recover their information and information systems from these attacks.
- AI technology has been used across the financial services sector for several years now. However, recent advancements in AI have created a marked increase in the potential use of this technology for fraud and misinformation. These AI advancements have forced financial institutions to develop processes to detect this fraud while generating innovative ways to use the technology.
- Lastly, quantum computing is an emerging risk. Data encryption allows information to travel safely from one location to another using insecure mediums (e.g., the internet). An advanced quantum computer will have the ability to capture and decrypt encrypted data, potentially making sensitive information accessible to nefarious actors. It is important for financial institutions to understand where encryption is currently being used to identify potential business impacts as quantum technology improves.
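The last point above, knowing where encryption is used before quantum capability arrives, is usually tackled with a cryptographic inventory. The script below is an added example of that idea, not DTCC's or the interviewee's tooling: it scans constructed configuration snippets for three hypothetical systems, classifies each algorithm by how a cryptographically relevant quantum computer would affect it (public-key schemes based on factoring or discrete logarithms are broken outright; 128-bit symmetric keys lose margin; 256-bit symmetric keys remain adequate), and ranks systems for migration by how long their data stays sensitive, since traffic captured today can be decrypted later. The system names, config lines, sensitivity periods and the ten-year planning horizon are all assumptions made for the example.

```python
"""Cryptographic inventory sketch (added example, not DTCC's or the author's code).

Scans constructed config lines, labels the algorithms found by their expected
fate against a large quantum computer, and prioritises systems for migration
by how long the data they protect stays sensitive (harvest-now, decrypt-later).
"""
import re

# Constructed sample: system -> (years its data stays sensitive, crypto-relevant config lines).
SAMPLE_SYSTEMS = {
    "payments-gateway": (7, [
        "ssl_protocols TLSv1.2 TLSv1.3;",
        "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;",
        "ssl_certificate_key /etc/ssl/private/rsa-2048.key;",
    ]),
    "sftp-batch": (1, [
        "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512",
        "KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256",
        "Ciphers aes256-gcm@openssh.com",
    ]),
    "archive-store": (25, [
        "encryption_at_rest = AES-256-GCM",
        "key_wrapping = RSA-4096-OAEP",
    ]),
}

CATEGORIES = ("broken", "weakened", "adequate")

# (label, category, pattern). Shor's algorithm breaks RSA, DH and elliptic-curve schemes;
# Grover's algorithm roughly halves symmetric key strength, so AES-128 is weakened
# while AES-256 keeps an adequate margin.
RULES = [
    ("RSA",            "broken",   re.compile(r"\brsa\b", re.I)),
    ("ECDH/ECDHE",     "broken",   re.compile(r"\becdhe?\b", re.I)),
    ("ECDSA",          "broken",   re.compile(r"\becdsa\b", re.I)),
    ("Ed25519/X25519", "broken",   re.compile(r"(?:ed|curve|x)25519", re.I)),
    ("DH",             "broken",   re.compile(r"diffie-hellman|\bdhe?\b", re.I)),
    ("AES-128",        "weakened", re.compile(r"aes[-_]?128", re.I)),
    ("AES-256",        "adequate", re.compile(r"aes[-_]?256", re.I)),
]


def inventory(systems=SAMPLE_SYSTEMS):
    """Return {system: {category: sorted list of algorithm labels}}."""
    result = {}
    for name, (_, lines) in systems.items():
        found = {cat: set() for cat in CATEGORIES}
        for line in lines:
            for label, cat, pattern in RULES:
                if pattern.search(line):
                    found[cat].add(label)
        result[name] = {cat: sorted(found[cat]) for cat in CATEGORIES}
    return result


def migration_priority(years_sensitive, findings, horizon_years=10):
    """Rank a system: quantum-broken public-key crypto protecting long-lived data first.

    horizon_years is an assumed planning parameter; data that must stay
    confidential beyond it is exposed to harvest-now, decrypt-later capture.
    """
    if findings["broken"]:
        return "high" if years_sensitive >= horizon_years else "medium"
    if findings["weakened"]:
        return "low"
    return "none"


def report(systems=SAMPLE_SYSTEMS, horizon_years=10):
    """Combine findings and priority per system into one dictionary."""
    findings = inventory(systems)
    return {
        name: {"priority": migration_priority(years, findings[name], horizon_years),
               **findings[name]}
        for name, (years, _) in systems.items()
    }


if __name__ == "__main__":
    for system, row in report().items():
        print(f"{system:18} priority={row['priority']:6} broken={row['broken']} "
              f"weakened={row['weakened']} adequate={row['adequate']}")
```

Run as-is, the archive store ranks highest: its payload cipher is fine, but the RSA key wrapping around it protects data that stays sensitive for decades. Extending the rule table to certificate key sizes, HSM key types and application-level libraries turns the sketch into the business-impact view the interview calls for.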
CybersecAsia: What are the threats that the industry is not sufficiently accounting for in their cyber resilience plans?
JH: The financial services industry worldwide faces some of the most advanced and sophisticated cyberattacks. To address these attacks, it takes a well-coordinated approach by financial institutions, financial authorities, standards bodies and government agencies to effectively communicate and share cyber and fraud threat information, identify opportunities to “raise the floor” on the collective cyber threat preparedness — and have the resilience to recover from successful cyber incidents rapidly and safely.
As an example, the G7 Cyber Experts Group (CEG) has published a series of effective practices for several cybersecurity areas that were developed by subject matter experts from the public and private sector.
The Financial Stability Board (FSB) has also partnered with the private sector to advance the Format for Incident Reporting Exchange (FIRE). This initiative is an opportunity for financial institutions and financial authorities to use a common framework to share cyber incident information in a way that decreases the operational friction for financial institutions to report this information, while easing the ability for financial authorities to assess and derive learnings from the reported incidents to share insights with market participants.
To enhance the financial market’s ability to recover from successful cyber incidents rapidly but safely, there is a renewed focus on the disconnection and reconnection frameworks necessary to protect the financial markets for scenarios where a cyber incident poses a threat to regional or global financial stability. This effort will markedly increase the industry preparedness to extreme cyber incidents.
CybersecAsia: With major threats escalating, the number of new cyber regulatory actions globally continues to increase. Do you see an opportunity for regulatory harmonization? Until then, what is the current situation in the industry?
JH: The G7’s heightened focus on cyber threats is a significant step towards addressing the increasingly sophisticated and growing cyberattacks against the interconnected financial services sector.
As cybersecurity threats evolve, increased global alignment on principles to enhance consistency and improve information sharing across jurisdictions and bolster cybersecurity defenses is the right step forward. For example, the coordination of cybersecurity principles and information sharing mechanisms ensures a more unified approach to cyber threats and helps to further bolster the industry’s response and resilience.
At the same time, harmonized regulations can create a solid foundation from which the industry can continue to fortify its cybersecurity resilience. Until there is continued evidence of successful harmonization, what is the current situation?
- The evolving cyber threat landscape is driving financial institutions to reevaluate the way information and information systems are protected. For financial authorities, the current rules, guidelines and standards must remain “fit for purpose” to protect the consumer and the financial markets. For example, cyber regulatory text will have sweeping impacts: the European Union Digital Operational Resilience Act plans to set minimum cyber governance, controls and testing arrangements across its member states. This will impact not only financial institutions that operate within the EU but also organizations that provide services to EU financial institutions.
- The areas of impact for financial institutions operating within those regions include third party and supply chain risk management (alongside a register of information for third party suppliers), cyber incident reporting and specific threat-led penetration testing requirements.
- For organizations providing services to EU financial institutions, understanding the evolving needs of EU clients related to the management of third party and supply chain risks will help organizations prepare or adapt to these new expectations.
CybersecAsia: Given the increasing complexity of supply chains, what approaches should the financial industry take to specifically manage and mitigate supply chain cyber risks?
JH: Financial institutions historically have to, and continue to, use third parties to deliver portions of their products and services. When these providers support critical business operations, financial institutions apply additional analysis on the providers’ risk and resilience capabilities.
The proliferation in the use of third parties for technology-based services creates an environment where cyber incidents could impact several financial institutions. To manage this risk, financial institutions must ensure their third parties and supply chains can deliver risk management and resilience capabilities that meet regulatory demands.
The Basel Committee on Banking Supervision (BCBS) Principles for Operational Resilience is one of several approaches that can be used to establish increased expectations for third parties.
Additionally, the Financial Stability Board recently published its final report on Enhancing Third Party Risk Management and Oversight — A Toolkit for Financial Institutions and Financial Authorities that provides tools to help financial institutions identify critical third-party services and manage potential risks throughout the lifecycle of the third-party service relationship.
CybersecAsia: Will new rules and regulations result in possible restrictions on technological advancements in the industry?
JH: New technology has reimagined how financial institutions develop and deliver innovative financial services and products. These changes may result in financial authorities creating new rules or issuing guidance on how to interpret existing rules to manage the potential risks from these changes.
A regulatory environment that encourages responsible innovation and protects against emerging risks will be essential to ensuring that technological advancements continue to drive positive change while safeguarding the industry. To achieve this goal, it is important that financial institutions and financial authorities have an open dialog about how new technology is being used to reimagine these services; the benefits and potential risks that are being considered; and how those risks are being addressed to allow any new rulemaking to grow the financial industry in line with managing risk.
CybersecAsia thanks Jason Harrell for sharing his insights with our readers.