The digitisation of financial services continues at a relentless pace but brings with it the challenge of managing customer data and the ever growing cyber security risks.
The digitisation of financial services continues at a relentless pace. Financial services players are increasingly innovating and opening up more channels to market for their customer base - whether it be the delivery of financial products and services through web, smartphones, tablets, social platforms, video or any other number of channels.
It is about responding to customer demand for a seamless, real-time, 24/7 service. Those players that fail to embrace such opportunities risk losing their customers - the very lifeblood of their business.
Yet with this embracing of “all things digital” comes the challenge of managing customer data and the ever-growing cyber-security risks - a challenge which is not to be taken lightly given the potential cost and reputational ramifications for players, which are significant to say the least.
This article examines the chronic and systemic nature of cyber-security attacks, recommends measures which financial players ought to be putting in place to respond to such threat, considers some of the ways in which cybersecurity is being tackled at an international level, and identifies some of the recommendations which the Financial System Inquiry (FSI) has put forward which go some way to addressing the issue at an industry level in Australia.
CYBER-CRIME HAS BECOME CHRONIC
Data breaches are getting bigger, occurring with greater frequency and becoming more-highlypublicised. The risk to reputation from a data breach or cyber-security attack has never been greater.
A few notable examples of late include:
- The attack on Target in the US last year in which tens of millions of credit card details were stolen through an attack on the organisation’s point of sales systems, colourfully described as “the digital equivalent of BP’s disastrous Deepwater Horizon oil spill.”1
- The 2014 JPMorgan Chase data breach arising from a cyber-attack that was identified in late July 2014 (but not completely halted until the middle of August), ultimately compromised account information for 83 million households and small businesses.
- The high-profile, studio-wide attack of Sony Pictures by a group calling itself the “Guardians of Peace” who claimed to have stolen up to 100 terabytes of sensitive data from Sony - a breach which has been described by Sony as “an unparalleled and well-planned crime.”
As for Australia, it is estimated that over 800 million records were lost last year, mainly through cyber-attacks, and that such attacks are costing large Australian enterprises an average of $8.3 million a year2.
Cyber-crime is now an enterprise-wide risk that cannot be ignored.
And whilst technological and operational measures have traditionally been used to combat this threat, the difference today is that financial services players are custodians of more customer data than ever before (as a consequence of the proliferation of internetconnected devices and systems). We are now also seeing a “low and slow” approach to cyberattacks - with attacks planned over months or years - and involving a level of sophistication which is unprecedented.
THE CONSEQUENCES CAN BE CATASTROPHIC
The impact from a cyber-security attack can be severe.
Apart from the obvious economic impact, security breaches may result in:
- business interruption;
- loss of customer data, or breach of customer privacy;
- loss or theft of intellectual property assets;
- damage to reputation and brand;
- reduced customer and investor confidence;
- share market value being impacted;
- increased regulatory scrutiny; and
- the risk of unwanted class action litigation from affected individuals.
In light of the severity of these impacts, it is imperative that financial services players take proactive steps to manage the cyber-security threat.
CYBER-SECURITY IS NO LONGER JUST A TECHNOLOGY ISSUE
The first step is recognising that cyber-security is no longer just a technology issue.
With the risk and sophistication of cyber-attacks growing faster than traditional firewall and antivirus technology can keep up, technology on its own is no longer enough.
This requires financial services players to adopt “defence in depth” strategies to prevent, detect and respond to security risks - on one hand, deploying technology solutions that focus on preventing and/or identifying breaches and, on the other hand, implementing sound governance, operational and risk management processes and procedures to minimise the damage caused by a breach.
A number of large financial services players also participate in industry-wide exercises that simulate cyber-attacks and enable sharing of response tactics and intelligence on security attacks. Cooperation at this level is, however, an area where much more could be done.
REGULATORY RESPONSES TO DATA BREACHES INTERNATIONALLY
Data breaches are continuing to attract the attention of regulators throughout the world. The trend is towards increased regulation to penalise breaches.
The European Union General Data Protection Regulation, which is on track to be finalised in 2015, will add new requirements for:
- breach notifications to individuals;
- risk assessments and audits by organisations that handle personal data; and
- increased fines for organisations that are compromised.
In the US, President Barack Obama only last month unveiled two cyber-security proposals to counter the threat of attacks, including:
- a national data breach law requiring companies that have been hacked to reveal it within 30 days if personal data may have gone3; and
- a proposal to make it easier for companies to share intelligence about cyber-security risk and breaches without incurring liabilities that might otherwise arise4.
And whilst Australia does not currently have mandatory data breach legislation, there is increasing international pressure for it to move in that direction. Legislation aside, there may well be an imperative to inform affected customers of a breach in circumstances where the impact or harm to them is serious. Failure to do so could have dire consequences were the affected individuals to find out about the breach in circumstances where there had been a failure by the organisation to disclose.
LOOKING INTO THE FSI
There are 3 recommendations within the FSI’s Final Report which are relevant in the context of the above discussion.
The first is Recommendation 19 - that the Australian Government commission and the Productivity Commission review the costs and benefits of increasing access to and improving the use of data. Whilst this recommendation is designed primarily to look at ways in which the better use of data can drive competition and improve user outcomes, it may also be used to look more broadly at the issue of sharing intelligence about cyber-threats with Government and across industry players.
The second is Recommendation 15 - that the Australian Government develop a national strategy for a federated-style model of trusted digital identities. Such a model, once developed, should improve convenience and security for individuals engaging in online financial transactions. It should also assist in reducing the risk of cyber-crime perpetrated through identity theft and the use of false identities.
The third is Recommendation 38 - that the Australian Government update the 2009 Cyber Security Strategy to reflect changes in the threat environment, improve cohesion in policy implementation, and progress public private sector and cross-industry collaboration. It includes a recommendation that the Government establish a formal framework for cyber security information sharing and response to cyber threats.
This last recommendation is particularly telling. It re-emphasises the growing urgency for the industry and Government to come together in a timely, effective and co-ordinated way to explore better ways about how they share security intelligence - including across other sectors as well, such as the telecommunications sector. It recognises that cyber-attacks are best tackled by the sharing of intelligence information at a number of levels - within the organisation itself, amongst industry participants and with Government. It also flags the need for a much clearer delineation between public and private sector roles in the event of a cyber-attack.
The outcome of the Government’s cyber security review is due to be released in May 2015.
WHERE TO FROM HERE?
There is no one simple solution to address the cyber-security threat. The growing sophistication of cyber-security attacks requires an equally sophisticated response.
At the organisational level, having an effective cyber-risk management program which manages and mitigates against the consequences of a data breach is essential, and is just as important - if not more so - than having robust security technology solutions and infrastructure in place.
Above and beyond that, it is about looking at what is happening in the industry more broadly. And that means collaborating with stakeholders, supply chain participants and Government, where appropriate, to better understand risk vulnerabilities and to plan for, and respond to, attacks.
The increasing inevitability of a cyber-attack makes a compelling case for building such multiple lines of defence.
Industry-wide measures, along the lines of the recommendations of the FSI described above, should go some way in addressing the identified sensitivities and ensuring the resilience of the financial services industry in the digital age.
- The importance and value of private data is increasing for industry participants.
- Security and reputational risks are significant and can be challenging to address.
- The FSI Report contains three key recommendations to tackle cyber-security in the digital age.
1 “White hats to the rescue”, The Economist, 22 February 2014
2 “Defending the digital frontier”, The Economist, 12 July 2014
3 The Personal Data Notification and Protection Act
4 The White House, Office of the Press Secretary, “SECURING CYBERSPACE - President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts” 13 January 2015