Managing cybersecurity risk in a transformational landscape
The shift towards digitalisation and cloud-based financial services has increased the need for regulatory oversight in areas such as cybersecurity and risk management. These areas have a significant impact on the security and stability of the banking and financial services industry, so regulators must stay vigilant. Here we explore how organisations can improve their cyber readiness, assess it, and prepare for threats by mitigating risks.
Cybersecurity - Protecting the ecosystem where data is created, stored, and used
Data, and the risk attached to it, is now the central concern of financial services. Everything we do is surrounded by data, tracked by applications, systems and devices that describe us in granular detail. The growth of digital payments means that information such as spending behaviour, spending limits, credit history and shopping cart contents is readily available, giving insight into people's financial behaviour and habits in more depth than ever before. Accordingly, protecting this data is ever more critical, which is why regulators are focussing on digital transformation to ensure financial systems remain safe, secure and resilient while still encouraging innovation.
Data is a high-value target for cybercriminals, so we now face the mammoth task of securing online transactions, digital payments and platforms. Digital footprints require adequate protection, and this has led to a paradigm shift: the information stored on our devices is now more precious than the device itself, and securing this ecosystem poses new challenges. Cybersecurity therefore needs to be distributed, i.e., carried out in real time across every component of the ecosystem and adapted to all the moving parts where data and information are created, stored and used.
Choosing the right approach to cybersecurity
We see clients approaching cybersecurity from different angles, as outlined below. In practice we tend to see a combination of all three approaches, depending on the type, scale and complexity of the organisation and on how cybersecurity is managed and governed.
- Audit-based: Leveraging internal and/or external audits to identify key risks and control issues and remediating them on a rolling basis. This approach is repeatable and can be tailored in scope, depth and breadth, e.g., reviewing selected cybersecurity capabilities such as incident response, threat detection or restoration procedures. Its coverage is only as good as the audit scope, so risks outside the areas reviewed can go unnoticed between cycles.
- Maturity-based: Leveraging common industry frameworks to measure current-state maturity and define a target state, then developing strategies to reach the maturity goal, e.g., striving to progress from ‘initial’ towards ‘defined’ or ‘optimised’. This approach is often ambiguous about how maturity is measured, which makes results difficult to compare across organisations or over time, and a higher maturity score does not by itself show that a specific threat is contained.
- Regulation-based: Using regulatory frameworks to review controls against the requirements for cybersecurity and the management of cybersecurity risk. This approach is transparent and reflects the regulator's view of what must be implemented to protect sensitive and critical information; it sets a minimum standard rather than a complete defence against current threats.
We believe all three approaches deliver value to an organisation when used iteratively. With the right frameworks, organisations can achieve compliance with regulations and then reassess whether their readiness and maturity remain appropriate to the fast-moving world of technology and security, in line with regulatory requirements.
Regulators worldwide have introduced regulation that is changing the cybersecurity landscape for financial services, imposing a higher level of vigilance and accountability that ranges from mandatory disclosure of cyber incidents to greater convergence in cyber reporting. Financial institutions must also deal with increasing regulation across multiple jurisdictions.
The Australian Prudential Regulation Authority (APRA) has introduced CPS 230 Operational Risk Management, finalised in 2023 and due to take effect on 1 July 2025, which sets out the minimum requirements regulated entities must meet to manage operational risk from a security, resilience, disruption, and outsourcing or cloud perspective. The standard expects financial service organisations to maintain a minimum standard for operational resilience, management of service providers and business continuity. The aim is to ensure stability in the financial services and insurance sectors and to minimise the impact of unplanned outages arising from increased operational complexity and the cyber threat landscape.
A new approach
A question that comes up frequently in conversations with boards and the C-suite is: what is the right approach to cybersecurity?
A simple analogy: if I wanted to compromise my organisation's information and assets, how would I break into the building to gain physical access? Translated to the digital estate: how would I compromise directory services to stop staff accessing their workstations, how could I disable the filtering of outbound internet requests, or how could I disable endpoint protection so that malware can be deployed undetected? These are all current cyber concerns that can threaten organisations.
Cybercriminals generally follow a similar approach, looking for the weakest link and the least effort required to defeat security controls. A breach, from the attacker's point of view, is an exercise in finding how little effort is needed to get into an organisation and reach valuable information and data. For example, if some of your mission-critical platforms fail frequently but are built to fail over, disabling the failover mechanism could be an initial move: the resulting outage keeps the operations team pre-occupied while the attacker infiltrates the organisation and deploys malware.
Boards must consider moving the cybersecurity strategy to a threat-centric modus operandi, with a more proactive approach to finding and remediating weaknesses. These may be in physical security or in any platform within the environment. In some instances this also extends to vulnerabilities throughout the supply chain and among other service providers that have access to critical and/or sensitive assets.
To see more from Alice Kalambokas, feel free to visit her here.