
Cybersecurity in finance: strengthened regulation means organisations must act

In the wake of increasing cybersecurity regulation requiring financial services organisations to demonstrate robust operational resilience measures, Director of Sales, Sean Arrowsmith, sums up a recent conversation with cybersecurity professionals from the banking sector to get their perspective on the cybersecurity risks and the impact of tighter regulation.


Deeper digital and data connectivity between organisations in recent years has increased the risk of cyber breaches across all sectors, and the financial services sector is highly exposed. So much so that the IMF considers cybersecurity a global financial threat.


And because financial services companies are fundamentally important to economic stability and growth, regulators are now stepping up requirements on the sector to improve its operational resilience, raising the bar through initiatives such as the EU’s Digital Operational Resilience Act (DORA).


So how can financial institutions and companies, large and small, prepare? What are their biggest challenges in cyber-proofing their IT infrastructure? What are some best practices and tactics to achieve resilience?


We recently spoke to the chief security officer (CSO) of a leading bank, the chief information security officer (CISO) from a banking tech provider and a professor of cybersecurity for a panel discussion about the cyber risks faced by the financial services industry. Here’s what we learned.


(The following is an excerpt from a longer report – download the full story here).


Strengthened cybersecurity regulation in finance means organisations must act

Governments and public institutions are shoring up the regulatory infrastructure for cybersecurity. In the EU, the Digital Operational Resilience Act (DORA), adopted in late 2022 and applying to in-scope entities from January 2025, aims to ensure that Europe’s financial sector can maintain operations through a severe operational disruption. It sets uniform requirements for the security of the network and information systems of financial entities and of the critical ICT third-party providers that serve them, including cloud platforms and data analytics services. Regulatory oversight of cryptocurrencies is strengthening, too.


The banking panellist also credited regulators with progress in disrupting the business models of cyber criminals: “That back end of the process, in terms of making money, washing it and getting it out, is getting harder,” he said.


However, variations in the rigour with which regulations are applied in different jurisdictions can pose challenges. That’s especially true for companies aiming to grow quickly across multiple markets, while older businesses struggle to keep up. “You need to figure out how to manage cost and risk in a way that does not get tied up in endless special cases, bureaucracy, change criteria or ‘we can’t deploy this here because it’s not appropriate’,” said the technology panellist.


He called for companies to be “aggressive in simplifying compliance and regulatory efforts”, such as using a privacy gold standard in the US even though some states might currently have weaker legislation. “That’s fine because your business model, technology and tooling will work even when the legislature passes a watered-down regulation.”


The cyber professor called on the financial services industry to make more use of automation tools. A mechanical engineer by background, he asked why the industry cannot mimic the way in which the aerospace sector has created approved autopilot systems. “We cannot have people watching screens and trying to shut things down [manually]. We have grown to a scale where it’s very difficult to manage [as] we are managing today. We need to start building systems which prioritise threats, block them and self-heal.” The technology panellist agreed that cybersecurity is stuck in a bespoke phase and needs to move to an “a la carte model, which is reasonably well-defined and addresses the risk profile you care about”.


The panellist from the bank argued for a rationalisation of supply-chain due diligence. “We need to reset how we approach this. How do we get telemetry through the life cycle against a common standard, a few really important critical control factors? What is the convening entity that would get experts around that and get consensus across industry? The way we are doing things now is unsatisfactory for everybody. We can’t be working on a whack-a-mole basis. We need to look at first principles.”




To find out more about how Crossword can support you in developing robust cyber risk management processes, contact us.
