Why COVID-19 demands a review of your Technology and Cyber Security Risk Management
The COVID-19 outbreak has had an immediate effect on Financial Services (“FS”) firms, transforming how their employees work as much as the ways in which they are able to interact with customers, partners and third-party providers.
The impacts of the current crisis have been felt by all kinds of FS firms; from retail banks negotiating lockdown restrictions to serve customers in branches, to investment banks facing the challenge of supporting remote working for traders whilst remaining compliant with regulations. On the other hand, in every crisis lies opportunity: FS firms with more robust digital offerings have gained significant ground as customer awareness and use of online and mobile solutions has increased.
As the finance industry becomes more dependent on technology to support business operations and deliver products and services, it is now more critical than ever that FS firms review their Technology and Cyber Security risk management. We have identified four key steps that firms can take in order to improve their technology and cyber resilience.
1. Reduce your attack surface
COVID-19 has been a catalyst for digital transformation across organisations as they adapt to support digital proximity amid social distancing. Unfortunately, the rapid growth in reliance on technology – with no time for a well-planned and phased approach to implementation – has, in turn, expanded attack surfaces for cyber-criminals. Consequently, the financial sector has been increasingly targeted during the COVID-19 outbreak as hacking groups seize the opportunity to exploit new vulnerabilities.
This has been the recent experience of Finastra, a UK banking software fintech. In mid-March, they suffered a ransomware attack in the midst of their COVID-19 preparations, with Chief Executive Officer, Simon Paris, stating:
“We believe the attack came deliberately whilst we focused on moving the majority of our global workforce, including several thousands of our colleagues in the Americas, to safer work from home processes in light of COVID-19”.
There is evidence that technology and cyber security threats are growing and being sustained across the industry. Between February and March 2020, a study conducted by VMware Carbon Black reported a 38% increase in cyber-attacks against financial institutions, accounting for 52% of attacks across all sectors.
While cyber-attacks are inevitable, there is much that FS firms can do to protect themselves from information security compromise. For example, in order to minimise unauthorised IT access, organisations can take steps to reinforce access management controls and define key risk indicators to monitor the number of unauthorised remote access attempts.
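As an added illustration (not code from the original post), the following script shows one way to turn the control described above into a measurable key risk indicator: it parses remote access (VPN) authentication log lines, computes the share of attempts that were unauthorised, and flags any single source address that accumulates several failures inside a short window. The log line format, the sample lines and the amber/red thresholds are all constructed assumptions for this example rather than a real product's format or a firm's actual risk appetite.

```python
"""KRI: unauthorised remote access attempts (added example, constructed data).

The log format below is a hypothetical one:
  <ISO timestamp> vpn auth <OK|FAIL> user=<name> src=<ip> reason=<text>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2020-04-01T08:00:01Z vpn auth FAIL user=jsmith src=203.0.113.10 reason=bad_password
2020-04-01T08:00:05Z vpn auth FAIL user=jsmith src=203.0.113.10 reason=bad_password
2020-04-01T08:00:09Z vpn auth FAIL user=admin src=203.0.113.10 reason=unknown_user
2020-04-01T08:00:12Z vpn auth FAIL user=root src=203.0.113.10 reason=unknown_user
2020-04-01T08:00:15Z vpn auth FAIL user=trader1 src=203.0.113.10 reason=bad_password
2020-04-01T08:02:00Z vpn auth OK user=trader1 src=198.51.100.7 reason=-
2020-04-01T08:03:30Z vpn auth FAIL user=trader2 src=198.51.100.7 reason=bad_password
2020-04-01T08:03:40Z vpn auth OK user=trader2 src=198.51.100.7 reason=-
2020-04-01T09:15:00Z vpn auth FAIL user=ops src=192.0.2.44 reason=mfa_rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) reason=(?P<reason>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not raised."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def remote_access_kri(events, amber=0.2, red=0.4):
    """Share of remote access attempts that were unauthorised (FAIL).

    The amber/red thresholds are illustrative assumptions; a firm would set
    them from its own baseline and risk appetite.
    """
    total = len(events)
    failed = sum(1 for ev in events if ev["result"] == "FAIL")
    ratio = failed / total if total else 0.0
    rating = "green" if ratio < amber else "amber" if ratio < red else "red"
    return {"total": total, "failed": failed, "ratio": round(ratio, 3), "rating": rating}


def failed_attempts_by_source(events, window=timedelta(minutes=5), min_failures=5):
    """Count FAIL events per source address and flag sources whose peak number of
    failures inside any sliding window reaches min_failures (a burst from one
    origin is a stronger signal than the same count spread over a day)."""
    counts = Counter(ev["src"] for ev in events if ev["result"] == "FAIL")
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_failures:
            flagged[src] = peak
    return dict(counts), flagged


def main():
    events = parse_log(SAMPLE_LOG)
    kri = remote_access_kri(events)
    counts, flagged = failed_attempts_by_source(events)
    print(f"remote access attempts: {kri['total']}, unauthorised: {kri['failed']}, "
          f"ratio {kri['ratio']} -> {kri['rating']}")
    print("failed attempts per source:", counts)
    print("sources flagged for bursts of failures:", flagged)


if __name__ == "__main__":
    main()
```

Reporting the ratio alongside the raw count matters: a rising number of failures on its own may simply reflect more staff working remotely, whereas a rising failure ratio, or a burst concentrated on one source, is what the risk indicator is meant to surface to decision-makers.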
2. Protect your critical operations
As organisations shift away from using physical premises and support remote working, operational impacts need to be assessed in order to mitigate potential disruption caused by cyber-attacks, security breaches and IT outages.
Of course, the challenge of making a workforce remote-capable varies depending on the roles and responsibilities of each team. Beyond the common need for remote access, video-conferencing and other online productivity tools, certain functions require additional operational and technological enhancements in order to be performed remotely. Let’s take the trading floor of an investment bank as an example: traders need robust, real-time communication, with additional controls to monitor and evidence regulatory compliance, such as a complete record of trading transactions and use of recorded lines for regulated employees.
In many cases, these additional requirements call for more extensive digital transformation which, in turn, varies in complexity according to an organisation’s digital readiness. Many organisations will be reliant on legacy, or even obsolete, hardware and software in order to deploy IT solutions to support their operational capabilities remotely or via digital channels. In order to minimise the likelihood of potential data loss, FS firms should focus on strengthening their IT change management controls and monitor the percentage of business applications not supported by remote working as the situation develops.
3. Go digital – but prepare for Disaster
Over the last decade in the UK, we have seen a significant decline in the use of bank branches and, consequently, an increase in branch closures. According to House of Commons Library statistics, the number of physical bank and building society branches fell by 22% between 2012 and 2019.
Since social distancing measures have come into force, customers have been even more averse to visiting their bank branches. Consequently, consumer appetite for digital offerings is on the rise, even amongst the less technologically adept. According to recent research conducted by London-based Fintech Nucoro, every day between 14th March and 14th April, around 200,000 people downloaded their bank’s app for the first time.
For some FS firms, this sharp increase in demand for online and mobile offerings, combined with already unstable systems, has caused a surge in IT outages. Indeed, service outages due to poor IT strategy and governance are already a widespread and recurrent industry issue: an FCA discussion paper on Impact Tolerances for important business services cited 20% of incidents reported over the last 12 months as being explicitly linked to weaknesses in change management.
As FS firms drive towards digitisation and increasingly rely on technology to offer products and services, they will become more susceptible to service interruption due to IT outages or infrastructure failures. In order to avoid the costly financial and reputational impacts that result from operational downtime, organisations should ensure they continuously review and evolve their Disaster Recovery and Business Continuity plans. Indeed, it is likely that regulators will start requiring FS firms to carry out stricter and more regular checks of their online systems’ ability to cope with greater demand.
4. Assess the vulnerabilities of third-party providers
In order to adapt to the post-COVID-19 market and give employees and customers access to fast and engaging digital-driven experiences, it is likely that FS firms will overcome deficiencies in their own legacy core systems by transitioning to cloud computing-based and third-party solutions.
Already, across the finance industry, firms are adopting outsourcing as a business strategy and growing their reliance on third-party providers. Cloud providers such as Amazon, Google and Microsoft, for example, are becoming systemically important pillars of the financial system. The Bank of England (BoE) recently focused its attention on this topic, publishing a consultation paper on ‘Outsourcing and third party risk management’ in December 2019.
While the BoE facilitates FS firms’ use of technology like Cloud to improve their operational resilience, it also warns of the increased potential for concentration risk (i.e. industry over-reliance on a specific provider). Furthermore, the rapid rate of adoption will make it more challenging for FS firms to gain a comprehensive view of their third-party dependencies and exposure.
In order to combat these risks, FS firms should take steps to improve and streamline their third-party due diligence process, as well as continuously monitor the performance of third-party providers using key risk indicators (e.g. the number of security incidents attributed to vulnerabilities in third party systems).
What can FS firms do to improve their Technology and Cyber resilience?
FS firms should start by leveraging industry-standard frameworks to conduct risk and control assessments, and define risk metrics and reporting that drive risk awareness in corporate decision-making. Considering the comprehensive impact that the COVID-19 pandemic has already had on FS firms, key risk indicators should also be reviewed and implemented across all Technology and Cyber risk domains. The diagram below showcases a high-level example against the key themes that have been identified in this blog.
We have seen that now, more than ever, FS firms need to take action in order to mitigate their Technology and Cyber Security risks. But how should they prepare for a post-COVID-19 world? We think that the goal should not be to return to normal, but to prepare for a “new normal”; one with Technology and Cyber Security risk management at the core of digital relationships with employees, customers and partners.
Technology risks and cyber threats will keep evolving, driven by the impact of global events (such as COVID-19), increased usage of emerging technologies by banks and FinTechs (e.g. artificial intelligence, machine learning and open banking) and cybercriminals adapting their attack methods to exploit new and overlooked vulnerabilities. The review and enhancement of Technology and Cyber risks and controls cannot be a one-off exercise. Continuous improvement will be required in order for FS firms to adapt to a worldwide economy that is increasingly digital and interconnected.