Credit: ID 4389664 © Madartists | Dreamstime.com
Are cyber-attacks an inevitability in the financial services industry, given the wealth of personal data – and funds – entrusted to the keeping of banks, insurers and other players in the sector?
Management consultancy PwC thinks so. Its Top Financial Services Issues of 2018 Report divided financial services organisations into two categories – those that have faced a cyber-attack and those that will.
Australian firms can ill afford the reputational damage that’s the inevitable result of a successful hacking incident or large-scale data breach. They’re already scrabbling to regain acres of ground after an annus horribilus of public revelations about dubious and unconscionable conduct from players in their sector, courtesy of the long running Banking Royal Commission.
Spending whatever it takes on cyber-security measures to protect data, funds and customers isn’t just a smart idea for Australia’s $140 billion financial services sector.
It’s a critical imperative for organisations that hope to rehabilitate their reputations as trustworthy and honourable institutions. But as threats increase and become more sophisticated, where should time and investment be focused?
Building a stronger cyber-security culture
It’s often said employees can be both the strongest and weakest links in the cyber-security chain. Education is the key to ensuring they’re the former. Continuous training can help make safe practices the default behaviour for the 450,000 Australians working in the financial services industry.
But embedded security awareness goes beyond asking individuals to complete regular courses.
Organisations with truly robust security posture didn’t get that way by accident; rather, they’ve embarked on a conscious drive to develop a genuine security culture, from the C suite down to tellers on the front line.
In these environments, security isn’t just a matter for a team of specialists sitting somewhere in the IT shop. It’s everyone’s business, and employees with security remits are embedded across the institution, not buried in the back room.
Real time detection as well as prevention
Security budgets across the board are steadily shifting from prevention to response. Being able to detect and react to threats in real time is critical.
In the banking world, in particular, threats are as likely to come from inside the organisation as from without. Data theft is a particular risk when employees change jobs, given the wealth of valuable and sensitive information that can potentially walk with them – think clients’ contact details, trading algorithms and strategies, strategic plans and other confidential and business critical data sets.
Protecting the institution against leavers ‘copying the database’ and being able to detect when they’ve done so should be a key focus.
Securing the supply chain
Financial services organisations don’t operate in isolation. More so than many other enterprises, they form part of a vast, interconnected web of vendors and partners, in Australia and abroad.
Firms which are serious about earning and retaining a reputation for sound cyber-security practice must do much more than merely securing their own perimeters. If a breach occurs, customers aren’t interested in hearing why it’s the fault of the supplier to which data processing or business functions have been outsourced. They’ll attribute blame to the business name with which they have direct dealings – their bank, building society or insurer – not their less vigilant partner. Ensuring ‘back doors’ are firmly bolted should therefore be top priority.
The rise of the Internet of Things (IoT) means there may soon be many more back doors to bolt, as a proliferation of smart devices and sensors become potential entry points to critical systems.
Data protection gets serious
The past year has seen the introduction of tough new data privacy legislation, at home and in the European Union, which affects all organisations which handle and store customer data, including financial services firms.
Australia’s mandatory data reporting laws require local businesses with turnover in excess of $3 million to notify customers and the Office of the Information Commissioner within 30 days of a serious data breach. Penalties for organisations which fail to do so and to remediate the incident appropriately can rise to $1.8 million.
EU laws are much tougher again. The bloc’s GDPR regime allows just three days to act following a breach. It can impose penalties of up to 20 million Euros or four per cent of global turnover on large companies which don’t safeguard consumers’ privacy adequately.
It’s not just a concern for enterprises domiciled in the EU – the legislation is applicable to any organisation which collects and stores the data of EU citizens, including individuals who live in Australia.
In this punitive climate, having the capacity to track activity and respond proactively to vulnerabilities and incidents is vital. Investing in monitoring systems which provide an up-to-the-minute view of the enterprise can help companies mitigate the fall-out and meet their compliance obligations, should they experience a breach.
Putting security first
Cyber-security breaches can result in significant material loss and damage to corporate reputation that’s impossible to quantify. At a time when Australian financial services organisations are collectively suffering from an image problem, the security of corporate and customer data has never been more important.