Everyday solutions to an existential threat
In the latest of our article series looking at the 2019 conference sub-themes, we discuss how the finance sector’s security professionals are taking a practical and holistic approach to protecting client assets
Cybersecurity breaches represent one of the most serious threats to the finance sector. If banks and financial institutions cannot transact safely in the digital age, the consequences of the resulting loss of client trust will be severe. Add to this existential threat the fast-changing motivations and tactics of all-but-invisible criminals, hackers and quasi-state actors and it becomes easy to see cybersecurity as a shadowy, high-stakes, high-tech arms race.
Military parallels are not entirely misplaced, but can be misleading. Much of the effort required to protect client assets is far from glamorous, bordering on the mundane. Across the sector, firms are working to embed cybersecurity into every process and product, every initiative, meeting and decision.
This multi-dimensional approach is warranted by the wide, evolving ‘attack surfaces’ of hyper-connected entities with complex networks across multiple clients, employees, counterparties, suppliers, product lines and geographies. Much progress has been made, but experts say more and varied resources, greater board-level support, and deeper cross-industry collaboration are required. This will bolster the efforts of chief information security officers (CISOs) to build multi-layered and resilient strategies to prevent, detect and recover from cybersecurity attacks.
No silver bullet
Cybersecurity chiefs no longer see themselves as the law-enforcers of the banking world. According to JF Legault, global head of cybersecurity operations at JP Morgan, CISOs now collaborate with bankers on what they should and should not do to keep safe. “When product teams develop a new idea, our response should be ‘how’ rather than ‘no’”, he says. “There needs to be a collaborative relationship between cybersecurity and business teams to ensure security is integral to the design and implementation of any new initiative. Today, cybersecurity is an enabling function, using our knowledge of the threats to manage the risks associated with our business.”
Legault’s role in the development of new banking services goes beyond discussions with product managers. He’s having more conversations with clients too, to better understand how banks can meet their changing needs. When asset managers and large corporates wish to receive data streams via APIs, banks need to facilitate such requirements as securely as possible, similar to when retail brands wish to supply frictionless micro-payments, perhaps as a refund or an incentive to participate in a taste test. A component of the response is partnership, such as JP Morgan’s investment in Ionic Security, a data trust management solutions provider, announced earlier this year. “But it also requires an understanding of the threat landscape: how might this particular offering be attacked? It’s about layered controls rather than a single silver bullet. Only an integrated approach can reduce risk on a sustainable basis,” says Legault.
Cheri McGuire, CISO at Standard Chartered, emphasises collaboration across business lines, client groups and third-party technology vendors. Like any business risk, cybersecurity threats need to be handled effectively, but unobtrusively, she says. “Clients want to access more data, more quickly, via more channels than ever before. We have to be innovative in how we apply security technologies to ensure we reduce friction for customers while also keeping their data and assets safe. This includes the introduction of facial and voice recognition for authentication and new applications that use machine learning and artificial intelligence to recognise suspicious transactions.”
Banks are looking to factor cybersecurity considerations into any new initiative alongside more traditional elements of a cost/benefit analysis. Like many banks, Standard Chartered is developing deeper partnerships with fintechs to augment customer offerings. Cybersecurity needs to be built in, says McGuire.
“With more integration across apps, platforms and companies, it’s imperative that cybersecurity is a fundamental part of any new processes. As a business risk, security needs to be considered when entering into any new partnership. If done right, strong cybersecurity capabilities can be another source of competitive advantage,” she explains.
For all its high-tech tools, cybersecurity still depends critically on people. As well as ongoing employee-specific training programmes at all levels, Standard Chartered is further embedding cybersecurity into its day-to-day processes through the selection of cybersecurity ‘champions’ within business lines. These are existing staff who take on responsibility for spreading awareness, helping to ensure cybersecurity is viewed as a team effort. “Our cybersecurity champions help to ensure risks remain front and centre throughout the organisation,” says McGuire, noting that training and education are important at every level from the board down.
Jane Frankland, managing director of Cyber Security Capital, says many organisations are putting their operations and customers at risk by failing to educate non-executive directors (NEDs) and board-level executives.
“NEDs are absolutely integral to issues of security, trust and resilience. But typically, they don’t understand as much as they should about cybersecurity and need to get up to speed,” Frankland says. “NEDs are in a position to support the board by asking the difficult questions that few others can ask and be listened to, and for those questions to be acted upon. We have to get the support and the understanding right at the very top, in order to support those working in security.”
In many organisations, CISOs can lack the authority to effect the changes needed to bolster defences, owing to shortness of tenure and lack of advocacy skills. Often, they carry the can for breaches before they have time to address the underlying causes.
Frankland calls for the development of ‘high challenge-high support’ environments in which CISOs set high expectations, but actively enable teams to develop the skills needed to overcome their challenges. In these environments, staff have the psychological safety to fail, learn and progress. “Right now, people fail, are sacked and move on, or they report on issues, fail to garner support for resources, and are used as scapegoats when things go wrong,” she says. “We need board-level awareness to reach a consensus on reasonable expectations of a CISO. It’s not a case of if but when there is a breach. The sooner we’re back in the game, we’re not losing as much intellectual property, money or reputation, clients aren’t suffering and we’re not failing compliance or regulation.”
If cybersecurity is a war fought with cutting-edge technology, the CISO needs the communication and influencing skills to secure the necessary resources. Success hinges on the ability to influence people to achieve common goals and purposes, says Frankland, achieved through personal effectiveness. “It’s based on pulling and attracting and allows for increased awareness within the ecosystem. Once a CISO has developed influence, they’ll be better heard and much more effective change-makers. Right now, I often see poor leadership and poor communication.”
For Frankland, this also involves pulling in currently under-used human resources that can offer a different perspective on cybersecurity risks. In her recent book, she contrasts the widely-reported cybersecurity skills shortage with the under-representation of women in the field (roughly 10%). “The industry has failed to harness a massive amount of the prospective talent pool,” she observes.
While integrating cybersecurity into existing processes and new business partnerships, banks and financial institutions are tackling threats through industry-level partnerships and collaborative initiatives across both the payments ecosystem and increasingly also the securities sector.
Securities transaction chains may be vulnerable to cybersecurity threats in a particular way, says Mark Gem, member of the executive board and head of the Risk Committee at Clearstream. This is partly because the timing of payments resulting from securities is fairly predictable, and potentially easy to identify, as they take place on a semi-automated basis when an interest payment is made. Further, cash accounts used to settle securities transactions are often in a separate functional environment from other payments processes and so may not necessarily be subject to the same level of controls. Best practice is evolving to ensure securities processes are as well protected as payments processes, for example through an International Securities Services Association working group which is helping firms identify and address vulnerabilities.
Also at the industry level, Gem sees an opportunity to improve identification and protection of valid messages used to settle and pay securities transactions through the adoption of the ISO 20022 message standard framework. “As the payments industry migrates to ISO 20022 as the basis for message formats, it should be possible to structure messages for payments associated with securities operations such as interest payments that offer more precision and thus better control and resilience,” he says. Standards work is ongoing in both the SWIFT Payments Market Practice Group and the SWIFT Securities Market Practice Group to this end.
Of course, collaboration is not confined to the finance industry itself. Standard Chartered was a founding member of the Cyber-Defence Alliance (CDA), which was established in 2016 to enable UK-based banks and financial institutions to share data with each other and law enforcement agencies, legally and securely, to identify cybersecurity threats. McGuire asserts that the organisation has made “great strides” in enabling information-sharing over the past three years, both to alert peers to potential attacks and to track down perpetrators of actual attacks.
“Experience shows that it’s very difficult to catch cybercriminals,” observes McGuire. “Data needs to be gathered from multiple sources over time to build strong evidence packages leading to successful prosecutions. Collaboration and information-sharing partnerships are essential to putting cyber-criminals out of business, rather than just defending your own institution. We all need to stay vigilant and nimble, so we can pivot quickly and address new threats as they emerge.”
IN Security, Jane Frankland (Rethink Press, 2017)