2019 trends in cyber risk and regulation for financial institutions
The ever-increasing extent of connectivity has driven a wide range of innovation and performance improvements within financial institutions.
Stéphane Hurtaud - Partner - Risk Advisory - Cyber Risk - Deloitte
Nick Seaver - Partner - Risk Advisory - Cyber Risk - Deloitte
Dave Clemente - Senior Manager - Risk Advisory - Cyber Risk - Deloitte
Published on 5 February 2019
Customer interactions have been transformed, geographic constraints lessened, processes automated, and downtime significantly reduced. Whilst this increasing connectivity undoubtedly benefits organizations, it is largely built on internet technologies, designed primarily to share information rather than protect it.
The rewards for getting cyber risk management right include peace of mind and competitive advantage, while the costs of getting it wrong include business disruption and unwelcome regulatory scrutiny. This article looks at key trends in cyber risk and regulation for 2019 and offers insight for financial institutions looking to stay ahead of the pack.
The management of cyber risk continues to be a fast-moving challenge, with most analysis concluding that the number and severity of cyber risks continues to rise despite ever-expanding levels of investment. Cyber risk is a top priority for financial institutions and will remain so throughout 2019, with key trends including:
Geopolitical uncertainty & state-sponsored cyber activity
Financial institutions risk becoming entangled in political disputes, as cyberspace is used increasingly to facilitate covert and overt state-sponsored actions. These actions have resulted in multi-billion-dollar damage and disruption to civil infrastructure around the globe, as demonstrated by the 2017 NotPetya malware attack. This worrying trend shows no signs of changing. Financial institutions should expect to be directly or indirectly targeted and will need to regularly update their risk assessments to account for evolving threats.
Building a citadel
These threats have made financial institutions aware that, while synchronous (instant) replication across a network facilitates customer activity and meets business and availability needs, this functionality also allows cyber-attacks to disrupt multiple systems across their network in seconds. This was demonstrated on a number of occasions in recent years, as organizations suffered attacks and were locked out of business-critical systems. This resulted in a push to develop air-gapped, asynchronous data storage and recovery solutions, to safeguard critical assets and allow them to be recovered in a timely manner after an otherwise catastrophic event.
Business as usual now means migration into the cloud. As a result, financial regulators are expressing growing concern that concentration risk could be elevated if a significant number of institutions rely on the same cloud service provider. While institutions can aim to manage this through monitoring and greater awareness, they may find that confidentiality restrictions limit their ability to obtain clarity on areas of potential concentration risk.
Developing an integrated approach
Destructive attacks are important but maintaining business as usual brings its own risks. For example, it is no longer enough to examine related risks in isolation. Leading financial institutions have realized that there are benefits to be gained from taking decisive action to break down the silos between domains. These include:
- Pooling scarce engineering and machine learning resources to encourage innovation, increase automation, and reduce false positives
- Building rich user profiles based on customer due diligence, digital behavior, and transactions to increase accuracy and enable faster customer on-boarding
- Aggregating information streams from AML/CTF, cyber, and fraud to speed up investigations
- Unlocking innovations in data integration to improve data collection, monitoring and analytics, and risk assessment and alert handling
The regulatory landscape—for both cyber security and data protection—has seen significant recent changes. There is a trend for regulators to increasingly frame cyber risk as a core operational risk, and an expectation for senior management to ask the right questions and offer informed guidance within their organizations. While this is currently focused on systemically important financial institutions, other actors will also receive growing regulatory scrutiny regarding how they manage cyber risks. The outlook for 2019 includes the trends below.
European Banking Authority (EBA) guidelines
The focus on operational risk noted above is clearly demonstrated in the European Banking Authority (EBA) guidelines on Information and Communication Technology (ICT) Risk Assessment under the Supervisory Review and Evaluation process (SREP), which specify criteria for competent authorities (i.e. regulators) to use when assessing ICT risk as part of operational risk. The guidelines account for the evolution of cyber risks together with the increasing potential for cybercrime and possible cyber terrorism and acknowledge widespread reliance on outsourced ICT services and third-party products.
Furthermore, and in the same vein, the EBA draft guidelines on ICT and security risk management will establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology risks (including Cyber security risks). These guidelines are part of a larger trend of mounting supervisory pressure on financial institutions to demonstrate tangible improvements to their IT and cyber security resilience and have the potential to set the scene for future local financial sector regulations across the EU.
In the same way that cloud migration is now impossible to ignore, so too is business innovation involving artificial intelligence (AI), which is being incorporated into a range of functions. This is often trialed in labor-constrained areas of financial institutions, which are ripe for automation. But the technology may also introduce new risks by removing human intervention and judgement and placing trust in algorithms that were designed to enhance the customer experience, but which may never have been subject to robust security testing.
Evolution of red teaming
A trend for regulator-driven frameworks for intelligence-led red teaming is gaining traction in financial institutions in the EU (TIBER-EU), UK (CBEST), Hong Kong (iCAST), and Singapore (Adversarial Attack Simulation Exercises). These are implemented and carried out by national supervisors, and use intelligence from real attacks, with the goal of improving resilience. They aim to enhance the standardization and coordination of cyber-defense testing and could provide a blueprint for a global standard that has hitherto been absent, benefiting cross-border firms and improving cyber resilience. Once proven in the financial sector, there is the potential for these frameworks to be adopted by other critical sectors.
Red teaming isn’t the only trend seeing growing adoption. The General Data Protection Regulation (GDPR) is more than six months old, and financial institutions are handling the requirements in a variety of ways. There is a split in the market between the laggards and the leaders. Some organizations are just starting a gap analysis to embark upon GDPR programs. They have nothing in place and have made no progress. At the other end of the spectrum are organizations that have completed their program and embedded it and are now putting effort into eliminating risk at the root by , for example, driving reductions in unstructured data.
The NIS directive came into force the same week as the GDPR but has been overshadowed by its cousin. It proposes measures for a high common level of security as regards network and information systems across the EU, and member states had until 9 November 2018 to identify the relevant Operators of Essential Services (OES) in their territory. Banking and financial market infrastructures are two of the seven industry sectors covered by the directive and relevant institutions are advised to monitor legislative activity in their countries of operation.
Proposed EU Cyber Security Act
Adding to the array of EU measures on cyber security, the proposed act includes a permanent mandate for ENISA (the EU Cybersecurity Agency) and the creation of a voluntary certification framework for ICT security products. Negotiations are ongoing and may result in ENISA obtaining the power to conduct audits of critical infrastructure. This could encompass financial institutions that are considered critical, with a risk of duplicating existing frameworks. Regarding the certification regime, its voluntary nature means it should have limited impact on financial institutions, many of which already face more stringent rules arising from other EU initiatives.
In 2019, financial institutions will be greeted by diverse trends in terms of cyber risks and regulations. They will need to respond by preparing for growing geopolitical instability and regulatory changes, developing an integrated approach to fraud, and embedding security into efficiency initiatives (e.g., the cloud and AI). They will find significant value from participating in red-teaming exercises, honing incident response procedures, and improving resilience across the organization—all key to surviving and thriving in 2019.
Global Cyber Risk
Deloitte helps organizations prevent cyberattacks and protect valuable assets. We believe in being secure, vigilant, and resilient—not only by looking at how to prevent and respond to attacks, but at how to manage cyber risk in a way that allows you to unleash new opportunities.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
The Luxembourg member firm of Deloitte Touche Tohmatsu Limited Privacy Statement notice may be found at www.deloitte.com/lu/privacy.