Cybersecurity – One of the Major Risks Facing Financial Services Institutions
DECEMBER 06, 2019

“I think every organisation needs to assume that they are compromised,” Dmitri Alperovitch, an American computer security industry executive and former vice president of threat research at McAfee, once said. While this may perhaps sound too alarmist, cybersecurity is expected to be one of the top risks facing institutions in the financial services sector and institutions need to ensure they mitigate such threats appropriately.

A report published by international auditing firm PricewaterhouseCoopers, which looks at financial services technology in 2020 and beyond, identifies cybersecurity as an area which practitioners in the sector should focus on.

Cybersecurity threats are unlikely to diminish in the future, especially due to factors such as the use of third-party vendors; rapidly-evolving, sophisticated and complex technologies; cross-border data exchanges; increased use of mobile technologies by customers; and heightened threats to cross-border information.

IoT as a conduit for cyber threats

As we explore in a separate article, the Internet of Things (IoT) is increasingly becoming integrated in our everyday lives. The number of IoT devices is expected to reach 25 billion by 2020 and this new technology also brings new risks and challenges to cybersecurity, which will need to be addressed.

IoT allows physical objects, such as household appliances, wearable devices and cars, to communicate with each other through the internet. A number of pilot projects involving the pairing of Artificial Intelligence with IoT – in the areas of traffic management, education, health, customer care, tourism and water and electricity management – are, in fact, in the pipeline in Malta.

To date, IoT growth in financial services has happened mostly in areas related to payments, insurance and banking. Banks are collaborating with wearable tech makers to let customers make mobile payments using watches or fitness trackers. Insurers are using telematics tech to monitor the driving habits of their customers and to give discounts to those who drive safely.

But insecure interfaces will increase the risk of unauthorised access, raising various concerns, mainly that hackers can enter a corporate network using an IoT device or that consumer privacy could be violated because of the pervasiveness of IoT data collection and advanced analytic capabilities.

Cyber-crime making financial institutions attractive targets

While financial institutions have dealt with sophisticated threats for a long time, cyber-crime is making such institutions more appealing than ever.

The Bangladesh cyber heist of 2016, which saw almost US$1 billion transferred through the SWIFT network from the Federal Reserve Bank of New York to an account belonging to Bangladesh Bank, through the use of fraudulent instructions issued by security hackers, is a prime example of this.

To make matters worse, some bad actors now appear to be working together to carry out attacks. There is an upside to this, however, as the same functions which make networks more vulnerable can also be bolstered with defences.

Big data analytics, for instance, can be used by financial institutions to monitor for covert threats, enabling them to identify external and internal security risks and react quicker.

Moreover, the technology which enabled smartphone proliferation can also be used for biometric security, with some banks now allowing customers to access their accounts using thumbprints or facial recognition, thus improving security.

Cyber security must be given high importance

A key message which financial services entities would do well to take on board is that cybersecurity should become a priority, not an add-on. In this regard, cybersecurity is one of the core pillars of the MFSA’s supervisory agenda for the upcoming years.

The security model which worked in the past – which is controls- and compliance-based, perimeter-oriented and aimed at keeping data and the back office secure – could be out of date.

Security risks have changed drastically, and the defences against them have to keep up.

In light of this, it is recommended that institutions focus on proactively managing cyber-risk and regulation; building and executing a strategic cybersecurity roadmap; putting in place tailored cyber-protection programmes and developing an incident response plan; recruiting and developing key cyber-protection talent focusing more on enterprise and business risk management; and establishing reporting requirements for cybersecurity.

New tools can also be used to combat cyber threats, such as state-of-the-art mining tools and other technologies which detect instances of security and fraud anomalies.

Technology can be deployed to prevent or reduce the impact of cyber risks, depending on the company’s risk assessment and risk appetite. With the right tools and practices in place, such risks can be discovered and addressed quickly, helping institutions to avoid financial damage, bad publicity and a loss of trust amongst customers.