Cybercrime in financial services: Work together to win the war
Modern life is increasingly a collaborative experience, from open offices to social media. But for businesses, moving towards a more “collaborative” style of work can raise concerns: how can competing companies work together? Nowhere is this dynamic more critical than in cybersecurity, where the stakes are high, the data is sensitive, and the threat grave, writes Rob Johnston, SVP, head of operations at FIS.
Estimates suggest that global businesses and their customers lose more than $500 billion annually to cybercrime. Breaches are occurring at a higher rate – five billion records compromised in 2018 and 4.1 billion records in just the first six months of 2019. At the same time, cybercriminals penetrate the most sensitive and proprietary parts of businesses. The financial industry has acted in response – joining together to move towards better and more holistic industry-wide relationships to combat cybercrime. Here’s how they are doing it.
An ounce of prevention is worth a pound of cure. The industry is increasingly shifting resources from mitigating the impacts of cybercrime to actually working to stop it. Firms like Amazon are building sophisticated customer profiles that can more easily recognise abnormal activity. The opportunity exists for this information to be shared – as long as the appropriate privacy measures are put in place.
An important shift is happening to tip the balance between resources dedicated to “cyber defense” and those dedicated to a risk culture. Technical defenses include firewalls, encryption and controls on data, but the most common point of failure is user error. Better security hygiene and password management can lead to meaningful improvements in data security. These approaches are nearly universal – meaning industry groups and thought leadership are effective ways to teach and share knowledge across the industry.
Cybersecurity professionals frequently split their roles into two parts – things they do on the ‘left’ and ‘right’ side of the boom. The boom here is the detection of a cyberattack, the legal time stamp when the incident officially ‘begins.’ While preventative work typically happens on the ‘left’ side of the boom, let’s turn our focus to the right side.
A nightmare scenario for any industry is a coordinated attack against multiple companies. In an ideal scenario, companies would be able to immediately coordinate their response. That isn’t happening yet, but the increasing presence of mandated industry reporting means that window is narrowing. In some jurisdictions, companies need to report compromised data within 72 hours of a breach.
The main barriers to working together typically aren’t legal – they are practical. Different companies might have different reporting lines and structures. It is important to know in advance who should be contacted at other firms during an incident. The Financial Services Information Sharing and Analysis Center is an excellent channel for communication and practice. Last year some of the firms involved held joint cybersecurity war games with IBM in Massachusetts to practice how they can coordinate their response to an attack. A new industry organisation, P20, is a direct response to the ever-increasing need for greater regulatory clarity, consumer security and collaborative innovation as it applies to the payments industry.
The role of regulation
Regulators can help draw lines of permissibility. Here in Europe, the Second Payment Services Directive (PSD2) requires payment services providers to establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks around their services. PSD2 provides guidance on how to move forward on working together as an industry, especially on the preventative side of the equation.
Regulators and other industry bodies can also play an important role in assembling groups to discuss solutions. Whether under the auspices of the government or just with a guiding hand, these forums can be a place to share industry best practices. They can also include simulations, which are now typically run as joint exercises between government agencies and systemically important companies. Leaving competitive issues aside, this can be a chance to start and eventually strengthen relationships that will be needed in times of crisis.
What we need is a smart, flexible way of working together to anticipate and respond to threats. By addressing the whole cybersecurity ecosystem, including partners and customers, we have the ability to collaborate to create a better industry and a safer world.
By Rob Johnston, SVP, head of operations at FIS