The COVID-19 crisis has been a collective shock to our systems, bringing a decade-worth of disruption squeezed into weeks. It has forced countries, governments, businesses and individuals to abruptly rethink and redefine long-held beliefs and practices in how we work and conduct our lives.
Primary in its disruption, it created circumstances that further accelerated already ongoing trends in the world of business. For the financial services industry, three trends clearly defined the new normal – changed consumer expectations, the digitalization of banks to the smartphone and the remote management of banking by staff, overnight. At the confluence of these three trends lay cyber-risk. Moving banking away from the confines of branches, offices and data centers to mobile phones, tablets, laptops and the cloud, opened up data to new vulnerabilities.
Embarking on a cloud and (more widely) digital transformation journey, makes banks as lucrative targets for cyber-criminals, who treated the pandemic as a once in a lifetime global gold rush. Threat actors exploited the unique operating environment to prey on a remote, distracted and vulnerable workforce. Additionally, the lack of organization-wide understanding of security controls, performance and risk in the new operating environment, added to the vulnerability.
Changes that Start Inside an Organization’s Structure
To restore a secure operating environment, CISOs and IT security teams first need to relook at the threat points – transmission security, network security and encryption security. Apart from vulnerabilities at their end from remote working and the introduction of end point susceptibilities, banks also need to worry about how cyber-secure their customers and vendor partners are. Banks have to look at how to train, reskill, educate, create awareness and deploy additional security measures in their own environments as well as customers’ environments. These measures include:
- Training staff on the implications of security threats and creating awareness across the user base on dos and don’ts
- Reskilling staff with post-pandemic relevant skills
- Retaining core operations and outsourcing non-core activities, for example, deciding between managing a data center or moving all data to the cloud
CISOs will also need to use this time to go back to the drawing board and re-address how they use the three pillars of security: what you are (biometrics), what you know (passwords) and what you have (SecureID, RSA tokens, OTPs). Two-factor authentication is no longer sufficient in the new normal, given its susceptibility to be broken into by threat actors. While banks need to re-think all three mentioned methods, any changes need to be made without taking away from a frictionless banking experience.
Other options that they can plug into include voice-based authentication, number grids on debit/credit cards or digital cards that change PIN for every transaction, without inconveniencing the customer. With a wide customer base ranging from tech-savvy digital natives to baby boomers who are habituated only to branch banking, awareness creation and customer education should be the underlying foundation for any security enhancing measures. Vendor partners will also need to be educated and audited for compliance with heightened security requirements, as well as multi-factor authentication. While these methods use existing and already tried technologies, new technologies that appear on the horizon promise to take banking cybersecurity to the next orbit.
New and Emerging Technologies
Artificial Intelligence (AI) has been touted as a silver bullet for solving many of humankind’s problems – from climate risk to cancer cures to education outreach and even cybersecurity. In fact, AI-based technologies like machine learning (ML) and deep learning (DL) hold tremendous potential in preventing cyber-fraud. They provide analysis – transaction, behavior, background and historical analysis – along with future projections and extrapolations in a matter of milliseconds. This ensures that any transactions that do not fit the usual patterns of a given customer are scrutinized further, with the objective of fraud prevention. They can be deployed on critical transactions like value-based assessment or volume-based assessment, securing the robustness of banking security.
Blockchain/distributed ledger technologies also show immense potential across the whole financial services domain. Blockchain is a cryptographic distributed ledger containing a log of transactions stored on computers in a network. Each computer holds a copy of the ledger, so there can be no single point of failure that hackers can compromise. The system relies on a validation protocol, called a proof of work, which guarantees individual transactions based on existing records on the ledger. In this way, it is impossible to sell the same thing twice. Blockchains are distributed and immutable (the record cannot be changed once it is written), which protects data and creates resistance to cyber-attacks. In addition, each transaction contains metadata, including a time stamp, creating certainty of execution.
Regulations: Pulling the Brakes
Regulators are increasingly taking notice of the risk that cyber-criminals pose, renewing the focus on technology risk management and broadening the types of incidents that banks must report. They recognize the risks introduced through the rapid adoption of digital technologies during the pandemic and will expect banks to articulate how they are managing and mitigating these risks. Even before the pandemic, banks were losing nearly $17bn annually from identity fraud alone, according to Javelin Strategy & Research. In December 2020, US regulators including the Federal Reserve proposed new rules requiring banks to notify their primary regulator of data breaches and interruptions in service, no later than 36 hours after identification.
Regulators are nudging banks and other financial institutions to embrace the latest technologies in preventing cybercrime. The SolarWinds hack of several US government departments, including the agency in charge of the country’s nuclear weapons stockpile, showed up the vulnerability of even the most supposedly secure data assets. Such incidents should compel banks to intensify their consideration of risks in their digital and technology landscape. While undertaking this journey, they will do well to understand that cybersecurity has no final destination in this ever-evolving space.