Banking and Finance is arguably the most innovative, most heavily regulated and most targeted sector for cyber criminals within any given economy. This combination creates an interesting ecosystem from a technology perspective, as it drives innovation with caution. Here are some key technology innovations in the Banking and Finance sector and their implications for cybersecurity.
More Artificial Intelligence (AI), Machine Learning and Analytics – there is a huge push in Banking and Finance to adopt these technologies to improve customer service, analyse customer behaviour and align products to it, as well as digitise business processes for cost optimisation. As AI and ML can be applied in so many ways, we expect to see increasing investment in these technologies. From a cybersecurity perspective, there are a few considerations that come to mind. The first is the configuration and security of these systems – AI/ML systems not only churn through a lot of data to learn behaviours and patterns, they also produce a lot of data based on their analysis for decision making. The integrity of both types of data is critical to producing true, accurate and unbiased results. The second is the ethical use of AI. Like any technology, AI can be used or misused, for example by analysing and predicting customer data to such a degree that it encroaches on customers' privacy. While this is not strictly a cybersecurity issue, privacy and security are intrinsically entwined. Third, AI can be used to enhance cybersecurity itself. We expect AI to be used more heavily in the prediction and stopping of cyber-attacks in future. Unfortunately, with the good comes the bad and we expect adversaries to simultaneously use AI to change and morph attacks on the fly in order to evade control measures.
Ongoing Digital Transformation Initiatives – this is at the heart of innovation in Banking and Finance institutions, as digital transformation investments have been used to improve customer service, get closer to customer needs, differentiate their service and so on. COVID-19 has accelerated this and we expect it to continue. From a cybersecurity perspective, it is critical to ensure that cybersecurity measures are built into any digital transformation initiative from the start, rather than retrofitted afterwards (or not at all!). Products have to be secure by design and security must not be sacrificed to achieve speed to market. Allowing a new application to be hacked is not worth the risk to customers, the financial penalties and the reputational damage.
Open Banking ramps up – open banking is here to stay and will continue to impact Banking and Finance institutes’ business models as they embrace and respond to this open ecosystem. For example, in Australia, Consumer Data Right legislation has been drafted to govern data ownership and the secure sharing of data. From a cybersecurity perspective, this requires the secure sharing of data, management of consent, creation and security of APIs and security of connected systems.
Increased use of Blockchain Technology – we expect banks to increasingly exploit blockchain technology to interact with their clients, to process and manage transactions, and for use in regulation technology (“reg tech”). While blockchain technology is secure by design, this security is only as good as its configuration, so Banking and Finance institutions need to be careful in their implementation to ensure the blockchain deployment is configured in line with the value of the data it holds and its associated threat profile.
Working from Home is entrenched – while this has been driven by necessity in 2020, and is as much about culture as it is about the technology that enables it, it is here to stay even after the effects of COVID have waned. This impacts bank employees and their customers and means an acceleration of remote and online banking. Staff need to be able to securely access customer data from their homes. The company network has effectively expanded to include the devices and home networks of employees, and these need to be secured. The concept of Zero Trust is necessary to protect customer data being accessed from home.
Increased use of 5G – this will allow greater access to data for both customers and employees from anywhere using any device. Fundamentally, this will drive Banking and Finance institutes to adopt an even greater online presence. The flow-on effect of this on cybersecurity is the need to secure customer data on any device being accessed from any location. Strong authentication, encryption and Zero Trust security will become key to achieving the level of data security needed. We can no longer trust the user or the device accessing the data and must assume that every channel may bring a threat. The data itself needs to be containerised and secured. Distributed denial of service (DDoS) attacks will also become an even bigger threat due to increased bandwidth availability.
Greater use of the cloud – while cloud is not a new technology, its increasing adoption, partly accelerated by the pandemic, will change the way we work and how organisations consume computing resources. Cloud-based applications allow employees easier access to data from anywhere, and 5G will reduce latency issues. As a result, on-premise data centres will largely disappear as organisations move to the cloud for compute power and storage. From a cybersecurity perspective, some organisations were so focussed on rapidly moving to the cloud in response to the pandemic that they did not embed adequate cybersecurity measures and now need to retrofit, a problem exacerbated by misconfigurations. In addition, for infrastructure as a service (IaaS) you can’t just rely on the cloud provider for security – the buyer is responsible for ensuring security from the operating system up.
Regulatory landscape and requirements – Banking and Finance is the most regulated sector in most countries. This will drive greater use and innovation in the reg tech space to help ease the compliance burden. Regulations will continually drive changes to the way Banking and Finance institutes conduct business. An example is the current enforcement of cyber resilience by APRA on financial institutes in Australia, which will impact the business models many Banking and Finance institutes adopt. Regulations will have a large impact on the cybersecurity measures adopted by Banking and Finance institutes. Regulations will dictate the minimum standards that organisations must adopt and will force investment in areas that are currently lacking.
Banking and Finance institutions must continue to innovate and invest in technology to differentiate, to meet regulatory requirements, to create new products and to make them relevant to customer needs based on analysis of their buying behaviours. But trust and risk management will remain key pillars within any Banking and Finance institute, so continuing investment in cybersecurity initiatives is essential to satisfy both these business requirements.
Ashwin has had over 22 years' experience in the IT security industry in Asia Pacific. His qualifications include a Bachelor of Commerce and Administration degree from Victoria University, Wellington, New Zealand majoring in information systems and management.