Author: Luis Maldonado, Professor IE University and Senior Advisor at everis
Technological innovation is an essential aspect of today’s business reality, where financial institutions are investing in new technologies and IT security so as not to fall behind in the current digital revolution. In this environment, cybersecurity breaches can be devastating to a company’s reputation and financial situation. While exact figures on the effects of cybersecurity breaches can be difficult to pin down, because companies often try to cover incidents in an effort to protect their reputations, cyberattacks are being carried out more and more frequently and are becoming increasingly serious in nature.
According to the IE Law School and everis joint 2018 report “Technology in banking: the opportunity to comply and compete,” the European Commission has found that 4,000 ransomware attacks occur every day—a 300% increase from 2015. The financial burden of cybercrime is on the upswing, costing the world 900 billion euros per year—256 billion of which are in the EU alone.
Combating vulnerability to cyber risks
Financial institutions are particularly exposed and vulnerable to cyber risks because they are in constant contact with a large number of clients and use various means of communication to collect sensitive information. Although the goal of an increased use of personal information is to increase security in financial services and payment systems, it also makes financial institutions larger targets for cybercriminals.
As these threats have grown, they have gained prominence in international debates. At the July 2017 G20 summit, the Financial Stability Board (FSB) warned of the risk that cyber attacks pose to international financial stability and cooperation and highlighted the need to improve risk evaluation, response and recovery to address cybersecurity threats.
When it comes to monitoring and controlling risks, responses vary across borders and institutions. In an effort to standardize procedures, the EU’s Single Supervisory Mechanism (SSM) has reviewed the risks posed by cybersecurity attacks and has considered implementing a framework for reporting incidents in an effort to standardize identification of risk and subsequently, the appropriate actions to be taken by financial institutions. In collaboration with the European Banking Authority (EBA), guidelines have been implemented helping financial institutions self-evaluate, in an effort to mitigate cyber risk.
In 2016, the Directive on the Security of Networks and Information Systems was approved in Europe, requiring all member states to implement a strategy on the national level to secure information. Strategic cooperation, exchange of information, and the creation of a network for responding to security threats form the basis of the directive. It outlines security requirements for two important entities:
- Operators of essential services such as health, water and banking for which security breaches could have serious social and economic consequences.
- Digital service providers, streamlining the way security and incidents are managed when it comes to search engines, cloud services, etc.
In an effort to support member states and fortify the EU’s response to cyberattacks, the European Commission has also proposed the creation of the European Cybersecurity Agency in order to establish a quick response plan for large-scale cyberattacks, an emergency response fund, and to consider non-cash payment methods to minimize the potential for fraud.
Regulation to beef up banks’ security
New regulations have been created as part of a comprehensive package of measures to improve and strengthen cybersecurity of the financial sector. In order to comply with this regulation, financial institutions must:
- Understand cybersecurity as an important aspect of the business and integrate management into compliance and security systems.
- Define a framework for identifying risks, detecting irregularities, and for recovery in the event of an attack.
- Consider past experiences and expert opinions.
- Establish first- and second-line defense structures in risk management.
- Ensure that all personnel, from directors to lower-level management, understand risk exposure and how to manage it.
- Have the technological infrastructure needed to support security processes.
Technological cures for technological breaches
Cybercrime is constantly evolving; the effective use of technology must evolve along with it in order to successfully protect institutions and individuals. Adapting to new risks requires increasingly innovative technology to combat increasingly vicious and infectious crime.
As cybercriminals get more creative, it can be hard to keep up. In recent years, both phishing and pharming scams, which trick users into providing confidential information, have increased, alongside Distributed Denial of Service (DDoS) which compromise critical infrastructure. Difficult to detect malwareless attacks, which control systems using device administrator tools, as opposed to attacking through external programs, also pose a significant threat. But technology can be a powerful tool to take on these new variations of cyber attacks, and institutions are increasingly implementing the latest tech to more effectively mitigate risk:
- Blockchain technology offers a security environment for an exchange of sensitive information through the usage of encryption tools such as public or private keys.
- Machine learning systems are used to monitor behavior and detect inconsistencies in use, helping to effectively identify and report suspected malwareless attacks.
- Cloud services provide significant infrastructure cost savings and greater agility and flexibility.
In the fast-paced process of digital transformation, standardized regulation and innovative technology are being used to maintain control over sensitive information and mitigate the risk and effects of cyber attacks.
Access the article in Spanish here
Luis Maldonado has developed his career finance, both in the public and private sector. He was advisor to the Minister of Economy in Spain, Director of Strategic Consulting at PwC and CSO for a retail bank. He has also worked for five years at the International Monetary Fund, where he held different positions, as an advisor to the Managing Director and in the Monetary and Financial Markets Department. More recently, he was Managing Director of the PwC-IE Business School Financial Sector Center. Currently, he is professor at IE Business School, Senior Advisor at Everis and Senior Digital Financial Sector Specialist at the IFC (World Bank Group). Luis Maldonado holds a Ph.D. in Economics from Alcalá University, he is State Economist for the Government of Spain, and he holds Degrees in Law and in Business Administration from ICADE University.
Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.