The knowledge platform for the financial technology industry

A-Team Insight Blogs

RegTech Insight – Cybersecurity


Pandemic restrictions are finally easing in many parts of the world. But financial institutions across the board continue to feel the effects of remote and home working on their vulnerability to cyberattack, with incidents ranging from data breaches and stolen data, to disruption to key activities like trading, settlement and payments.

That’s bad news, since capital markets firms experienced a 40-fold increase in cyberattacks from February 2020 to April 2021, according to Wipro’s State of Cyber Security 2020 report. Wipro estimates that the average cost of each data breach is almost $6 million. It also reckons that more than 40% of black market data sold is stolen from the banking, financial services and insurance sector.

The increase in cybercrime against the finance sector coincided with the shift to remote work and subsequent reliance on dynamic collaboration and chat applications, says Marc Gilman, general counsel and VP of compliance at collaboration security and compliance solutions vendor Theta Lake. These collaboration tools present unique cybersecurity risks given the use of features for sharing, showing and sending information, he says.

“Since collaboration and chat platforms are increasingly used to facilitate external interactions – from prospecting and client conversations to support and trade execution – they expose firms and employees to increased risk of attack,” Gilman says.

Firms may face fines or litigation if an employee intentionally or inadvertently displays an account number, material non-public information about earnings, or the details of a pending transaction during a collaboration session.

Cyberattacks that disrupt key activities such as trading, trade settlement or cash payment are the greatest concern. Ransomware attacks are top of the list, followed by risk associated with large fraud (which would include cash payment sent to unauthorised counterparties), says Julien Bonnay, cybersecurity partner at business and technology management consultancy Capco.

“Sharing company knowledge outside of work significantly increases the risk of attack and phishing is also on the rise,” he says. “In addition, the geopolitical environment has created a lot of scrutiny for capital market institutions.”

According to Theo Zafirakos, chief information security officer at global security awareness training provider Terranova Security, the most important consideration for any capital markets firm is to reduce the human risk factor through effective security awareness training that changes end user behaviour.

“Remote working has made it even more difficult to protect confidential data from a technological standpoint,” he says. “Various factors come into play here from the use of personal devices for work related tasks to VPN-less internet connections when employees are working outside a centralised, often more cyber secure office environment.”

Capital markets firms pondering whether to use third-party regtech solutions to combat cybercrime need to consider that changing over to new, untried systems takes a long time and demands a huge investment in training, roll-out and client understanding.

That is the view of Sabine Zimmerhansl, chief operating officer at enterprise communications surveillance compliance service txtsmarter, who observes that third-party fintech development is fast and agile and can add an additional layer of security and ease of use.

“On the other hand, trying to integrate new technology into older systems can provide a challenge in itself, as the advantages that using newer technology can offer have to be ‘brought down’ to a level where the solution is able to interact with older systems,” she adds.

The obvious benefit of using a third-party regtech solution is that it makes it much easier to perform tasks such as aggregating risk data, creating risk metrics, and using predictive analytics to monitor changes.

But Zafirakos cautions that applying the technology is not always a straightforward process. “Like any digital transformation, major shifts in how an industry approaches fundamentals such as compliance and risk management take time although regtech solutions are taking steps in the right direction,” he says. “In addition, the proper application of these technologies still relies on the human element.”

Regtech platforms use API-based integrations with communications tools to capture every aspect of conversations. Machine learning techniques allow for the understanding of content in context and promote more effective risk detection, resulting in efficient review processes.

“The primary challenge facing capital markets firms is the rapidly evolving cybersecurity threats in the new normal of hybrid work,” suggests Gilman. “Choosing a regtech with tight partnerships and integrations with the key communications platforms as well as staff who have delivered cybersecurity solutions for large, complex organizations is key. They must be able to stay on top of emerging features and functionalities to deliver consistent and comprehensive security products.”

The significance of improving cybersecurity in capital markets was underlined in February when the US Securities and Exchange Commission proposed new rules related to cybersecurity risk management that would require advisers and funds to implement written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors.

The proposed rules would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC.

The new rules mandate development and implementation of stronger cyber technical controls as well as disclosure requirements that provide greater transparency to investors about the occurrence of – and responses to – material cyber incidents.

“They also promote senior level engagement on the development and evolution of firms’ cybersecurity strategies,” says Gilman. “Requiring registered investment advisers and registered investment companies to implement technical controls to protect information, including data shared over communications platforms, will ensure that emerging cyber threats related to their use are addressed.”

Zimmerhansl refers to the proposals as a welcome development, noting that in the case of communication channels the shift to newer alternative media has been extremely fast and regulators all over the world have yet to catch up with it.

“Regulators can now actively enforce rules and regulations that existed for years on paper but where the technology to do so was not there,” she adds. “We have seen quite an increase in the European market after the FCA announced that it would require 18 month records of WhatsApp messages.”

Zafirakos hopes the mandatory incident reporting and disclosure rules proposed by the SEC will lead to more consistent, transparent reporting of breaches and other incidents, which will ensure more organisations make the appropriate investment in their cybersecurity infrastructure, including employee training.

“With cyberattacks so top-of-mind in the larger public discourse – especially in North America – the new rules are necessary steps and, down the road, it is likely other regulators will follow suit,” he says.

Bonnay agrees that the SEC is moving in the right direction (although he also warns that the proposed rules are still fairly broad) and concludes that information sharing through alerts to regulators is key to combatting cybercrime.
