A-Team Insight Blogs

Pandemic restrictions are finally easing in many parts of the world. But financial institutions across the board continue to feel the effects of remote and home working on their vulnerability to cyberattack, with incidents ranging from data breaches and stolen data, to disruption to key activities like trading, settlement and payments.

That’s bad news, since capital markets firms experienced a 40-fold increase in cyberattacks from February 2020 to April 2021, according to Wipro’s State of Cyber Security 2020 report. Wipro estimates that the average cost of each data breach is almost $6 million. It also reckons that more than 40% of black market data sold is stolen from the banking, financial services and insurance sector.

The increase in cybercrime against the finance sector coincided with the shift to remote work and subsequent reliance on dynamic collaboration and chat applications, says Marc Gilman, general counsel and VP of compliance at collaboration security and compliance solutions vendor Theta Lake. These collaboration tools present unique cybersecurity risks given the use of features for sharing, showing and sending information, he says.

“Since collaboration and chat platforms are increasingly used to facilitate external interactions – from prospecting and client conversations to support and trade execution – they expose firms and employees to increased risk of attack,” Gilman says.

Firms may face fines or litigation if an employee intentionally or inadvertently displays an account number, material non-public information about earnings, or the details of a pending transaction during a collaboration session.

Cyberattacks that disrupt key activities such as trading, trade settlement or cash payment are the greatest concern. Ransomware attacks are top of the list, followed by risk associated with large fraud (which would include cash payment sent to unauthorised counterparties), says Julien Bonnay, cybersecurity partner at business and technology management consultancy Capco.

“Sharing company knowledge outside of work significantly increases the risk of attack and phishing is also on the rise,” he says. “In addition, the geopolitical environment has created a lot of scrutiny for capital market institutions.”

According to Theo Zafirakos, chief information security officer at global security awareness training provider Terranova Security, the most important consideration for any capital markets firm is to reduce the human risk factor through effective security awareness training that changes end user behaviour.

“Remote working has made it even more difficult to protect confidential data from a technological standpoint,” he says. “Various factors come into play here from the use of personal devices for work related tasks to VPN-less internet connections when employees are working outside a centralised, often more cyber secure office environment.”

Capital markets firms pondering whether to use third-party regtech solutions to combat cybercrime need to consider that changing over to new, untried systems takes a long time and demands a huge investment in training, roll-out and client understanding.

That is the view of Sabine Zimmerhansl, chief operating officer at enterprise communications surveillance compliance service txtsmarter, who observes that third-party fintech development is fast and agile and can add an additional layer of security and ease of use.

“On the other hand, trying to integrate new technology into older systems can provide a challenge in itself, as the advantages that using newer technology can offer have to be ‘brought down’ to a level where the solution is able to interact with older systems,” she adds.

The obvious benefit of using a third-party regtech solution is that it makes it much easier to perform tasks such as aggregating risk data, creating risk metrics, and using predictive analytics to monitor changes.

But Zafirakos cautions that applying the technology is not always a straightforward process. “Like any digital transformation, major shifts in how an industry approaches fundamentals such as compliance and risk management take time although regtech solutions are taking steps in the right direction,” he says. “In addition, the proper application of these technologies still relies on the human element.”

Regtech platforms use API-based integrations with communications tools to capture every aspect of conversations. Machine learning techniques allow for the understanding of content in context and promote more effective risk detection, resulting in efficient review processes.

“The primary challenge facing capital markets firms is the rapidly evolving cybersecurity threats in the new normal of hybrid work,” suggests Gilman. “Choosing a regtech with tight partnerships and integrations with the key communications platforms as well as staff who have delivered cybersecurity solutions for large, complex organizations is key. They must be able to stay on top of emerging features and functionalities to deliver consistent and comprehensive security products.”

The significance of improving cybersecurity in capital markets was underlined in February when the US Securities and Exchange Commission proposed new rules related to cybersecurity risk management that would require advisers and funds to implement written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors.

The proposed rules would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC.

The new rules mandate development and implementation of stronger cyber technical controls as well as disclosure requirements that provide greater transparency to investors about the occurrence of – and responses to – material cyber incidents.

“They also promote senior level engagement on the development and evolution of firms’ cybersecurity strategies,” says Gilman. “Requiring registered investment advisers and registered investment companies to implement technical controls to protect information, including data shared over communications platforms, will ensure that emerging cyber threats related to their use are addressed.”

Zimmerhansl refers to the proposals as a welcome development, noting that in the case of communication channels the shift to newer alternative media has been extremely fast and regulators all over the world have yet to catch up with it.

“Regulators can now actively enforce rules and regulations that existed for years on paper but where the technology to do so was not there,” she adds. “We have seen quite an increase in the European market after the FCA announced that it would require 18 month records of WhatsApp messages.”

Zafirakos hopes the mandatory incident reporting and disclosure rules proposed by the SEC will lead to more consistent, transparent reporting of breaches and other incidents, which will ensure more organisations make the appropriate investment in their cybersecurity infrastructure, including employee training.

“With cyberattacks so top-of-mind in the larger public discourse – especially in North America – the new rules are necessary steps and, down the road, it is likely other regulators will follow suit,” he says.

Bonnay agrees that the SEC is moving in the right direction (although he also warns that the proposed rules are still fairly broad) and concludes that information sharing through alerts to regulators is key to combatting cybercrime.
