Pandemic restrictions are finally easing in many parts of the world. But financial institutions across the board continue to feel the effects of remote and home working on their vulnerability to cyberattack, with incidents ranging from data breaches and stolen data, to disruption to key activities like trading, settlement and payments.
That’s bad news, since capital markets firms experienced a 40-fold increase in cyberattacks from February 2020 to April 2021, according to Wipro’s State of Cyber Security 2020 report. Wipro estimates that the average cost of each data breach is almost $6 million. It also reckons that more than 40% of black market data sold is stolen from the banking, financial services and insurance sector.
The increase in cybercrime against the finance sector coincided with the shift to remote work and subsequent reliance on dynamic collaboration and chat applications, says Marc Gilman, general counsel and VP of compliance at collaboration security and compliance solutions vendor Theta Lake. These collaboration tools present unique cybersecurity risks given the use of features for sharing, showing and sending information, he says.
“Since collaboration and chat platforms are increasingly used to facilitate external interactions – from prospecting and client conversations to support and trade execution – they expose firms and employees to increased risk of attack,” Gilman says.
Firms may face fines or litigation if an employee intentionally or inadvertently displays an account number, material non-public information about earnings, or the details of a pending transaction during a collaboration session.
Cyberattacks that disrupt key activities such as trading, trade settlement or cash payment are the greatest concern. Ransomware attacks are top of the list, followed by risk associated with large fraud (which would include cash payment sent to unauthorised counterparties), says Julien Bonnay, cybersecurity partner at business and technology management consultancy Capco.
“Sharing company knowledge outside of work significantly increases the risk of attack and phishing is also on the rise,” he says. “In addition, the geopolitical environment has created a lot of scrutiny for capital market institutions.”
According to Theo Zafirakos, chief information security officer at global security awareness training provider Terranova Security, the most important consideration for any capital markets firm is to reduce the human risk factor through effective security awareness training that changes end user behaviour.
“Remote working has made it even more difficult to protect confidential data from a technological standpoint,” he says. “Various factors come into play here, from the use of personal devices for work-related tasks to VPN-less internet connections when employees are working outside a centralised, often more cyber-secure office environment.”
Capital markets firms pondering whether to use third-party regtech solutions to combat cybercrime need to consider that changing over to new, untried systems takes a long time and demands a huge investment in training, roll-out and client understanding. That is the view of Sabine Zimmerhansl, chief operating officer at enterprise communications surveillance compliance service txtsmarter, who observes that third-party fintech development is fast and agile and can add an additional layer of security and ease of use.
“On the other hand, trying to integrate new technology into older systems can provide a challenge in itself, as the advantages that using newer technology can offer have to be ‘brought down’ to a level where the solution is able to interact with older systems,” she adds.
The obvious benefit of using a third-party regtech solution is that it makes it much easier to perform tasks such as aggregating risk data, creating risk metrics, and using predictive analytics to monitor changes.
But Zafirakos cautions that applying the technology is not always a straightforward process. “Like any digital transformation, major shifts in how an industry approaches fundamentals such as compliance and risk management take time, although regtech solutions are taking steps in the right direction,” he says. “In addition, the proper application of these technologies still relies on the human element.”
Regtech platforms use API-based integrations with communications tools to capture every aspect of conversations. Machine learning techniques allow for the understanding of content in context and promote more effective risk detection, resulting in efficient review processes.
“The primary challenge facing capital markets firms is the rapidly evolving cybersecurity threats in the new normal of hybrid work,” suggests Gilman. “Choosing a regtech with tight partnerships and integrations with the key communications platforms as well as staff who have delivered cybersecurity solutions for large, complex organizations is key. They must be able to stay on top of emerging features and functionalities to deliver consistent and comprehensive security products.”
The significance of improving cybersecurity in capital markets was underlined in February when the US Securities and Exchange Commission proposed new rules related to cybersecurity risk management that would require advisers and funds to implement written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors.
The proposed rules would also require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC.
The new rules mandate development and implementation of stronger cyber technical controls as well as disclosure requirements that provide greater transparency to investors about the occurrence of – and responses to – material cyber incidents.
“They also promote senior level engagement on the development and evolution of firms’ cybersecurity strategies,” says Gilman. “Requiring registered investment advisers and registered investment companies to implement technical controls to protect information, including data shared over communications platforms, will ensure that emerging cyber threats related to their use are addressed.”
Zimmerhansl refers to the proposals as a welcome development, noting that in the case of communication channels the shift to newer alternative media has been extremely fast and regulators all over the world have yet to catch up with it.
“Regulators can now actively enforce rules and regulations that existed for years on paper but where the technology to do so was not there,” she adds. “We have seen quite an increase in the European market after the FCA announced that it would require 18-month records of WhatsApp messages.”
Zafirakos hopes the mandatory incident reporting and disclosure rules proposed by the SEC will lead to more consistent, transparent reporting of breaches and other incidents, which will ensure more organisations make the appropriate investment in their cybersecurity infrastructure, including employee training.
“With cyberattacks so top-of-mind in the larger public discourse – especially in North America – the new rules are necessary steps and, down the road, it is likely other regulators will follow suit,” he says.
Bonnay agrees that the SEC is moving in the right direction (although he also warns that the proposed rules are still fairly broad) and concludes that information sharing through alerts to regulators is key to combatting cybercrime.