The financial services sector must balance modernisation with security and compliance
By Prakash Pattni, Managing Director for Financial Services Digital Transformation, IBM
The ability of viruses to evolve almost in step with our defences is something the world has become very familiar with. While nations have worked to vaccinate their populations at speed, organisations have faced a parallel challenge against the cyber equivalents of COVID-19. The widespread adoption of hybrid working, often supported by cloud-based systems and the creation of increasingly complex digital supply chains, has created new opportunities for adversaries to launch cyber-attacks and compromise valuable data.
The financial services industry, with its vast treasure trove of sensitive data, is high on the hit list. The scale of the security challenge for financial businesses was exposed by IBM’s recently published 2022 X-Force Threat Intelligence Index. The sector witnessed 19% of all UK cyberattacks in 2021; the global figure was 22.4%. To put that in perspective, last year the sector was the second most attacked industry worldwide. Of all those attacks, 70% were on banks, 16% were on insurance companies and 14% were on other types of financial institutions.
As financial services companies modernise, there is a clear need for an approach to security that supports the shift towards digital business models while reassuring customers and regulators.
Complexity is the enemy of security
The sobering statistics on cyber-attacks in financial services come at a time when the industry is undergoing major disruption. Financial institutions are transforming to better serve their increasingly digitally savvy customers and find new sources of revenue, as fintechs exploit new channels and business models. But as major security incidents across the private and public sectors have shown, the adoption of technologies that support digitisation, such as cloud platforms, can create a wider attack surface for cyber criminals to exploit.
The fragmentary approach many businesses have taken as they scrambled to take advantage of cloud platforms has led to systems created from disconnected parts that are riddled with complexity – the enemy of security. Massive cyber-attacks in recent years have been successful because they took advantage of the digital supply chain – a vast, intermixed supply chain of business and technology partners.
Zero trust
The inherent trust that exists within these complex environments – across many user and application relationships within the network – has created more pathways for adversaries to access sensitive and critical data. This is why we’re beginning to see a global shift to zero trust security architectures. Zero trust is a methodology that abandons the idea you can trust anyone or anything as far as security is concerned. Every user and application needs to be re-evaluated and re-authenticated and then given the lowest set of system privileges required for them to operate. This approach adds an additional layer of security defence to other technological solutions and is essential where remote working is commonplace, as it is in many financial services businesses.
Going hybrid to stay secure
As the industry faces increasing threats, regulators are increasingly requiring financial institutions to use multiple clouds to mitigate systemic risk. This is partly what has been driving the trend for a hybrid, multi-cloud model, which gives companies the choice to host workloads and data where they need to be – across multiple public clouds, private cloud or on-premises – and allows data to be moved to wherever it is needed. Research from the IBM Institute for Business Value and Oxford Economics found that only 3% of businesses globally are using a single cloud – down from 29% in 2019.[1]
Where a business’s data resides matters. That’s why we’re seeing established financial institutions continue investing in their on-premises mainframe systems, which remain vital for the industry, as well as public clouds. In fact, today, mainframe technology is evolving alongside public cloud solutions to stay several steps ahead of cyber criminals. For example, modern mainframes can now use artificial intelligence (AI) capabilities that enable clients to detect and prevent fraud during transactions such as credit card payments, in real-time. The latest mainframes are also now capable of protecting sensitive data from the future threat of maliciously deployed quantum computing technology, which will be capable of breaking through all current forms of encryption.
Keeping data safe in the cloud
Whether it’s payments, investments or savings, the data financial institutions hold makes them a top target. As a result, the industry has adopted some of the most advanced security measures and strategies available. For example, to keep customers and proprietary data secure and private, enterprise-grade security innovations, such as ‘keep your own key’ encryption and confidential computing, are essential for financial institutions.
Confidential computing processes data in a shielded enclave, ensuring users have the security they need when conducting online interactions and transactions. It means company A can use a public cloud platform, which is also used by company B, and neither company B nor the cloud provider itself can view the data. This is true whether the data is in use, at rest, or being moved.
Protecting data and managing encryption across multiple platforms can be complex and all it takes is one weak link to put a company’s entire security strategy at risk. To overcome this, companies should adopt solutions that provide a single point of control to manage encryption keys securely and simply across platforms – including on other clouds and on-prem. This holistic view can also help companies demonstrate their compliance faster, freeing up time and resources to drive innovation.
De-risking the supply chain with an industry cloud
The need to level up security for the cloud era is also fuelling interest among financial institutions in adopting industry-specific cloud platforms. Research from IBM in the UK found that for 43% of financial services respondents, data security was the biggest barrier to digital transformation while 90% said their company had already adopted or planned to adopt an industry cloud.
There’s good reason for this trend. A cloud designed for the needs of the financial services industry not only supports the most advanced enterprise security technologies, but it also helps to de-risk the ecosystem of financial institutions, including the third and fourth parties in their supply chain. An industry cloud platform can have the necessary security controls built into its code, so that all financial institutions, partners and fintechs meet the required standard. The same is true for the stringent regulatory compliance standards banks must meet. With compliance controls built into the industry cloud platform, banks can automate compliance across their entire digital estates, and ensure the partners they transact with have demonstrated compliance with the platform’s requirements.
Highly regulated industries, particularly financial services, are feeling pressure to transform at an ever-increasing rate and pace. However, in doing so, they must not lose focus on security, resiliency and compliance as they digitise.
[1] Source: https://www.ibm.com/thought-leadership/institute-business-value/report/cloud-transformation