As financial services institutions (FSIs) increase their acceptance and integration of digital technology, they can face increased risk of a domino effect taking place if digital services providers and vendors should fail.
This is according to experts at Fortinet, who warn that financial regulators in governments around the world are increasingly concerned about the risks facing FSIs as financial systems depend more and more on digital ecosystems.
Doros Hadjizenonos, regional director at Fortinet, says: “South Africa is no different to the rest of the world where FSIs are considered an extremely important part of the country’s economy and hence the need for specific regulations to govern banks and other financial organisations.”
The core issue is that with FSIs relying on digital service providers who often use other digital services from other vendors, there are concerns that the industry is reaching a point of no return, where there are no exit strategies in place. The fear is a catastrophic ‘domino effect’ if one provider fails, leading to other failures and, ultimately, extensive damage to financial systems.
To avoid the domino effect of one service provider failure leading to other failures and the crippling of a nation’s financial industry, regulators are compelling FSIs to create exit strategies. In the European Union, regulators are giving FSIs timeframes of roughly thirty days. Therefore, if there’s a serious incident, FSIs have only a month to replace a piece of technology or find a new cloud provider.
Hadjizenonos notes: “Cybersecurity has always been extremely important to FSIs and must be taken into consideration when developing these exit strategies.”
Fortinet recommends that FSI CISOs trying to align with changing regulations take the following steps:
- Identify Business Critical Processes and Vulnerabilities – FSIs need to identify their critical business processes and apply a risk rating to prioritise the most critical and vulnerable ones. CISOs should also identify their organisation’s vulnerabilities and risks.
- Build Cyber Skills Set as Part of Your Foundation – FSIs need to upskill their employees so that their organisations can help compensate for the lack of cybersecurity talent worldwide. All employees, regardless of position, need cybersecurity awareness training, with periodic refreshers around new threats and attack methods.
- Automate Everything with a Cybersecurity Mesh Platform – Amid a global lack of security talent, automation and augmentation are the only ways around the shortage. Empowering your employees with AI/ML technologies provides your teams with actionable alerts and a single pane of glass from which to manage, automate, and orchestrate your network and security across the entire organisation. If an FSI’s infrastructure isn’t automated and its data isn’t integrated, it won’t be able to comply with changing requirements and regulations.
- Share Knowledge – FSIs and CISOs need to think outside their walls and proactively find out what is happening to the brand out “in the wild.” Sharing information among organisations is key. If an IT security team is only looking at its own data, it will be ill-prepared for the cyber criminals that are attacking other FSIs, and, of course, vice versa. It is also important to consider employing a DRP (digital risk protection) service to enhance the view of the external digital attack surface. Places like the dark web can offer insight into cyber-attacks to come.
- Uplevel Your Risk Conversation Using Frameworks and Business-Level Language – Align with a well-known framework such as NIST so that risk conversations about a service can be held across the business in shared terms, and use it to build a foundation. OSCAL (Open Security Controls Assessment Language) is at the forefront of efforts to make control and assessment data machine readable, so that FSIs can get a better grip on their regulatory landscape and automate audits. When a CIO or CISO talks with business stakeholders, communicating in a common language and keeping the discussion to the company’s risk and protection, threat detection, response, and recovery makes the conversation across the business much easier. FSIs in both the US and EU use various control frameworks such as ISO 27001, COBIT, and NIST 800-53. Each is good in its own way but sits in a specific space and context. It is common to see FSIs use their own frameworks, which combine parts of many frameworks. NIST CSF is not a control framework but a set of objectives to support cybersecurity risk management. It provides a common language that allows multiple standards to be used together, translating between frameworks in a way that is flexible and repeatable. It allows organisations to see, from a risk perspective, what is needed in order to mitigate their risks.
- Know Your Regulation and Compliance Landscape – Preparing for new regulations is all about building the right foundation: one that carries the vision from the technology side but also has feedback loops between the people who will be affected by a policy, the stakeholders, and those who are actually going to build that policy. A lot of organisations, especially those in rapid digital acceleration, don’t have a holistic view and are not giving the foundations the proper weight. Knowing which specific regulations you need to address and comply with is key at the business level, but also at the IT and security level.