User experience remains the main differentiator for successful financial services organisations, and digital transformation is the only scalable way to deliver it.
By Ricardo Ferreira and Michael Brown of Fortinet
The digitisation of products, services, and operations is happening now, and quickly. Organisations are orchestrating applications, networks, and devices to securely provide seamless access to digital services. A financial services organisation (FSO) needs to protect its assets, minimise risk, and enable growth to meet today’s security challenges.
Cybersecurity solutions must be broad, integrated, and automated across an organisation’s entire IT infrastructure.
The importance of cybersecurity in financial services
In addition to managing their customers’ money, financial institutions retain customers’ personally identifiable information (PII), which makes them an attractive target for cybercriminals.
As the volume of data held by financial institutions grows, regulatory bodies continue to introduce new laws to protect consumer data. Financial institutions therefore face increasing legislative pressure to protect their customers’ data, and failure to comply with those regulations can result in severe government penalties.
Additionally, an organisation that fails to maintain the controls required by the Payment Card Industry Data Security Standard (PCI DSS) can lose the ability to process card payments altogether.
As financial organisations expand their digital initiatives, the potential attack surface expands as well. Each work-from-anywhere (WFA) login, mobile app, or service integration is a potential entry point for an attacker. The risk is not only technical: in the United States, multiple banks were hit with fines totalling $1.8 billion last year because employees were conducting company business over personal messaging apps that the firms could not monitor or retain.
To adapt to the current landscape, financial institutions need advanced threat protection from the data centre to the endpoint to the edge with comprehensive cybersecurity solutions that include secure networking for branch locations, WFA capabilities, and next-generation firewalls (NGFWs).
The cybersecurity impact of digital transformation on financial services
As financial service organisations (FSOs) move forward on their digital transformation journey, they need to address cybersecurity concerns in these four stages:
* Process transformation – This stage typically consists of revising software or internal processes to be more efficient, such as removing redundant processes or code. Chief Information Security Officers (CISOs) must be involved in these changes, because a step that looks redundant to the business (a second approval, a reconciliation, a manual review) may in fact be a control, and removing it can inadvertently create a security gap.
* Domain transformation – This stage occurs when an organisation moves into new areas of business. For example, a credit union might begin offering car loans to their customers for the first time. Although offering the new service can be exciting for the business, it also has the potential to create new infrastructure vulnerabilities. Any new systems that are created should be consistent and integrated with existing cybersecurity measures.
* Business model transformation – An example of business model transformation is offering an existing product digitally, such as providing enhanced mobile banking services and paperless statements. Another example is the shift some FSOs are making from their core banking platform to service domain semantic APIs. As with process transformation, any new system should be viewed as having potential vulnerabilities.
* Organisational and cultural transformation – This final stage represents a shift in day-to-day business operations. Digital transformation of internal processes may improve employee efficiency, but it also can open the door to human error. Any cultural transformation should be matched with cybersecurity resources and training at every level of the organisation.
Consequences of inadequate cybersecurity in financial services
In extreme cases, a cyberattack may cause irreparable damage or even cause the FSO to lose its ability to process transactions. Some specific consequences of inadequate cybersecurity measures include:
* Operational outages – Some attacks, such as a distributed denial-of-service (DDoS) attack, aim to disrupt operations directly. In others, the disruption comes from the response: security teams must isolate the source of the attack and assess the extent of the damage, which often means taking systems offline. In either case, the business is interrupted and loses productivity both internally and externally: employees can’t work and customers can’t access their money.
* Loss of critical and protected data – Perhaps the biggest security concern when it comes to FSOs is when cybercriminals gain access to proprietary information (such as investment portfolios) or the customer’s PII (such as Social Security numbers, emails, home addresses, and passwords).
* Reputation damage – An FSO security breach can be catastrophic for the organisation’s reputation. Once an FSO has demonstrated that it cannot protect its customers’ PII, it is extremely difficult to recover. The Equifax breach, for example, is still a talking point years after the initial incident.
* Regulatory penalties – A single incident can draw fines from multiple regulators. We have seen this in the past with companies receiving fines from both the Securities and Exchange Commission and the New York State Department of Financial Services for things like deficient disclosure controls and procedures related to cybersecurity.
There is also a risk of one of your business lines, or potentially the entire firm, being shut down for non-compliance if the penalty includes revoking any licences or charters that the company needs to operate.