The need for industry standards in the fight against cyber-crime

The CBEST testing framework created by the Bank of England is a positive step but it could be stronger, says Clayton Locke.

Clayton Locke, CTO, Intelligent Environments
Clayton Locke, CTO, Intelligent Environments

In order to address the threat facing the financial services industry, the Bank of England (BofE) recently created the CBEST testing framework. This framework uses intelligence gathered from commercial and government sources, and can be tailored to the business model and operations of individual firms:

“CBEST provides an holistic assessment of a financial services or infrastructure provider's cyber capabilities by testing people, processes and technology in a single test which will be less time constrained than traditional penetration testing.”

This is clearly a strong step forward. Yet even though CBEST has robust certification requirements for testing companies, it does not provide a certification standard for the financial services institution itself. Although the BofE sees the tests as critical to maintaining the integrity of the financial system, performing an assessment is entirely voluntary.

Making these assessments voluntary highlights an inherent weakness in the financial services industry outside of payment cards. It would be stronger to make the assessments compulsory, as is the case for PCI DSS.

It is time for us to develop a similar standard across our industry – a Financial Services Industry Data Security Standard. This standard could build on the foundations set by PCI DSS to cover the full scope of financial services cyber-security. By cooperating around such a standard, the industry will be able to deliver a stronger collective response to the cyber-crime threat than any single company could do alone.

Accountability to consumers

Although organisations are accountable to the Information Commissioner's Office (ICO) for data breaches, and although the ICO can (and does) levy substantial fines to organisations that are negligent, there is little accountability to consumers.

Rather than be proactive in taking accountability for security breach and data loss, the typical approach is to downplay the losses and focus on controlling damage to reputation.

The UK's Data Protection act, the act that safeguards consumers' data, does not require organisations to make any form of formal disclosure in the event of a data breach – although the Information Commissioner believes ‘serious breaches' should be brought to the attention of his Office:

“Where there is significant actual or potential detriment as a result of the breach, whether because of the volume of data, its sensitivity or a combination of the two, there should be a presumption to report.”

An imminent amendment to the EU General Data Protection Regulation aims to unify data protection within the EU with a single law. It will require any company with European dealings that suffers a data breach to inform both the regulator and affected individuals, “without undue delay.” We should welcome this much needed update, and take it further.

If the industry waits for the regulator to set the standard, and then performs no higher than to this low bar, consumer confidence in the integrity of digital financial transactions will continue to decrease. 

According to the recent 2014 Consumer Security Risks Survey by Kaspersky Lab, 62 percent of consumers fear financial fraud on the internet and 42 percent said that they would use online payment systems more often if they were protected from cyber fraud. This fear of fraud represents a major opportunity cost to the financial services industry; 75 percent of those surveyed expect banks, online payment systems and online stores to protect their computers and mobile devices from financial fraud.

Financial Services is at the forefront of digital security and the fight against cyber-crime. Security is fundamental to the services provided to banking customers, and essential to the trust promise of the brand. It is a mission-critical factor in determining the growth prospects of the industry.

We need a set of cyber-security standards that are specific to Financial Services, perhaps leading to an FSI DSS certification. We should set our sights higher than mere regulatory compliance, and cooperate to put in place security measures that raise the bar across our industry.

Contributed by Clayton Locke, CTO, Intelligent Environments