The financial services industry has seen technological innovation accelerate at an unprecedented rate in recent years. Cloud computing, distributed ledger technology (DLT), artificial intelligence (AI) and robotics have demonstrated their potential to fundamentally transform global markets, but with greater efficiency comes the possibility of heightened risk.
As a result, an industry-wide focus on cyber-security has run parallel with the wave of innovation. This trend is hardly surprising; the more technology in use, the greater opportunity for cyber-criminals to breach it. This leaves the industry with a critical question: how can firms foster technological innovation while upholding a rigorous cyber-defence strategy?
The sharpened focus on cyber-resiliency is evident across the industry. Cyber-security is consistently ranked as the number one risk facing the global financial system in DTCC's Systemic Risk Barometer, and industry players are actively collaborating to develop cyber security standards and best practices to improve firms' defences while fostering innovation. An example of this is the establishment of a new World Economic Forum consortium led by DTCC, Citigroup and Zurich Intelligence that will look closely at bolstering cyber-security across fintechs. With global cyber-security spending predicted to reach US$200 billion £144 billion per year between 2017 and 2021, investing in cyber-defences has become a widespread priority.
Some technologies naturally lend themselves to stringent cyber-defences. The public cloud enables firms to encrypt and distribute applications and data across millions of servers and various centres, preventing malicious actors from identifying the resources used by a specific enterprise. Moreover, best practices, standards, data encryption and application programming interface (API) logging are validated at every level.
However, problems can arise when companies run head first into innovation without considering potential risks. For example, when organisations embark on a large-scale technology project, such as cloud adoption, they may find themselves in a transition period which can leave security gaps exposed and allow attackers to more easily infiltrate their network and infrastructure. These vulnerabilities are compounded as older IT systems tend to suffer from lower levels of security.
So how can firms avoid putting themselves at risk as they adopt new technology? There are a number of effective defence strategies that are being deployed to mitigate this growing risk. National and international collaboration across jurisdictions, information sharing and regulatory and industry engagement are key to addressing cyber-threats and preparing for recovery in the event of an attack. There is acknowledgement among firms that the likelihood of a cyber-breach is high due to the determination of a growing community of well-resourced actors and the sophisticated nature of attacks. As a result, many firms are placing increased focus on response, while continuing efforts around prevention. Now is the time to go “back to basics” and ensure cyber-security defences are built in at an architectural level.
Take DLT as an example. DLT has two primary areas of focus. The first is the protocol itself in terms of a hacker's ability to enter and alter its framework and the second is at the end points. DLT's immutability means that if a hacker writes a bug into the ledger it could be significantly difficult to rectify. Therefore, firms must account for such actions by unwinding the system. Ensuring that the defences are built in from the moment the technology is launched allows firms to build stronger resiliencies and reduce the risk of contagion.
The consequences of failing to do so are high. As an example, vulnerabilities were recently discovered in the chip security architecture of several large IT providers which made millions of systems susceptible to external access from unknown actors, putting sensitive personal data at risk. The scope of exposure caused widespread panic both within and outside of the financial services industry, reinforcing the belief that when it comes to security, complacency is not an option.
The technological innovation revolution is taking place amid a growing number of new threats and constantly evolving defence strategies, so firms must be vigilant and adapt to keep their infrastructure and critical data secure. Firms should start by ensuring that their defences are embedded at an architectural level. Security should not be viewed as a hindrance to growth. In fact, the right defence strategy can propel innovation. With so much at stake, the risks are simply too large for cyber-security measures to be left as an afterthought.
Contributed by Stephen Scharf, chief security officer, The Depository Trust & Clearing Corporation (DTCC).
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.