The digital revolution in the financial sector has created a serious threat to controlled data. Faced with hackers looking for the slightest loophole, financial services must maintain the highest degree of protection. This is a monumental task that concerns IT, staff and all partners and subcontractors.
The digitalisation of processes and services, a necessary step to ensure the future of the financial sector, has given rise to a new wave of criminals who no longer care about bulletproof windows and secret codes in safes. This does not mean, however, that cybercriminals are not in search of the same goal: looking for loopholes in security systems in order to make money. “Eighty percent of all attacks have financial gain as their ultimate goal, with the other 20% linked to operations carried out by activist movements or states for espionage activities or cyber-attacks,” observes Pascal Steichen, Managing Director of Securitymadein.lu, the cybersecurity agency for Luxembourg’s economy. This goal clearly puts the financial sector in the firing line; however, a ramping up of cybersecurity initiatives and programmes within companies to protect their activities has seen it become less targeted. “The financial services sector has invested significantly into this type of security in the last ten years, more so than many other sectors,” points out Steichen. As a result, many cybercriminals are now approaching it indirectly, targeting customers instead.
Pascal Steichen, Managing Director of Securitymadein.lu
The threat is nonetheless severe and has only increased in recent years. According to Check Point Research, the number of cyber-attacks on businesses grew by 50% between 2020 and 2021. Clearly the Covid pandemic and the resulting rise in telework have whetted the appetite of hackers, with connections multiplying and becoming less secure than before. During the pandemic, phishing attacks are estimated to have increased by 600%.
The most popular practice is ransomware: a hacker enters a computer system, encrypts the data to make it unusable and promises to make it readable again if a sum of money is paid. According to US cybersecurity specialist SonicWall, there were 495 million ransomware attacks worldwide in the first nine months of 2021, and damage from these could reach $20 billion by 2022, a fourfold increase in five years.
For financial professionals, the risks appear in multiple areas. In addition to the financial aspects, they will see their reputation tarnished and risk seeing customers demand compensation. “Financial firms cannot let their guard down,” continues Steichen. “Ensuring security is a continuous process because as soon as your system becomes weaker, it’s again a prime target.”
At the European level, regulators are well aware of the danger. Specific to the challenges of the financial sector, the Dora (Digital Operational Resilience Act) regulation, proposed by the European Commission in September 2020, should be adopted by the end of this year. “This will be applicable to all Member States without any transposition procedure and therefore without interpretation,” notes Cécile Gellenoncourt, Head of Supervision of Information Systems and Support PFS at the Commission de Surveillance du Secteur Financier (CSSF). This is a stark difference from the 2016 NIS Directive (Network and Information Security Directive), which was intended to increase the level of cybersecurity in the EU but remained too general and has sometimes been interpreted very differently by member states.
Cécile Gellenoncourt, Head of Supervision of Information Systems and Support PFS at the Commission de Surveillance du Secteur Financier (CSSF)
“If we look at the evolution of texts related to cybersecurity, the first measures adopted were very generic,” continues Gellenoncourt. “In 2016, the PSD2 directive, which imposed stricter security standards in the field of payments, marked the first major development. It was followed three years later by the guidelines of the European Banking Association (EBA), which extended key security requirements to all players under its jurisdiction.” As for the Dora regulation, it aims to escalate cybersecurity risk management to the board level, harmonise incident reporting, require IT operational resilience testing programmes and formally extend risk management to ICT service providers.
The European view is therefore clear: cyber risk must be managed at the highest level of the company. “The question is no longer if, but when your organisation will be attacked. Cybersecurity is becoming a resilience issue for organisations and, as such, an issue that concerns management and the board of directors, not just IT departments,” confirms Najia Belbal, independent director and board advisor for cybersecurity.
Najia Belbal, independent director and board advisor
There is still room for improvement at all levels. “Awareness has been raised and it is now clear that security education needs to be reinforced,” continues Belbal. “Most managers still don’t know what a major cyber security incident is. It is not a question of turning them into ‘geeks’, but they must understand the challenges of IT security and adopt the appropriate approach.” This requires both preventive measures to secure the most important data and a response plan for an attack, so as not to be caught off guard. All this comes at a cost. It is difficult to set an average cybersecurity budget, but according to Belbal it should be around 10% of an organisation’s IT budget.
“Protecting yourself against attacks is not enough,” confirms Pascal Steichen. “You also need to have the capacity to detect and react to attempted attacks. The situation must be managed quickly to reduce the impact as much as possible.” Although the financial sector has invested significantly in protection, few firms, with the exception of some large banks, have put significant resources into detection and reaction capacity. “The Dora regulation forces players to invest in these capabilities through requiring firms to report all cybersecurity incidents.”
In the digital world, hackers have a reputation for being determined to succeed. They target as many entities as possible, both large and small, and repeat attacks until they find an open door. However, experts note that in more than 90% of cases, the success of an attack is linked to human error. Hence the need for awareness and training at all levels of the company. “An important part of our work consists of organising security awareness training to ensure that people are properly trained and understand cybersecurity threats. People are the first line of defence and the biggest risk,” admits Jelena Zelenovic Matone, Chief Information Security Officer at the European Investment Bank (EIB). “Training your staff is now essential as increased and diversified sabotage attempts are launched against companies through simple emails that an uninformed employee is likely to open.”
Jelena Zelenovic Matone, Chief Information Security Officer at the European Investment Bank (EIB)
IT security is also no longer confined to the firm itself. Given the increasingly technical nature of the business, many players are resorting to outsourcing. These partners can act as Trojan horses and must therefore also be monitored. “The CSSF has been proactive in this respect,” says Gellenoncourt. “In 2020, following the publication of the EBA guidelines on ICT and security risk management, we issued a circular (20/750) which further extended the scope to specialist and support FSPs.” In May this year, the body responsible for supervising financial institutions also published a circular (22/806) dedicated to outsourcing. It is much broader in scope than cybersecurity, but it does include measures on this issue. “Dora also tackles this aspect by requiring an oversight of the most critical European IT providers for the European financial sector,” Gellenoncourt continues.
The entire financial sector is also struggling to recruit the talent it needs in order to ensure cybersecurity. “Each business has its own needs and its characteristics, and much of our work cannot be fully automated, so we are facing a real lack of people and skills in cybersecurity. According to the World Economic Forum, the world is lacking 3 million cybersecurity professionals,” laments Jelena Zelenovic Matone, who co-founded and is President of the Women’s Cyber Force Association, whose aim is to convince more women to enter the cybersecurity field and bridge the gap via concrete solutions.
Her solution for gradually narrowing the gap between supply and demand is what she calls “Industry 5.0”, in reference to “Industry 4.0”, the project to digitalise all economic activity. “It’s an admirable goal, but the next thing to do is to secure as much as possible of the ever-growing Internet of Things. We must therefore think about introducing cybersecurity aspects from the beginning of higher education so that young people can already consider this specialisation.”
When it comes to cybersecurity, risk managers are in a race against time and against a threat that is growing exponentially. The financial sector, although it has taken the lead in some cases, is also at risk with regard to its customers’ savings and confidential data. It cannot risk dropping its guard for a second: the cost would be exorbitant.