Podcast transcript: How to strengthen cyber resilience in Asia-Pacific banks

28 mins approx | 13 July 2023

Andrew Gilder

Welcome to the next episode of the EY NextWave Banking in Asia-Pacific Podcast. In recent times, cyber attacks have caused widespread disruption and inflicted more financial damage on businesses than ever before across multiple industry sectors including financial services, health care, energy, pharmaceuticals, and utilities.

Gilder

In this episode, we explore why Asia-Pacific financial services institutions, and in particular, banks, must enable cyber resilience as a critical strategic priority, and the approaches leadership teams need to undertake to develop this capability in order to absorb these attacks into their business as usual operations rather than a reactive crisis mode. For today's episode, I'd like to introduce Clare Sporle, our EY Financial Services Partner based in Sydney, who will be leading today's conversation with our two special guests. Over to you, Clare.

Clare Sporle

Thanks for the introduction, Andrew. Our special guests today, Gajan and Rohit, are actually seated in Melbourne, Australia. Gajan is the Tech Area Lead for Security Operations, Intelligence, and Influence at ANZ. And Rohit is the EY Asia-Pacific Financial Services Cybersecurity Leader. So hello, Gajan and Rohit. Thank you for joining me today.

Gajan Ananthapavan

Thank you very much, Clare and Rohit. Really looking forward to this discussion.

Rohit Rao

Hello to you, Clare, Gajan, and our listeners. Thank you for having me. And great to be here on quite a miserable and cold Melbourne day, but glad to be here.

Sporle

Unfortunately, it's the same in Sydney today, too. I always find it works really well with these sorts of topics to start with the big picture. And I'll start with you, Gajan. Can you describe for our listeners what you feel are the key trends that are shaping the cyber agenda at financial institutions and banks?

Ananthapavan

I guess there are certainly a number of trends that we can point to. And what I would say is we're all paying very, very close attention, not just to the fact that there's a significant increase in cyber attacks, but more importantly, all organizations are closely observing all incidents. So, whether there are supply chain attacks that are impacting our third parties and fourth parties or data breaches, which are suddenly becoming a more frequent headline, or the API style of attacks, ultimately, we're taking all of the learnings from those various sorts of incidents and events back to our organizations really to make sure we've got the appropriate protections in place. And I think, certainly, reflecting on organizations, ANZ is no different. And certainly, the other financial institutions, we all … In the region, we all take security very, very seriously, in particular, security of our customers. But we also recognize that a major security incident or event can really happen to anyone. And those events, even in organizations with great security are vulnerable. And I guess it's becoming more and more relevant, certainly in a world where we're continuing to work closer more closely with all of our different partners.

Ananthapavan

But I guess for me, the one trend or challenge, I guess I'd call out, is really around, and in fact, a CTO whom I met with recently summarized this beautifully, it's the fact that malicious software is easier to access or cheaper to buy than a bottle of milk or a carton of eggs. And I think that's a very, very simple way to sort of describe the challenge or the problem that we're all facing into. And it's so true because the real challenge for us is threat gangs and threat actors are making malicious software and their platforms more easily accessible. And therefore, it is making it far easier for those groups to have a real impact, and that's part of the challenge that we're all facing into, and certainly why a number of organizations have started to see suddenly a significant increase in the impact to services and resilience, and it's really part of the challenge that I guess we're all facing into. And equally, that's part of the reason why we're seeing an increase in not just cyber incidents and attacks but also around customer scams and fraud. So, it all ties into I guess what we're all seeing or facing at the moment.

Sporle

Wonderful. And Rohit, your perspective from a broader Asia-Pacific point of view?

Rao

Look. As a headline, I think the major breaches, the war, and the increased regulatory supervision have defined the cyber threat landscape. And as a continuation of the headline, I think cybersecurity, especially among the banks, is the number one non-financial risk that the banks are facing. And I think it will remain number one for quite some time in the future. EY has been sort of conducting annual surveys from a security perspective for the past few years — in fact, 20 years. And this year, we have sort of renamed it as Adaptive Security Survey, and there are quite a few highlights in that survey coming through. And one of the few things that we are seeing is that today's ecosystem creates too many attack surfaces and supply chain risks.

Rao

Historically, if you talk to the organizations, the top concern was not enough budget for the cyber professionals and organization. But now, in this year, it has been replaced by expanding attack surface. And that says a lot because banks and organizations are embarking on a major transformation, whether it's your cloud, digital transformation, and today's ecosystem is much more connected.

Rao

The second highlight is the workforce — humans. It continues to be the weakest link. And if you think about the major breaches that have occurred, usually it's a human that clicks on a link or does not adhere to the policy. And a few other things that are evolving are the cybersecurity risks with the advent of AI and the ChatGPT. I think there is a large percentage who are saying that they're not very well-positioned to really address the risk of the future. And lastly, I would say that the concept of cyber resiliency is really getting amplified in today's world, and due to the regulations, or even the important role the banks play in the ecosystem, right? So, I'm sure Clare will dig a bit deeper in the future.

Ananthapavan

And just on that point you made around, I guess, the role that regulators and other sort of industry players are … I guess the role that they're playing is suddenly evolving and changing. And I think it's an important shift. And I think it's important to sort of recognize the fact that actually this is a great opportunity that we all need to leverage and come together and play a role in terms of how we can support and enable each other. I think the role of, certainly, the regulators and governments has changed and shifted. Resilience, I think, is key to not just, I guess, the banks and major organizations, it's key to resilience across the economy and across the country. And clearly, there's a great opportunity to leverage the intent and the directives and the initiatives that are being driven at the moment.

Sporle

Perhaps we'll take an angle of trust around resilience next in terms of what might be useful to delve into in a bit more detail for our listeners. So, we've all experienced a very interesting start to 2023 with the global financial sector seeing an increased level of uncertainty due to the banking instance, in particular that we've seen in the US and in Europe, and the ripple effects of those are still continuing. So, I'd be interested in your perspectives on how this series of events or similar events, which you may have experienced have reinforced or shifted your strategy to ensure investor and consumer trust.

Ananthapavan

As I'd sort of touched on earlier, certainly in the context of our organization, ANZ, we take security very seriously. We take the security of our customers and our data very seriously. And trust is really everything to us. It's certainly the most important attribute of organizations like us. And I guess the opportunity here is to actually see security as a differentiator in the services that we provide and how we foster digital trust across our customers through the products and services that we design and build and enable and do that in a consistent way. So, for me, I guess the opportunity here is really how the security becomes an enabler or becomes a differentiator for our business. And I think that's part of the opportunity that we're seeing with this incredible focus.

Ananthapavan

So, while on one hand, there's a real challenge around the threats and the increasing challenges around all the cyber incidents that we're seeing take place across the world, there's equally an opportunity. And Rohit, as you sort of touched on in the past, organizations were worried about budgets and mandates, but actually, there's an opportunity to harness the intent, the concern, and use that as a way to really drive security, as I said, as a real enabler. And for me, I guess, part of the opportunity, certainly, if you look at how security works in a lot of our organizations, we don't just rely on one control or one layer of defense. There are many layers of defense that come together to protect our organizations and our data.

Ananthapavan

But I think it's really about how we build on that now to provide greater capability and services out to our customers. I guess the other element here is really around, and Rohit, again, you touched on this earlier, people traditionally have been the weakest link. And how do we start to better enable them? How do we start to better educate them to be able to also equally leverage the services and the capability that we offer?

Sporle

Interesting in terms of this focus on data. I think every podcast that we've recorded in this series so far, data has come up as an important topic regardless of the focus of the podcast episode. So, Rohit, I'd be interested in your perspectives around how the financial services industry can get better at understanding what data and what assets they're storing. Where is it located and how is it protected?

Rao

Today, data has been seen as the new oil or a tremendous asset with only an upside. But from an institution's default position, it has been to retain the data, nurture it, and not really delete it in the right size. So, with the current philosophy of whether data is a liability, we just need to challenge the paradigm, and that's what we are looking at in terms of the major breaches that have happened. And also, what I think is, given the vast proliferation of the data and applications, and what we call the data access and the ecosystem, I think, no longer we can sort of point data to a small number of core databases. Customer information and sensitive data are typically in today's world spread across the organization in different applications and different platforms. So, it's definitely rather complicated with the whole digital and cloud transformation that organizations are embarking on.

Rao

So, I think one of the key things that we encounter when the boards and the execs are asking is, what are the protections that are in place to stop a cyber-attack? We feel that the cushion needs to be slightly more aligned, which is to the point around where is our data and why are we keeping it? I think some of the pointed questions would help organizations and executives see through what is the data that we are keeping, why are we collecting it, and how much is required. And how do we actually reduce our footprint in terms of the data? So, it's an evolving paradigm shift that I'm sure, Gajan, you're also experiencing in your organization.

Ananthapavan

Yeah. And I think the other important learning, as we've seen through a number of the major data breaches and events, is really around how prepared are organizations to be able to deal with responses, data breaches, or responses of that size and magnitude. And I think that's the real challenge that organizations are seeing. And it is really about how prepared are you in testing those resilience and recovery plans and understanding how your organization can respond at the speed and scale that it needs to in the event of a large-scale data breach. I mean, as we all know, even organizations with great security — who have invested well — every organization is vulnerable. They’re not necessarily immune. So, we need to prepare for those scenarios. And I think that's certainly part of the challenge that we've been seeing as it relates to data across a number of events now across the industry.

Sporle

You've both touched on there the complexities of what banks are dealing with at the moment in terms of all of the dimensions that they're looking to change. And we know that banks in Asia-Pacific continue to evolve and transform their product offerings. They're driving their digital agenda. And they're often looking at how they can shift to use the evolving cloud ecosystem for more scalability. So, I'd be interested, Gajan, in particular your perspectives on how banks should do this while balancing the cybersecurity risk.

Ananthapavan

Certainly for us at ANZ and certainly across a number of financial institutions, cloud is part of the solution because it gives us greater flexibility. It gives us the ability to patch and protect those environments a lot quicker. It gives us the ability to refresh our environment and the underlying hardware and technologies a lot quicker. If you look at a lot of the problems that we have around vulnerabilities or exposures today, a lot of it really is to do around legacy, hardware, environments, and applications that take time to remediate. So, for us, the cloud done well, I think is certainly very much part of the solution in helping us all balance our cybersecurity risks, while also looking at how we drive better resilience and recovery across our environments. And it's something I guess we really need to embrace.

Ananthapavan

It's not just about how we continue to manage and operate our own services, it's also about how we better partner with organizations and have that ability to scale. So, I certainly see it as a great opportunity certainly where cloud has done well as a way to drive suddenly greater optimization and efficiency, as well as better security for our organizations.

Rao

And probably Gajan, I would definitely agree with that and I'll also add that I see a tremendous opportunity just to use the technology and the ecosystem. You made a point earlier around working with the government, the cloud service providers together as a united front. So, I think that collaboration and working together is very important to combat the risk of cyber. And also, I think the newer technology that comes with the cloud and other emerging tech is quite important to help and sort of continuously monitor the controls. And in today's world, you all have that facility and functionality, which was sadly missing in some of the legacy platforms. So, I definitely see it as positive. The only thing I would say is how do we actually maintain a good level of governance and visibility? Because as the earlier point, the attack surface is increasing. There are many parties. The supplier risk is increasing. So, how do we maintain better governance and good visibility around all those aspects?

Sporle

Let's shift our focus of the conversation a little bit now toward the recent cyber-attacks that we have observed that have affected various industries, including financial services. So, what has been your observation in terms of what we've learned about the mindsets that we need to have and the greater focus on cyber resilience capabilities? What's changed? What do we think needs to be improved even further? And what would you say are some of the critical success factors in this space? Rohit, I'll go to you first with this one.

Rao

From a banking perspective, it is quite essential that certain functions, banking functions, like payments, are required to be always available, it impacts everyday moms and dads and also has a crippling effect on the economy if such functions are not available. But what we do find is organizations are still falling victim to some of the basic attacks, largely because either they haven't done all of organizational testing or some of the key decisions have not been sort of pre-agreed with the board or the response, to your point, Gajan, how prepared they are. So, I guess in today's world, the cyber threat scenarios are very real. If I look at some of the business continuity and resiliency planning that was there, it was more oriented toward either the data center not being available or the site going down. But now with these breaches and ransomware attacks and increased regulations, it is how we respond to the media, the public, the customers, and also how you maintain that transactional resiliency and restore the services.

Rao

So, we are seeing … And again, as part of the survey and other customer interaction, we're seeing increased expenditure and focus on the response and simulation. And again, you mentioned that, Gajan, earlier. Also, a greater focus on maintaining cyber hygiene and testing the controls. There is obviously splash damage that happens when the potential data breach occurs, how do you recognize those aspects? And lastly, how do you understand the inherent risk of supply chain and other third parties? So, getting a grasp and good view of all that, and being prepared I think is the key, and especially around some of the cyber scenarios that are playing out.

Ananthapavan

And I think I'll just add, as I've sort of touched on earlier, being prepared and really testing resilience and recovery plans, and being able to respond at speed and scale is very much key to this. But the other word I'd call out is partnership. So, how you partner with the government, how you partner with the regulators, how you come together with your relevant business partners is very much key to being able to drive a greater response and really about building out a stronger resilience across your organizations. No one organization can do this in isolation. And certainly, when you reflect on all the major incidents and events, and there's certainly a lot of learnings for all of us, partnership is key. And I think this is where we're certainly seeing a lot of changes in the US. But governments around the world are increasingly seeing the importance of the role that they play. And I think we're certainly seeing that in our region. And it's an incredible opportunity. We need to build on that partnership. We all need to invest in that because I think that's how we're going to drive a better response.

Sporle

One of the other changes we've obviously observed in the last few years is this shift in the perimeter of an organization's network, because of the way that we're all working now, we've observed a lot more hybrid working arrangements, and its increased need for interconnectedness. So, what would be your view of the benefits and challenges that this has brought the way that banks are now considering the security of their networks and their data?

Ananthapavan

It's a really important point as we continue to partner and leverage services across different organizations. We're having to move away from the concept of a hard perimeter to more of a virtual perimeter. And certainly, that requires a lot of us to rethink how we have approached some of the foundational pillars of security across our organization. So, whether it's around network security, identity management, how we protect our data — all of those elements — we're all having to rethink. And certainly, a big part of our approach and certainly part of the approach that many organizations are considering is really around the zero-trust framework, and how that can help us rethink many of those elements to better protect us in a virtual world. And for, certainly, simplistically for us, zero trust is a way in which we can start to stitch together some of those foundational pieces around identity management, which look is going to continue to play an even bigger role in protecting all of us and protecting our customers and protecting how we work better with our partners.

Ananthapavan

And so, zero trust is a big way in which we're going to bring all of those sort of key elements together and enable us to work in a more virtual environment. I think there's a significant business benefit and opportunity as well, in that. It allows us to move away from, I guess, the dedicated infrastructure and data centers, and so forth, that we've all had to invest in over a period of time. And it allows us to more freely operate and leverage cloud services. So, there are some great opportunities there in terms of how we adapt and change our approach and certainly, zero trust is a big element of that.

Rao

Yeah, I think we all feel the same way. Technology is fast-moving. The ecosystem and the supply chain are expanding. So, I think the challenge is grappling with what to do now vs. the future. And in terms of the future, again, to sort of dip into our survey, what we find is only 1 in 5 organizations feel that their cybersecurity is effective now, and they are ready for the future. So, you may ask, what do these organizations do? Why do they feel that they are effective now as well as they are ready for the future? And there are four things that stand out. I think, one is they adapt — or adopt — emerging tech faster, whether it's CIML, or in your identity world, password-less, or it may be just the automation aspect, right? So, they are adopting the emerging tech faster, and to their benefit. They're also focusing on managing the attack surface, whether it's cloud ecosystem and the supply chains well.

Rao

This, in my view … The third one is very important, which is to integrate cyber across the enterprise. The whole business integration, and how do you make the muscle memory, I think is super important, and some of the organizations really do it well. And the last one is: embrace simplification. Sometimes less is more, both in terms of process and technology. So, these are the four sort of classic themes that stand out in terms of how you lean into the future and embrace it as well as manage it well.

Ananthapavan

Some great points there. And maybe just a couple that I might just sort of tie back into because I think, for me, and I completely agree, simplification is incredibly important, I think especially across many of our large organizations. As you and I've spoken about many times before, we don't just have one or two of something, we generally have 10 of the different sort of products and platforms. So, there's an incredible opportunity to simplify our environments.

Ananthapavan

And also, the other important point you touched on was around sort of embracing new technology. And I think we're at this pivotal point, and certainly, there has been lots of conversation around AI and machine learning and leveraging ChatGPT, and there's clearly always two sides to it. But there's an incredible platform that we're able to leverage and harness, not just for our organizations, but from a security standpoint to really strengthen our teams and allow our teams to learn and move quicker. And I think that's an important part of where we are right now. And as I said, it's a pivotal turning point, and really important that we embrace the platform. I know there's an element of reluctance out there. Security professionals sometimes tend to be a little bit more cautious. But I think there are some incredible opportunities there.

Sporle

That theme of simplification has also been common across a number of these podcast episodes as well. I think the key message that 'simpler is smarter' at the moment for many different dynamics that we think about in business. So, a complex topic. So, I'm going to close with maybe an impossible question. But what is the one takeaway that you would like CEOs and CISOs listening to the podcast to consider in this space? Rohit, I'll start with you.

Rao

I would just say, just being brilliant at basics. What I mean by that is just maintain the hygiene, look at your workforce, supply chain, and more integration. Sometimes — to your earlier point, Gajan, you have too many technologies and tools. How do you integrate that rather than bolt-on, which adds to the complexity? So, I would say just be brilliant at basics.

Ananthapavan

I think for me, one of the things that's incredibly important in all of this, and I'd sort of come back to my comment or my message before. It's really about partnership. It is about how organizations come together — how we work together better as a community. It's about having customers very much front and center of everything that we do. Trust is so incredibly important to our organizations. And again, we're not going to be able to necessarily get on top of this isolation, it's really going to be through greater partnership. And I think that's incredibly important, certainly over the next few years in light of what we're facing into.

Sporle

Oh, thank you both so much. One of my takeaways would be that cyber resilience is enduring work that needs many minds, both within organizations in terms of tech, talent, customer brand, and also that partnering with many minds externally, such as regulators, across institutions, and also with the government as well. So, I'm very thankful that we had both of your minds to collaborate in the discussion today. And thank you very much for the insights you've provided.

Ananthapavan

Thanks, Clare. Thanks, Rohit.

Rao

Thank you.

Gilder

You've listened to the EY NextWave Banking in Asia-Pacific Podcast. To learn more about EY, our people, and our latest thinking, visit us at ey.com/banking. If you would like to have a further conversation on what you've just heard or learn more about joining our team at EY, please contact us via the details found in the description. If you liked this episode, please leave a review to help us bring you more insightful and relevant content. And finally, don't forget to subscribe to our podcast on Apple Podcasts, Spotify, or wherever you listen.
