HVA driver #1: increased risk posed by cyber attackers
The first driver of the push toward better HVA management is the ceaseless probing by cyber attackers seeking weak points. Financial institutions, especially those considered to be critical infrastructure such as clearing networks and stock exchanges, are under constant threat from cyber attackers of all types, from hacktivists to hostile nation-states. Financial institutions also must cope with increasingly sophisticated attacks by adversaries with a profit motive, whether they are stealing and reselling customer data or committing financial crimes and then covering their digital tracks. An unguarded HVA found by any of these attackers poses a serious threat to the financial institution. If an entire business process relies upon a component, even if it is a relatively small subsystem, that component should be considered part of the HVA and protected to an appropriate extent.
HVA driver #2: faster pace of deployment from new business models
Technology disruptors like digital delivery continue to change business models for financial institutions. To embrace digital delivery, financial institutions are constantly being pressured to move quickly with new initiatives, new applications and new products. This creates a natural tension with the operational constraints of maintaining integrity, resiliency, privacy and security.
Yet financial institutions’ “Do no harm” approach to protecting the customer has limited the pace of change, and this has turned out to be a competitive liability for large financial institutions versus Fintech companies. Unlike traditional financial services firms subject to a high level of oversight and expectations, Fintech companies tend to move quickly with a “fast-to-fail” strategy, in which they deploy into the market products that are only 80% to 90% ready and then adjust accordingly. This approach is difficult for financial services firms to imitate, because of both their internal culture and the expectations that they protect the marketplace and consumers.