The better the question. The better the answer. The better the world works. У вас есть вопрос? У нас есть ответ. Решая сложные задачи бизнеса, мы улучшаем мир. У вас є запитання? У нас є відповідь. Вирішуючи складні завдання бізнесу, ми змінюємо світ на краще. Meilleure la question, meilleure la réponse. Pour un monde meilleur. 問題越好。答案越好。商業世界越美好。 问题越好。答案越好。商业世界越美好。

Will innovation increase cyber threats in the financial services industry?

Innovation is essential for incumbents to compete, but it should not come at the cost of security.

With the region’s financial institutions (FIs) under increasing pressure from non-traditional financial services institutions entering into the battlefield, they are seeking to innovate quickly to stay ahead. Right now, the market is being disrupted by two groups of new entrants:

  1. FinTechs: These start-ups are shaking the banking value chain by focusing on: customer-centricity, innovation culture, low cost, simple business models and fewer regulatory constraints.
  2. Tech giants and their subsidiaries: These powerful players, including Apple, Alphabet, Alibaba and Tencent, are seizing market share through their high-recognition brands, well-established platforms and global scale.

In response, we have recently seen several banks in the region embrace emerging technologies. However, making such deployments sync seamlessly with legacy platforms requires rapid digital transformation.

The combination of a rush to transform and partner with other entities is good for innovation, but it also increases a bank’s digital attack surface. This makes it challenging for IT and security teams to maintain effective cyber defenses.

What are the security pain points from a fast-and-furious digital transformation?

In a rapidly changing environment, security issues arise from a simple lack of readiness, in terms of:

  1. People: The human element is always the toughest factor in securing digital transformations. People remain the weakest link in security, with Forrester estimating that at least 80% of data breaches are connected to a compromised privileged credential. Even the tightest security systems can be defeated by a single person acting in an unauthorized manner, with social engineering risks, including impersonation attacks, spear phishing and media drops.
  2. Process: With rapid and intense change, information security is pushed to its limits. New workflows, ways of working and commercial contracts, including their business continuity and recovery processes, all need to be rapidly updated to reflect the new systems and operating models. Otherwise, these changes can open a gap in your cyber defenses.
  3. Technology: To appropriately integrate different emerging technologies into your environment, and reap its full benefits, changes are required at various levels, including network. Rushed digital transformations create new attack vectors, especially when requirements are unclear and testing is inadequate.
  4. Vendors: FinTechs can have services that are not yet proven or compliant in the highly regulated market. Many also struggle to make the transition to a large, corporate environment. According to a recent study conducted by Ponemon, 59% of respondents indicated they had suffered a data breach associated with one of their vendors or third parties. These breaches can have significant repercussions on the organization, including potential regulatory fines, diminished brand value and trust in the market.

EY - Will innovation increase cyber threats in the financial services industry?

How should FIs respond?

  1. Manage privileged access effectively and efficiently across the organization

    Privileged credentials are often targeted by cyber criminals as, if compromised, they can allow bad actors to take over critical systems or your entire network. Considering the implications, it is essential they are protected using a Privileged Access Management (PAM) solution.

    PAM solutions provide businesses with additional layers of defense, requiring extra approvals, multi-factor authentication or recording the session – all aimed at creating additional visibility and control around who accesses and what they gain with these credentials.

  2. Conduct continuous threat intelligence and analytics

    Organizations often imagine transition moments are happening ‘behind closed doors’ and therefore normal security exercises are unnecessary. In fact, monitoring and threat intelligence gathering should be conducted more frequently during transformation when attackers can take advantage of a rare opportunity to gain access to the in-transit and often less-secured systems.

    With a shortage of skilled and specialized security resources, adopting automated tools, such as Security Orchestration, Automation and Response (SOAR) goes a long way to proactively detect threats and improve the incident response time. Using such tools, our clients have been able to successfully improve incident response times by up to 80%.

  3. Enhance network visibility and controls

    With new cloud services and third-party collaboration, you can no longer trust all devices on the ‘internal perimeter’. Yet, we continue to see many financial institutions relying on traditional segmentation, with bloated firewall rules and weak protection on lateral traffic within their networks. These limitations are hindering organizations from adopting innovative initiatives and preventing IT operations scaling to support the business.

    Financial institutions should embed ‘security-by-design’ principles in their enterprise architecture. At a network level, we recommend micro-segmentation as it provides more granular controls and greater visibility – helping organizations secure critical workloads and reduce the impact of a potential network breach.

  4. Transform third-party risks into a competitive advantage

    Financial institutions have an important opportunity to automate their Third-Party Risk Management capabilities, enabling a more rigorous analysis of third-party risk by integrating internal and external data. Risk assessments and reviews should cover exit strategies and contingency plans, including incorporating the ‘fail-safe principle’ at the strategy level. They must also consider: cross-border transfer of personal data; business continuity management; and regular monitoring of service delivery and performance so any incidents or potential breaches are known and investigated as soon as identified.

EY - Will innovation increase cyber threats in the financial services industry?

Innovation is essential for incumbents to compete, but it should not come at the cost of security.

Banking leaders need to strike a balance between speed to market and protecting their own and their customers’ data and assets.

Contact us

EY - Sean Gunasekera

Sean Gunasekera

EY ASEAN Financial Services Cyber Security Leader
+65 6718 1162