Cyber, Identity and Privacy (CIP) Part II – The Response to a persistent problem

This is the second part of our series of two posts exploring the Cyber, Identity and Privacy (CIP) category of our RegTech Directory.

Below, we take a look at the response from financial services firms, and how they attempt to mitigate the increasing threat being faced by the industry. 

In recent years, the threat from cyber crime has gained increased attention and focus across numerous industries – financial services in particular. Cyber crime is far from a new topic on the agenda, however, in 2017, seven British banks, including Santander, Royal Bank of Scotland and Barclays, were forced offline following a series of attacks. Critical operations were affected and entire systems shut down as a result, with the cost to remediate running into the hundreds of thousands of pounds, according to the National Crime Agency. In 2018, the FCA (Financial Conduct Authority) received 145 breach notifications, up from 25 in 2017. This significant increase was seen primarily across both investment banks (from 3 to 34) and retail banks (from 1 to 25).

Current Trends

In 2019 there were 927 Security incidents reported across the Financial Services, Banking and Insurance (FSBI) space, 207 of those included a confirmed data breach. Web Applications, Privilege Misuse, and Miscellaneous Errors represent the trending patterns responsible for 72% of breaches. Denial of Service resulting in operational disruption for institutions, and use of stolen credentials on banking applications targeting consumers remain the most common methods of attack, whilst hardware based activities such as ATM Skimming continued to decline. 

Illuminate Financial, a Venture Capital (VC) firm backing companies that solve problems in financial markets, have noticed an increased need for innovative solutions in this space. Reszo Szabo, Investment Director provides the following commentary – “Emerging cyber security startups have seen an incredible increase in demand, both from customers and investors. According to a recent survey more than half of the US businesses experienced a cyber attack in 2019. No wonder venture capitalists have invested more than $30bn in cyber security startups in the last 5 years. In the last year alone the industry saw 8 new cyber unicorns (startups that breached the one billion dollar valuation level when attracting new investments).”

This increased attention was also shown in a recent Lloyds Bank report, where cyber crime has leapt from eighth place to fourth since 2018 in terms of priority areas of concern for respondents. This increased concern is reflected in budgets. In 2018, 46% of respondents said one of their firm’s top three technology investment strategies was to improve cyber security, behind improving customer satisfaction and reducing operating costs. In 2019, cyber security has moved to the top of the tech agenda and with greater prominence, as 70% now make it their number 1 priority.

Robina Barker Bennett, head, financial institutions, Lloyds Bank Commercial Banking, says: “In 2019, firms are arguably more dependent than ever on technology. With this rapid advancement, the risks from cyber crime are increasing, placing extra pressure on financial institutions to change the way they operate.”

Areas to improve

Customer demand to consume financial services digitally has exacerbated the problem. In 2018 Accenture produced a report, assessing the cybersecurity of 30 major banking applications, of which all had at least one known security risk 25% were deemed to contain a “high-risk security flaw.” Their vulnerabilities included insecure data storage and privacy, insecure authentication and poor identification capabilities, as well as code tampering.

The move towards digital is only going in one direction – people aren’t going to go back to cash transactions and weekly visits to their local bricks and mortar banking branch. If financial services players want to keep up with consumer behavior while avoiding a major attack, they’ll need to update their web and mobile cybersecurity practices.

Rezso describes how the industry has reacted:

“We see there is a single common technology theme across this space  – data. At Illuminate we work closely together with our industry partners, including several global financial institutions, banks, asset managers and market infrastructure providers. They seem to have reacted to the increasing number of threats two ways. 

  • Firstly, large enterprises are trying to limit the exposure in case of a breach through reducing the sensitivity of data in use within the organisation. They can do this by applying differential privacy solutions, like Privitar as an example. 
  • Secondly, more and more cyber security tools are required to provide a decent protection envelope against numerous newly emerging threats.

This fragmentation fuels demand for better monitoring, data aggregation and remediation workflow solutions – stitching data together to try to identify and address gaps across the hundreds of existing point solutions. We think this area will greatly benefit from applying next generation Artificial Intelligence and Machine Learning tools to reduce false positive alerts and uncover unknown unknowns.”

At RegTech Associates we continually research and analyse the industry, collecting data on over 1,000 technology products that are specifically designed to meet regulatory challenges and obligations, which we package together creating the largest global RegTech Directory. This is segmented into 8 specific categories, grouped together by related functions. In the Cyber, Identity and Privacy category, we have seen a marked increase in the number of products, now including a total of 142 products with a relatively even split between the three individual sub-categories. This represents an increase of over 150% in less than 6 months, since our most recent directory refresh, and in order to help understand the landscape, we have compiled the attached market map to provide a visual guide to the most innovative solutions in this space. Many of the providers have solutions which address more than one aspect of C.I.P and have been categorised according to their primary use case and value add expertise.

In line with the commentary throughout this blog, we see C.I.P as an area of growth and focus for the market, as solutions addressing these challenges are increasingly becoming essential to organisational resilience and resulting success, rather than being an optional extra or ‘nice to have’. Identifying which C.I.P products are able to meet firms requirements requires significant time and effort in navigating the fog of innovation. RegTech Associates is always happy to help – so check out our C.I.P market map, the RegTech Directory or contact us if you have a more specific query.

Cyber, Identity, Privacy (CIP) Market Map

Conclusions

It is clear that cyber security, identity verification and data privacy are becoming increasingly interconnected in today’s digital world. Financial Services firms are caught between a rock and a hard place with conflicting interests pulling in different directions. 

On the one hand, client expectations now require a seamless omnichannel experience, focusing on a frictionless onboarding process and ongoing overall improvement in customer journey. Pulling in a conflicting direction there is an obvious need for increased cyber security, dual factor authentication and the requirement for 100% control and visibility of all personal data held online. 

Data is widely regarded as the most valuable commodity on earth today, and the effectiveness of how we manage and protect this now and in the future will become a competitive differentiator for companies, if it hasn’t already.