Cyber, Identity and Privacy (CIP) – Trends and Challenges

This is the first of a series of two posts exploring the Cyber, Identity and Privacy (CIP) category of our RegTech Taxonomy. Below, we explore the challenges posed to the financial industry from cyberattacks, data security, and privacy. The next post will explore the technological solutions and trends we are seeing in the market.

Banking and financial services have changed drastically in recent years, as clients and consumers move their preferences towards digital offerings and accessing information online. This brings numerous challenges, including balancing complex and ever-changing regulatory and compliance requirements, boosting effectiveness and reducing costs through cloud services and smarter business processes, and improving customer journeys and experience through digital transformation. For example, banks need to give users optimal access to systems while ensuring appropriate security measures are maintained, with a focus on the privacy and protection of company and client data. Both internal and external users now access systems from all over the world and from a variety of devices, meaning that the identities of these users, and the access granted to them, form the new security boundary around the organization.

These challenges bring significant opportunities for firms that are prepared to adopt emerging technologies to gain a competitive advantage, while also placing new security strains on an industry forced to find new ways to protect itself and its customers. An augmented and seamless customer experience is attractive, but it is imperative that firms have cybersecurity systems to match. Investing in the right tools, including firewalls, Identity and Access Management (IAM) solutions and anti-virus software, plays a large part in this.

Frank Joshi, director at Mvine Limited, provides insight on the importance of strong customer identity verification tools and inter-company collaboration in tackling the problem: “More and more people are finally waking up to digital identity being the thing that’s holding back the UK’s digital economy. Cross industry collaboration initiatives are desperately needed to solve the impasse and to bring interoperable and ubiquitous digital identity into the mainstream where it belongs.”

CIP – Regs, Facts and Figures

The General Data Protection Regulation (GDPR), the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500, often referred to as NY DFS 500), the California Consumer Privacy Act (CCPA) and the second Payment Services Directive (PSD2) introduce a range of new requirements that organizations must meet or face significant financial penalties and subsequent reputational damage. In response to the increased regulatory burden, a number of relevant authorities have released best-practice documents and other guidelines, such as the EBA’s recent guidelines on outsourcing arrangements and the FCA’s current focus on operational resilience.

Attacks and heists pose a huge threat not only to the financial services sector but to numerous other industry verticals and the economy as a whole, as evidenced by the Travelex ransomware incident and the British Airways data breach, which have resulted in significant regulatory fines and an unquantifiable loss of revenue opportunity.

But GDPR and privacy are about much more than security. Indeed, Forrester reported in January 2020 that more fines and penalties had been issued for failures of data governance than for failures of security. According to Robert Baugh, Founder & CEO of Keepabl, a GDPR SaaS provider in the Fintech Power 50 2020 cohort: “Although GDPR’s definition of ‘personal data breach’ does start with ‘a breach of security’, it’s not just stereotypical hacking that’s covered. Many are surprised to learn that the majority of privacy fines and penalties have come from governance aspects such as accidentally sending an email to the wrong recipient, losing or leaving data unprotected, incorrect redaction, inadequate retention practices, and lack of ability to demonstrate compliance. You can be fined for not complying with GDPR in a myriad of ways, not just for a personal data breach.”

Baugh continues: “So I believe your inclusion of Identity is an inspired bridge between Security and Privacy! Much of compliance depends on establishing access rights to data, from authentication, encryption and least access privilege to responding to data subject rights, training (not least against social engineering attacks) and compliantly sharing (or not sharing) personal data. Fines of up to €20m or 4% of global turnover, as you’ve pointed out, can reach astronomical amounts. But lots of 5- to 7-figure GDPR fines are now being issued on a regular basis and you can expect more to come.”

These thoughts are echoed across the industry, with Frank Joshi of Mvine continuing: “Thankfully, those in the regtech space have known for a while the importance of digital identity and the huge role it plays for use cases such as revenue protection, benefits eligibility, and combating fraudulent activity. Driven by the challenges posed by data privacy and cyber security, digital identity sits right on top of the priorities for the regtech sector from here on in.”

Verizon’s 2018 Data Breach Investigations Report analysed more than 2,200 confirmed breaches, 76 percent of which were financially motivated and 28 percent of which involved internal actors. The same report showed that 75 percent of breaches are tied to credential theft and otherwise ineffective IAM, including RAM-scraping malware, phishing and privilege abuse. In 2018, seven UK retail banks, including Barclays, Santander and Royal Bank of Scotland, were forced to shut down or limit their systems after attacks that cost them hundreds of thousands of pounds to fix.

Cyber criminals’ numerous approaches include:

  • external actors exploiting vulnerabilities
  • coordinated phishing campaigns
  • rogue employees
  • Trojan malware
  • lone-wolf hackers for hire

These new and evolving attack vectors are increasingly difficult for regulated institutions to combat, as evidenced by IBM’s 2019 Cost of a Data Breach Report, which put the average total cost of a data breach in the UK at upwards of $3.85m.

Conclusions 

Despite successful innovation, vulnerabilities remain across the market, not least from a lack of compliant, joined-up governance. The financial services industry needs to address these problems more broadly and explore how organisations can collaborate (rather than compete) with each other to tackle threats and promote best practice. In doing so, firms can share knowledge, spot threats earlier and develop solutions faster.

Teams within an institution also need to work in partnership. It is imperative that front-office business units, cyber and data teams, and risk and compliance groups are aligned. No single group can make the informed, risk-based decisions crucial to a company’s success in isolation, and companies that adopt a ‘three lines of defence’ model (first, second and third line) often realise the greatest success.

The landscape for technology solutions in this space is competitive, driven by innovation in both the attack and defence methods deployed. Since process improvements and technology changes can either provide a game-changing competitive advantage or create unnecessary risk and a myriad of other potential negative impacts, inter- and intra-company collaboration is paramount.