Open Banking cyber security – opportunity knocks and back to the future?
27 September 2018
In the previous two blogs in this series on Open Banking, we’ve spent time looking at what banks can think about when they start to consider security.
Our next stop is Protect: what do you need to do to keep your customers safe and secure (especially given the potential change that Open Banking could herald)?
There are two ways to approach this. The first is to take the lessons of blog 2 and apply them to your testing strategies and to your current and planned controls framework, and to work out how you might need to adjust accordingly.
There is a second approach, however, that is potentially much more interesting: could Open Banking be an opportunity? Can you use Open Banking to have a conversation with your customers about identity and data sharing in today’s world?
Start by asking them the following:
- Do they understand that their personal data is very valuable, not just to them but to just about every company operating on the internet today?
- Do they understand that they have a digital identity, that they use this to book holidays, get an appointment at the doctor, manage their finances?
- Do they understand how their personal data and digital identity are used and shared in today’s world? Whom are they sharing these with, and are they happy to do so?
I’m going to make a prediction – connectivity is here to stay. By this I mean that banks, customers and third parties are going to continue to link up and form relationships with each other, as digital banking continues to evolve and grow.
Open Banking’s role will be to help shape these connections, and banks should get familiar with the technical regulatory standards that will apply. But this theme of connectivity should also apply as banks think about Response and Recovery, the final parts of our framework, with regard to Open Banking and security.
Put simply, banks need to update their recovery (incident management, crisis management, call it what you will) plans to recognise the new relationships they hold, and will start to hold, with new and existing parties.
As third parties enter the market and start to connect with you to gain access to your customers’ data, what will you do if something goes wrong? Who would you call and do you have an agreed approach lined up, for instance on communicating to impacted customers, or sharing potential threat indicators? If you haven’t already, now is the time to start thinking about this theme and the wider need to consider security and Open Banking.