« December 2018 | Main | February 2019 »

3 posts from January 2019

31 January 2019

Securing the Innovations within Financial Services Blog Series: Part 2 - The Investment Management Industry

by Anton Tkachov Financial Services - Chief Security Architect

Email +44 (0)20 7212 5216

In part 1 of this blog series, we discussed the security challenges facing payment innovations such as digital wallets, blockchain technology, and card-less transactions. We identified key security risks that need to be considered within the supply chain in order to prevent compromise of critical assets and service disruption.

In this second blog we will be discussing the innovations within investment banking and the direct security threats that need to be addressed.

We are seeing a high level of market disruption within the investment banking industry, with automated investment platform providers threatening the market shares held by investment management companies. These new market entrants use automation and big data analysis to provide affluent groups of customers with tailored investment plans without the need for an intermediary. This also creates opportunities for investment managers to embrace this technology and streamline internal processes and lower the cost of service delivery, allowing them to serve the mass market.

Investment managers are under the security spotlight

Naturally, organisations are considering the outsourcing of their processes and operations to these investment technology providers, however questions need to be raised about the security of integration, supply chain assurance and liability. Attacks on investment and fund managers are increasing, and investors and regulators are paying close attention. The Financial Conduct Authority (FCA) has been particularly vigilant recently over the precautions the industry needs to take to protect themselves and their clients from attacks and outlines the requirements expected by businesses within the FCA Handbook. For example, under Article 11 businesses are required to report ‘material cyber incidents’ which covers specific characteristics of an incident such as significant loss of data, unauthorised access or malicious software present on your information and communication systems.

Managing the essential security risks

The reduction of controlled access to funds and data by these providers is empowering consumers to take more control and can subsequently increase the likelihood of a cyber attack. Therefore, the following will need to be considered when evaluating the security risks to integrating this technology:

  • Data integrity - when assessing the business’ security compatibility of integrating advanced analytics and algorithms into their traditional operations, questions will need to be asked about the potential loss of data integrity. Accidental or malicious change could cause financial damage and subsequent loss of trust. Regulators are scrutinising businesses to have appropriate access controls in place and investors expect their data and funds to be protected, as part of their trusting relationship, and monitor failures to data integrity.
  • Third-party attacks - with the core processes of financial institutions being transitioned to online platforms, third-party suppliers providing this technology will become an attractive target to cyber attackers. The dependency on this technology creates an opportunity for these attackers to disrupt their operations and open new avenues to data breaches.

The tendency to adopt new business models driven by innovative technologies without including the proper security controls up front can result in a costly post-mortem exercise and an organisation that is not able to adapt effectively to mitigate future threats. Therefore, it is important for security, risk, and business leaders to evaluate how they are protecting their data and ensure the right controls are in place to fully monitor and respond to cyber attacks.

Download our free whitepaper to learn more about the threats facing the investment management industry and the ways organisations like yours can address them.

Have any questions? Contact our experts.

by Anton Tkachov Financial Services - Chief Security Architect

Email +44 (0)20 7212 5216

25 January 2019

Securing the Innovations within Financial Services Part 1 - The Payments Industry

by Alex Petsopoulos Financial Services - Cyber Security Lead Partner

Email +44 (0) 7941 454 210

by Anton Tkachov Financial Services - Chief Security Architect

Email +44 (0)20 7212 5216

Consumers have been increasingly demanding more transparency and interaction with their products and services, which has driven businesses to adopt technological innovations to optimise customer engagement. But how confident are these businesses that they fully understand the level of security risk they are facing when exploring these disruptive initiatives?

In this series of blogs, we will be looking into the widespread innovations taking place within the financial services (FS) sector, the key security related risks that come with them for businesses to consider. This is the first part of this blog series, where we look specifically into the security risks associated with payment innovations.

Innovating in a vulnerable payments industry

The payments industry has undergone a dramatic transformation in the use of technology innovation to optimise the customer experience, reduce operational costs and make payments easier and more efficient. Examples include digital wallets, machine-to-machine payments and in-app purchasing but also include more infrastructural developments such as the use of blockchain technology in augmented money transfer models. These have, however, opened up doors to new vulnerabilities.

Recent cyber breaches on the FS sector demonstrate the security vulnerabilities within the supply-chain being exploited by cyber attackers. Consequently, this can damage customers’ trust and result in regulatory penalties if the appropriate security measures aren’t in place. Business leaders in charge of digital, user-experience and innovation need to bring security and risk leadership to the table to ensure cyber security risk management is embedded within these digital programmes from the outset.

Key areas of concern point to the supply chain

When examining these innovations, it becomes increasingly evident that understanding the supply chain liabilities and risks is key when understanding the cyber security impact to the payments market, particularly in the following areas:

  • Compromise of third-party digital wallet providers - The rapid increase of digital payments attracts opportunities for cyber criminals to indirectly access an organisation’s critical assets. The widespread use of digital wallets has seen emerging threats facing stakeholders involved in the supply chain such as mobile payment applications, card issuers and payment network providers.
  • Card-less service providers - The intricacies involved in card-less transactions such as vendor financing schemes elevate the risk of unauthorised access and fraud, due to multiple customer-triggered integrations between the bank and vendor finance company. However, consumers today are increasingly informed about the likelihood of a breach to their personal data through their service providers and will have no hesitation in moving their business to another service provider if they feel their personal data could be vulnerable to attackers.
  • Obfuscation via Blockchain - Blockchain is being adopted by numerous service providers, however the market opportunity for adoption has left a steep hill to climb when monitoring illegitimate transactions. At the same time, the level of ambiguity over regulatory standards leaves these organisations with little security guidance they can trust.

It is important for security, risk and business leadership to fully understand these risks and take appropriate measures to protect and enable these technologies. If you would like to learn more about securing innovations within the payments industry, download our free whitepaper or contact one of our experts:

by Alex Petsopoulos Financial Services - Cyber Security Lead Partner

Email +44 (0) 7941 454 210

by Anton Tkachov Financial Services - Chief Security Architect

Email +44 (0)20 7212 5216

07 January 2019

Using the ‘Rapid, Effective, Expert’ model when evaluating incident response retainers

by Gabriel Currie Incident Response - Manager

Email +44 (0)7802 658893

Cyber security incidents are on the rise; in the last 12 months a reported 72% of large businesses (and 63% of medium businesses) in the UK experienced cyber security breaches or attacks. Unfortunately, the cyber security skills gap is similarly a real threat, presenting a major challenge for organisations looking for the right expertise to defend themselves.

As such, many organisations are turning to incident response retainer services to ensure that they have access to digital forensics and incident response expertise and experience when it is required. As the market expands, it’s important to remember three core qualities to look for when choosing your provider:

  • Rapid: Your incident response retainer provider must be on hand 24/7 and be able to rapidly respond in the event of an incident, providing both remote and on-site support. This response time should be formally agreed as an service level agreement (SLA). Remote support should be accessible within a matter of hours (with the technology to support this), and on-site support shortly after. Consider the location of your provider’s staff relative to yours, and any administrative tasks that can be performed in advance to allow your retainer provider access to sites during both working and non-working hours.
  • Effective: A rapid response is irrelevant if it is ineffective; your incident response retainer provider must be able to hit the ground running. This means working alongside your internal teams and leveraging the right set of tools to identify the nature of the breach and its associated risks, contain and eradicate the threat, and recover to business as usual. Doing so effectively requires an up-to-date understanding of your organisation, business priorities, IT environment, and service providers.
  • Expert: Your incident response retainer provider must be able to provide the expertise and experience needed in a crisis, able to work equally with your executive board as with your first responders and technical teams. Consider organisational accreditations, such as membership of the National Cyber Security Centre’s CIR scheme, or CREST’s CSIR scheme, as well as analyst reporting (for example, Forrester’s Digital Forensics and Incident Response service providers report1) and peer recommendations. Also consider conflicts of interest: you may want an incident response retainer provider to be independent from other managed IT service or SOC providers when serious issues need to be dealt with.

Ensuring you evaluate incident response retainers with these three qualities in mind will prove integral to minimising the impact of a cyber incident when you need to call in support.

The ‘rapid, effective, expert’ model is also a key indicator that your incident response provider is able to support your organisation throughout the entire incident lifecycle (incident readiness, response and recovery), providing technical expertise coupled with business insight. While many incident response service providers focus on technology, consider the other services that you may need to call on in the event of an incident: cyber security and data protection legal advice, crisis management and communications, regulatory relations, data analytics, threat intelligence, threat detection, and more.

1 The Forrester Wave™: Digital Forensics And Incident Response Service Providers, Q3 2017

by Gabriel Currie Incident Response - Manager

Email +44 (0)7802 658893