The common image of a cybercriminal is that of a slovenly, yet highly-skilled, individual sitting alone in a basement having not seen daylight in weeks. The modern cybercriminal, however, is far removed from this.
Cybercriminals are organised in large networks, often well-funded and highly talented which allows them to unleash devastating attacks. According to online crime figures from the National Fraud Intelligence Bureau and Get Safe Online, fraud and cybercrime cost the UK £10.9 billion in 2015/16. But this figure underestimates the true cost as it only includes reported cybercrimes. Websense’s report entitled “2015 industry drill-down report – financial services” showed that financial service providers experience security incidents 300% more often than organisations in other industries.
Financial service providers are right to fear cybercriminals, given the potential fines and damage to a firm’s reputation that can occur from a breach. A distinction, however, should be made between cybersecurity and data privacy. According to Clearswift’s research of 300 IT decision makers across various sectors, including financial services, 58% of cybersecurity threats are internal. These threats from internal breaches are evidently dissimilar to the aforementioned common image of cybercriminals and subsequently require different solutions.
Instead of responding with a culture of internal paranoia and cowering in fear of cybercriminals, financial service providers must respond by strengthening their control over data by adopting regulatory technology and pursuing collaborative efforts to guide compliance through the ever-expanding regulatory landscape. This article will focus on how firms can adapt to multiple contradictory regulations on data protection, protect against data breaches and centralise the responsibility and organisation of data to overcome the structural weaknesses that are exploited by cybercriminals.
Poor data controls are as scary as cybercriminals
The debate over protecting data has been around since the inception of data, so why has it become so popular again? Its resurgence cannot be accounted for solely by the increased sophistication of cybercriminals. Situating its relevance in the regulatory landscape of more data protection requirements explains why data protection has reared its head again.
MiFID II, GDPR and PSD2 are huge pieces of regulation that affect what and how data is stored, but complying with these is hampered by financial service providers treating them as entirely separate entities and not identifying crossover areas. In JWG’s most recent article on GDPR, we noted the regulatory crossover between requirements for transaction reporting in MiFID II and data storage under GDPR.
This crossover demonstrates how regulatory initiatives are working against each other on certain points. On the one hand, MiFID II demands that firms record and store all communications that lead to a transaction for up to five years. On the other, GDPR requires data to be kept no longer than is necessary and to record conversations that are specific to the transaction. This example is one of many where regulations have significant crossover but divergent aims and requirements.
As MiFID II applies from 3 January 2018 and GDPR not until 25 May 2018, most financial services providers are focusing on preparing for the former. This means that GDPR is being left as an afterthought by financial services. Waiting until the MiFID II framework is in place will make it particularly difficult to implement the necessary changes under GDPR due to the contradictory elements and can only increase the regulatory headache for firms. Firms must tackle both beasts simultaneously. To streamline complying with multiple regulations affecting data controls, a more holistic approach to compliance must be adopted by identifying crossover areas and not treating regulations as separate entities. Any poor data controls will remain open to abuse by cybercriminals.
Preventing cybercrime: where does the buck stop?
The necessity of adapting to new regulatory requirements is accentuated by initiatives that allow regulatory discipline against individuals who are responsible for implementing data controls. The Senior Managers and Certification Regime (SMCR) was introduced on 7 March 2016 to designate specific responsibilities and conduct rules for more responsible banking. Where there has been a breach within a senior manager’s remit, action can be taken against the senior manager by regulators.
If there is a data breach by cybercriminals and it is apparent that adequate data controls were not in place, regulators could punish senior managers for failing to put those controls in place. In this instance, firms should be as scared about poor data controls as they are about cybercriminals, because senior managers can be held liable in the same way as cybercriminals or internal attackers for a breach of data.
Although liability for a data breach can be extended to senior managers, it is still difficult to ascertain who is responsible and accountable for reducing cyberattacks. In November 2016, the head of the Treasury Select Committee, Andrew Tyrie MP, wrote to Ciaran Martin, head of the new cybersecurity centre of GCHQ, about this exact issue. He cited the case of the banking division of Tesco being hacked in November 2016 where £2.5 million had been stolen from 9000 accounts. Currently the PRA, FCA and GCHQ are responsible for dealing with cyberthreats, which makes it difficult to establish singular responsibility in the face of cyberattacks. Andrew Tyrie considered “whether a single point of responsibility for cyber risk in the financial services sector, with full ownership of – and accountability for – financial cyber-threats is now required.”
Andrew Tyrie’s proposal underlines how traditional methods of establishing accountability and responsibility are not always effective in countering cybercriminals. Forbes Insights and BMC released a survey in January 2017 entitled “Enterprises re-engineer security in the age of digital transformation” that received responses from various financial service providers across North America and Europe. The research showed that 52% of respondents claimed that accountability for security breaches had increased for operations teams and that there was still a lack of cooperation between operations teams and security, with 65% of CIOs and CISOs believing that security would increase if there was further cooperation.
The issue of cooperation is made more difficult by old fragmented legacy systems that do not communicate with each other. This lack of communication results in slow responses to data breaches, lack of information on who is accessing data and a fragmented response to serious data breaches. In line with Tyrie’s proposal, central accountability is the key for protecting firms from both internal and external cyberthreats. Financial service providers should centralise their databases to allow them to effectively monitor internal access and reduce outside cyberattacks that target discrepancies between old fragmented systems.
Escaping the regulatory quagmire
The lack of collaboration between departments within firms means that poor data controls have the potential to be scarier than traditional cybercriminals in the current framework, as their organisation and technical skills can overwhelm disjointed teams within firms. Reducing the threat of cybercrime, however, will not result from increased organisation alone … this must be coupled with technological innovation.
Stopping cybercrime requires mutual compliance across the financial service industry with the latest financial regulation, but antiquated legacy systems are not effective with keeping up with the flurry of regulatory standards. Instead, firms must not only adapt their organisational structure and pursue collaboration to combat the growing threat of cybercriminals, but also upgrade their technological infrastructure with modern regulatory technology to organise and effectively implement regulatory standards.
JWG seeks to guide the financial services industry through conflicting regulations by creating the collaborative platform to crowdsource ideas from a diverse range of experts in order to identify and provide solutions to the key areas of crossover.
One of the ways in which this guidance will be achieved is through our Data and Security SIG (DSS) which will be launched in April. This group will cover issues around data security and privacy relating to record keeping requirements across a wide range of regulations, as well as looking at the associated technology risk and risk data requirements. If you would like to find out more, please contact firstname.lastname@example.org.
In addition, we will debate these issues at our 300+ person RegTech Capital Markets Conference, which Business Insider noted as one of the world’s top RegTech conferences to attend in 2017. The afternoon parliamentary-style roundtable on ‘Poor data controls are as scary as cybercriminals’ will cover all the issues discussed in this article in greater depth. Please sign up here if interested.