Cybersecurity and operational resilience: challenges for the financial sector
Finance expert Dr. Anastasia Kotovskaia discusses the role of corporate IT security, the ongoing threat of cybercrime, and the challenges the industry is currently facing.
11 min read
Dr. Anastasia Kotovskaia, LL.M., heads the Financial Markets & Information Technology Department at the Centre for European Policy in Berlin. As a seasoned legal expert, she provides this political think tank with comprehensive background knowledge in regard to ongoing EU policy proposals, evaluates their potential impacts, and offers feasible solutions for the greater EEC. She has published several articles in the fields of law, finance, and information technology. We recently asked her to give an opinion on the role of IT security within the financial sector.
The information revolution has dramatically contributed to the development of digital technologies throughout the financial sector. Banks now provide their business affiliates and customers with mobile applications and online banking systems that allow basic banking transactions to be conducted remotely. Unfortunately, these very same services present tempting targets for cybercriminals, due to potential security vulnerabilities. In 2021 alone, annual losses due to cybercrime amounted to over $6 trillion worldwide. Perhaps more concerning is that these threats are becoming increasingly more sophisticated. As a result, secure online banking solutions are an absolute must. Cyberattacks typically aim to gain access to, alter, or fraudulently use sensitive data, steal money from affiliated users, or disrupt everyday business operations. Implementing effective measures to protect operating systems, programs, and financial networks from cyber attacks is essential to the smooth functioning of a financial enterprise.In order to expedite transactions and provide targeted fiscal services, financial companies are obligated to access sensitive customer information. Typical data sets include payment data, credit reports, and similar private details. Unfortunately, these are all attractive to cybercriminals. Should a security vulnerability arise, hackers can access and use this information to their advantage. This is why it is crucial for financial firms to implement powerful storage solutions, as well as promptly identify and remedy possible security flaws.
Financial firms are under intense competitive pressure. In order to gain an edge, they are often required to implement new digital products and services to meet the needs of their customers. Employing modern (and potentially less-proven) technologies can lead to profound cyber risks in the financial sector. Banks and FinTech companies often use third-party software, which can create a security bottleneck. Hackers may be able to exploit systemic weaknesses to access sensitive data and steal valuable information. Additionally, the increasing prevalence of cloud storage is associated with its own set of risks. Financial organizations need to ensure that the proper technical infrastructure is in place and securely configured to protect against malicious attacks.Financial firms are under an increasing amount of pressure to comply with legal requirements and to ensure a high level of operational cybersecurity resilience.
In recent times, a number of pioneering EU-wide regulations have been adopted. One primary directive involves Network and Information Security 2 (NIS2). The main intention is to establish a recognized horizontal framework for cybersecurity. This is followed by the Digital Operational Resilience Act (DORA), highlighting the rules and guidelines specifically intended to be used by financial service providers. Both of these regulations were adopted on November 28, 2022.
Both DORA and the NIS2 Directive are expected to adopt additional regulatory and technical implementation standards in accordance with other governmental bodies, such as the EBA, ESMA, and EIOPA. These changes and the associated obligations are predicted to come into effect by late 2023 or early 2024.
The main goal of these European regulatory frameworks is to augment the overall levels of security proposed by the Cyber Resilience Act (CRA), which is still in the legislative process.The Network and Information Security Directive 2 is tasked with establishing and implementing high levels of cybersecurity throughout the European Union, particularly in regard to companies considered to be essential in maintaining a functional society. Examples include banks, central counterparties, and trading houses. All entities falling within the scope of NIS2 are obligated to take the necessary technical, operational, and organizational measures to address potential security risks and mitigate the negative consequences of a cyber attack.
This directive provides comprehensive guidelines in relation to risk management. One example may include the adoption of a company-wide system designed to immediately report security incidents to supervisory authorities. The NIS2 is also associated with the development of contingency plans to be applied before and during a cyber attack.
The NIS2 Directive clearly stipulates that risk mitigation procedures are the responsibility of managerial stakeholders. This essentially signifies that management will be liable for any losses resulting from a failure to comply with NIS2 provisions. Risk management is particularly focused on the following elements:In the financial sector, prior to the adoption of DORA, there were already various requirements covering key categories of financial risks, such as credit, general compliance, liquidity, counterparty defaults, and risks associated with the open market. These regulations were meant to deal with issues such as the allocation of capital and operational threats. However, not all concerns had been addressed, especially in relation to operational resilience. When combined with security incidents, such as a cyber attack, the stability of the entire financial system may be jeopardized. DORA is intended to circumvent such a possibility by clearly defining uniform requirements for the security of network and information systems.
However, it is not only banks that fall within the scope of DORA. These regulations will apply to a wide range of financial institutions, including investment firms, crypto asset service providers, alternative investment fund managers, payment providers, e-money institutions, central securities depositories, UCITS firms, critical benchmark administrators, and crowdfunding service providers.
Not only will DORA increase operational resilience within the digital domain, but it will strengthen existing cybersecurity protocols while simultaneously addressing many of the risks associated with Information and Communication Technology (ICT) across the EU. This arises from the fact that financial service companies are becoming increasingly connected to third-party firms offering dedicated ICT products and services. European legislators are specifically focused on the potential threats posed by cloud service providers. According to statistics, approximately 45% of all worldwide data breaches now occur within the cloud.
DORA specifies the following requirements for financial companies:The European Commission presented an initial draft of the Cyber Resilience ACT (CRA) on September 15, 2022. These regulations provide legal provisions for software and hardware products related to cybersecurity and remote data processing solutions. The CRA will have far-reaching effects on manufacturers, distributors, and importers of products who are required to validate their digital services. This act does not impose regulations on financial entities unless they offer the services mentioned above. However, the CRA is still likely to have an immediate and significant impact on the financial market. The requirements set out in the CRA will address the security gaps in products with digital elements that financial firms use to provide their services. Strengthening operational resilience and cybersecurity measures is not merely a legislative concern. Implementing the proper solutions is in the best interests of the firms themselves. There are several reasons for this. First, security vulnerabilities will negatively impact the reputation of any company. Customers must be confident that their money is protected at all times. Secondly, successful cyber attacks can impact the liquidity of customers as well as the financial firm. Research indicates that the annual cost related to operational security incidents in the financial sector is between €2 billion and €27 billion in the EU alone. Additionally, these very same security incidents pose a threat to financial stability. This arises from the fact that financial companies have become increasingly interconnected, enabling a single incident to spread quickly throughout the financial sector and cause significant economic damage. Finally, implementing effective tools to address security protocols will help reduce long-term operational costs for financial firms.Considering how much is at stake, it would be foolish not to take security risks seriously. This is why continually strengthening the integrity of cybersecurity systems is crucial to improve operational stability, regardless of legislation and legal obligations. Vulnerability assessments should be regularly performed in order to assess ongoing ICT protocols, detect any suspicious activity, and adopt the latest strategies.
The ability to link cybersecurity concerns with operational and digital stability will help take the guesswork out of the equation, especially when we consider how closely these systems are related. Therefore, it is critical that financial institutions develop an approach that takes the latest regulatory requirements into account.
When developing systems to mitigate and prevent cyber threats, the entire sector is fighting a common enemy. Therefore, financial firms should be proactive and advocate for greater security through means that go above and beyond benchmark regulatory requirements. This will help guarantee a greater degree of safety. Effective methods include sharing best practices learned from personal experience and voluntarily disclosing anti-fraud measures. Furthermore, companies must conscientiously train employees so that responsible behavior becomes standard practice. This form of education should be used in tandem with effective customer communications in order to protect against cybercrime. N26 explicitly agrees with all of the above points and employs state-of-the-art security mechanisms, such as biometric authentication and 3D Secure, to ensure secure online transactions. N26 security teams operate on a 24/7 basis to analyze potential threats and test technical product security. The N26 blog also informs customers of new threats and how to prevent them, such as bank transfer scams, debit card fraud, voice phishing, and other online scams. The financial sector suffers an average of 1,130 cyber attacks each week. This number has doubled compared to the previous year. Without a doubt, financial institutions will continue to be affected by all types of cyberattacks in the future. At the same time, cybercriminals are becoming more resourceful every year. Financial institutions must, therefore, keep abreast of the latest developments and regularly develop new approaches to effectively combat these ongoing threats.
The information revolution has dramatically contributed to the development of digital technologies throughout the financial sector. Banks now provide their business affiliates and customers with mobile applications and online banking systems that allow basic banking transactions to be conducted remotely. Unfortunately, these very same services present tempting targets for cybercriminals, due to potential security vulnerabilities. In 2021 alone, annual losses due to cybercrime amounted to over $6 trillion worldwide. Perhaps more concerning is that these threats are becoming increasingly more sophisticated. As a result, secure online banking solutions are an absolute must. Cyberattacks typically aim to gain access to, alter, or fraudulently use sensitive data, steal money from affiliated users, or disrupt everyday business operations. Implementing effective measures to protect operating systems, programs, and financial networks from cyber attacks is essential to the smooth functioning of a financial enterprise.
Where Can Security Lapses Be Found?
European Regulations Meant To Ensure a High Standard of Security Within the Financial Sector
NIS2
- Risk analysis
- Security concepts for information systems
- Cyber incident management and prevention mechanisms
- Backup protocols and crisis management
- Measures to ensure supply chain security
- Training of personnel on cybersecurity
- Use of multi-factor authentication and encryption techniques
DORA
- Regarding the management of ICT risks: DORA requires all financial firms to have a comprehensive ICT risk management plan in place. This includes specific ICT strategies, as well as dedicated in-house tools and processes that enable them to identify risks at an early stage. Furthermore, such approaches can help downplay the severity of a cybersecurity incident. Firms will also need to implement backup plans in order to recover from incidents as soon as possible. It is also necessary to evaluate the potential threats associated with third-party services and ensure that only reputable providers are used.
- Testing operational resilience: Firms must test and evaluate their operational resilience on a regular basis. This process should embrace a risk-based approach and go well beyond a one-size-fits-all solution. The intention is to guarantee that tailor-made strategies can satisfy the needs of specific business models.
- Reporting serious ICT-related incidents to financial regulators: Companies are obligated to record any type of cyber attack or similar security incident and report it to the proper regulatory authority. This procedure is similar to reporting data breaches to the competent data protection authority under the General Data Protection Regulation. The deadlines for reporting incidents will be outlined in the upcoming regulatory standards recommendations.
CRA
Why Must Banks Strengthen Their Security Protocols?
Taking a Proactive Stance Will Benefit All Parties
The Future Outlook
Find similar stories
BY DR. ANASTASIA KOTOVSKAIA, LL.MHead of Department for Financial Markets & Information Technology at the Centre for European Policy
Related Post
These might also interest youTechnology & Security
How scammers are using QR codes to steal your data
Not all QR codes are harmless. Here’s what to look out for to avoid falling for a “quishing” scam.
4 min read
Technology & Security
5 popular holiday scams to watch out for this season
Don’t let scammers ruin your holidays. Get informed about these 5 popular holiday scams to protect your wallet.
5 min read
Technology & Security
AI: Banking’s New Superpower
The AI-powered future of banking is already here in areas like fraud detection, risk assessment, and customer service, says digital finance expert Xavier Lavayssière. Read on to learn more.
7 min read