The Covid-19 pandemic has transformed the way businesses operate. Within a few weeks from the onset of the pandemic in early 2020, corporations had to shift to a remote working model. This change was marked by rapid adoption of cloud technologies and a significant proportion of workforce suddenly using personal devices to access their official documents. While this enabled business continuity, it also expanded the threat perimeter, making businesses more vulnerable to cyber-attacks.

The banking, financial services, and insurance (BFSI) sector is no exception. From February 2020 to April 2021, the BFSI sector experienced a 40-fold increase in cyber-attacks including phishing, malware and ransomware.¹ In 2020, the average cost of a data breach for a global financial services firm was $5.85 million, significantly higher when compared to the average cost across all the sectors.²

Within BFSI, capital market firms are likely to witness a significant impact, given that they accounted for over one-fourth of all cyber-attacks targeted on the BFSI sector from January 2020 to March 2021.³ Recent technology trends in capital markets are increasing the number of participants on the enterprise network, making it more vulnerable to cyber-attacks. The adoption of open architectures — which allow corporations to quickly add, upgrade, and swap system components with third-party companies — are also making it more difficult to align cybersecurity controls across the extended enterprise network. Similarly, commercial off-the-shelf products are often cost-effective and simplify installation but can create unknown cyber risks in the enterprise network.

Top cyber risks in the post-pandemic era

CIOs and CISOs can help minimize the impact of cyber-attacks by pro-actively checking the key sources of these attacks. Wipro’s recent report State of Cyber Security 2020 highlighted three top sources of cyber risks for BFSI firms in the post-pandemic era:

• Unprotected services from third-party vendors
  With the advent of open APIs, a number of third-party vendors have emerged as the authorized service partners of leading BFSI firms. Because these vendors are granted access to confidential client data, unprotected services from these vendors have become a key targets for cyber-attacks.
• Employee negligence/Unknown cybersecurity protocols
  More than half of the organizations surveyed experienced cyber-attacks owning to lack of cyber awareness or negligence of their employees. This was also because, amidst lockdowns, some employees had to use personal devices which lacked adequate security.
• Over-allocation of high-risk permissions on cloud
  On an average, organizations provide over 95% of their employees with high-risk permissions on cloud. However, employees typically use only 10% of these permissions. This inability to effectively grant, manage, and monitor permissions across a multi-cloud environment is posing a serious risk to BFSI firms.

In addition, aligning regulatory requirements across multiple jurisdictions (for instance, GDPR and the California Consumer Privacy Act) also remains a challenge, increasing latency in cybersecurity processes supporting operational resilience. 

Developing a consistent, functional capability model based on governance, people, process and technology helps alleviate these problems and presents an integrated view of cybersecurity from a compliance perspective. Making wise use of security and compliance data to establish clear linkage between threats and risks enables firms to make more strategic decisions.

Key assets and associated processes capital market firms need to secure

In the context of capital markets, cyber-attacks typically target certain assets across the value chain, as shown in Figure 1. CISOs need to pay special attention to ensure cyber resilience of these assets.

Figure 1: Key assets across capital markets value chain targeted by cyber-attacks.

Buy Side

Asset and wealth managers possess confidential client data including investment portfolio, funds committed, returns earned, etc. Hackers may spy, breach, or manipulate this data by attacking the data warehouses managers use to store client data. Cyber-attackers may also target client devices to breach their login credentials and make spurious transactions. Similarly, hackers may attack asset manager’s proprietary investment strategies and trade books to disrupt operations. CISOs need to address these risks as they can lead to loss of investor’s trust and significant business loss.

Market Infrastructure

The pandemic sparked a surge in trading volumes across global exchanges as stock valuations dipped and recovered in a short span of time. This momentum is likely to continue given strong investor confidence. However, it may also attract intruders targeting order management, matching, and pricing engines of exchanges. An unmanaged attack may halt exchange operations until the issue is resolved. To prevent disruptions, CISOs must pro-actively address these risks. Similarly, clearing and settlement firms need to secure their data and algorithms because an attack on either may lead to fraud in the transfer of funds or securities. Lastly, financial data providers must secure the networks through which they disseminate trade data to their clients. Potential corruption of data networks can mislead clients and lead to significant loss of business.

Sell Side

Broker dealers and investment banks are home to vast volumes of confidential information associated with capital markets trading and M&A deals. These organizations need to secure their trading systems as any interference can lead to significant business loss. Similarly, they need to be cautious about the security of investment banker’s mobile devices, which are often attacked to steal intelligence on highly sensitive rumored deals. For M&A deals in progress, data rooms contain confidential information of the target. These must be protected against cyber-attacks as potential breach of information may lead to legal issues. Lastly, auctions are highly confidential processes. Investment banks must ensure security of their buy-side client’s biding information and their sell side client’s auction data.

Roadmap to operational resilience through a reimagined approach to cyber security:

With the continued rise of remote working and open API-based services, the perimeter of the enterprise network is expanding beyond traditional boundaries. Against this backdrop, future enterprise networks will be forever evolving, growing increasingly complex — and leaders need to prepare for the all new set of cyber-attacks.

Hackers are now targeting enterprise cognitive systems aimed at extracting and poisoning confidential data fed into machine learning (ML) models. Similarly, intruders are now attacking APIs to breach data feeds shared with third-party service partners.

To ensure operational resilience, capital market firms need to reimagine their traditional approach to cyber security. Figure 2 illustrates a framework for a holistic cybersecurity strategy with a focus on governance, people, process, and technology.

Figure 2: Framework to develop a holistic cyber security strategy.

Governance

A strong governance framework with clearly defined roles, responsibilities, and accountabilities for key stakeholders is the foundation of a robust cyber-security program.

• Corporate board: Boards needs to actively participate and clearly define the vision of the enterprise cybersecurity program. This vision will subsequently guide the actions of executive leadership and cybersecurity professionals.
• Executive leadership: Leaders must commit to aligning the cybersecurity program with their business plans and allocate appropriate budgets and resources. Additionally, close alignment between all three lines of defenses (security operations team, cyber risk team and internal audit team) bolsters efforts to run an integrated program.
• Enterprise risk management: Cybersecurity needs to be an integral part of the overall risk management function, where risk management policies govern key priorities of the firm’s security operations center, which is responsible for ensuring operational resilience from cyber-attacks.
• Third-party security policies: Capital market firms need to define robust security policies for third-party vendors and monitor their activity to avoid potential API abuse and breach of their data feeds.
• Zero-trust model: CISOs need to presume that attackers are already present in the network and enforce appropriate security controls to prevent and contain any attack or breach.

People

In the post-pandemic era, ensuring operational resilience will not only be the responsibility of cybersecurity professionals but of the broader workforce as well. Below are key elements of a cybersecurity strategy from the People perspective:

• Security Operations Center (SOC): Capital market firms need to develop a centralized function to continuously monitor and improve operational resilience to cyber-attacks. The SOC is the hub which decides how to manage or respond to a security threat.
• Secure remote working environment: Firms which are planning to continue using remote or hybrid working models need to ensure that they have the necessary controls in place to provide a secure, productive working environment.
• Cybersecurity talent: Given the increasingly complex nature of cyber-attacks, CISOs need to ensure that they have the right talent in place to combat them. They may look to outsource some specialized areas to leading cybersecurity service providers, or employ a hybrid co-source model to enable organic growth.
• Employee awareness and training: With remote working, employees define the perimeter of an enterprise network. To ensure that employees know how to keep this network secure, capital market firms need to train employees in basic cybersecurity protocols, with advanced training for anyone handling critical assets or data.
• Adaptive trust model: Because employees can unknowingly trigger a cyber-attack, CISOs should use dynamic, adaptive trust models to provide access to critical data or processes. These models continuously assess and rate employees basis their behavior towards the data or systems on which they have been granted permissions. For instance, if a user accesses sensitive data not needed to perform their job, that user’s privileges should be revoked. 

Process 

The following five-step, closed-loop approach allows capital market firms to effectively detect, prevent, and respond to increasingly complex cyber threats across the enterprise network:

1. Identify: Develop a detailed understanding of the critical assets including data, systems, people and capabilities across different functions of the organization. This may help the SOC team prioritize and focus its efforts.
2. Protect: Develop appropriate safeguards against potential cyber security threats, such as identity management and access controls, data security, application security, adequate monitoring tools.
3. Detect: Use the appropriate tools to discern legitimate and illegitimate activity throughout the enterprise network. SOCs may use AI & ML to embed cognitive capabilities in threat detection.
4. Respond: Plan and execute the appropriate actions to a cybersecurity incident. This includes preventing the expansion of a breach, communicating with relevant internal and external stakeholders about the incident. Running enterprise-wide table-top exercises provides reasonable assurance for response.
5. Recover: Take appropriate action to timely restore any services or functions that were impacted by the cybersecurity incident. Develop a robust plan to enhance the firm’s operational resilience and protect against potential attacks in the future following forensics analysis of an incident.

Technology

Technology is key to operational resilience as it provides intelligent, automated tools that enable continuous detection and prevention of cyber-attacks.

• DevSecOps: Integrate cybersecurity into DevOps to assess the security of applications right from the design and development stages. For instance, they may assess the code written in every build against various security assessments.
• AI & ML: CISOs may leverage AI & ML to develop cognitive capabilities of their SOC. These technologies can help SOCs recognize patterns and faults which can be used to detect suspicious transactions, phishing attacks, and fraud indicators.
• Zero-trust architecture: To implement a zero-trust model, it is critical to have an aligned technology architecture in place. One common approach is micro-segmentation, which divides the network into granular segments to better monitor, evaluate and authorize intra- and inter-segment communication.
• Hybrid-cloud security: Using a mix of on-premise, private cloud, and public cloud environments can enhance operational resilience by reducing exposure of critical data and processes to public cloud. Hybrid-cloud environments also allow firms to take responsibility for critical data-related security controls while sharing responsibility for broader security controls with cloud-service providers (CSP).
• Security orchestration, automation and response (SOAR): SOAR platforms consist of three components: First, orchestration integrates disparate cybersecurity tools via custom APIs to gather all data in one place. Second, automation uses AI/ML algorithms to ingest and analyze data feeds from orchestration to detect threats faster. Third, response offers an interface to plan, manage, monitor, and report the actions to be taken once a threat is detected.

In the post-pandemic era, robust cybersecurity systems will be critical to ensure operational resilience. Corporate boards need to make cybersecurity a strategic priority and a business imperative, and push for alignment among executive leadership, risk-management functions, SOCs, and the entire workforce running day-to-day business operations. CISOs will need to leverage the right technology architecture, tools, and platforms to ensure that business-critical assets are well protected against potential cyber-attacks across the enterprise network.

References:

1. Work from home fueling cyber-attacks, Reuters, July 2021
2. Cost of a data breach report, IBM, 2020
3. Timeline of cyber incidents involving financial institutions, Carnegie Endowment for International Peace