How has the cyber risk landscape evolved over the past year? What new threats have emerged?
We have not really seen any ‘new’ types of threats emerging—the majority tend to be phishing and spear phishing efforts that have been around for years. However, malicious actors continue to develop their capabilities, both in terms of their knowledge and in their sources of funding. At the same time, firms’ internal environments and infrastructures have become more complex, with more potential entry points and interconnections.
It remains a cat and mouse game, and as an industry, we must ensure that we continue to evolve our capabilities to counter this ever-present, ever-growing threat.
Can new fintech solutions help address cyber risks?
Certain forms of fintech have been used by cybersecurity management teams to combat cyber risks. Solutions underpinning artificial intelligence (AI) and machine learning (ML), for example, are proving to be effective tools in cyber defence and response.
How can AI and ML bolster firms’ cybersecurity capabilities?
Specifically, AI and ML have enabled firms to create data leaks and query vast amounts of data, looking for anomalies and suspicious behaviour in order to respond to issues.
In addition, AI and ML have enabled teams to more accurately assess and respond to cyber threats in real time.
It is important to note that the process today often remains a reactive approach, for example, scanning data, looking for problems and mitigating them.
Moving forward, it will be interesting to see if the industry will successfully leverage AI and ML in a greater capacity, so as to be more predictive around cyber threats, like detecting patterns and behaviours to head off an issue before it manifests.
Are there any risks associated with an overreliance on fintech tools?
Fintech offers an exciting opportunity to shape the way that the financial markets operate, but we must balance these capabilities with any implementation risks, including cybersecurity. As highlighted in DTCC’s recent research—fintech and financial stability: exploring how technological innovations could impact the safety and security of global markets, October 2017—cybersecurity risks have been reported as top concerns by firms setting up fintech partnerships.
These concerns are already being addressed on an industry level. For example, the World Economic Forum (WFE) recently created an industry consortium focused on improving the cybersecurity of fintech companies, as a collaboration between fintechs and established financial institutions and infrastructures grows. DTCC is one of the founding members of this initiative and together with WFE’s new global centre of cybersecurity, the consortium is developing a set of common principles for cybersecurity assessments, guidance for implementation, a point-based scoring framework, as well as guidance on improving an organisation’s score.
Is there a need for a greater regulatory intervention to ensure the industry’s ability to respond to cyber attacks?
Regulators around the world have been active in the cybersecurity discussion for quite some time, and have been proactive in introducing mandates and best practices to promote increased safety across financial markets. Unfortunately, these mandates and best practices have often been introduced at the local level, with different requirements, terminology and approaches.
That said regulators are having conversations across jurisdictions on how to best harmonise mandates and best practices. For example, regulators are assessing whether they can harmonise around the two-hour detection and recovery timeframe, as specified in the US. Harmonisation around cybersecurity regulatory guidance and rules would be a welcome development by industry participants and vendors alike.
What is more, an industry effort is underway to harmonise the cybersecurity lexicon, with the goal of creating a standardised list of terms that can be leveraged by regulators, providers and market participants.
DTCC is an active participant and contributor to these discussions, with the project overseen by the securities industry and Financial Markets Association and the former BITS organisation, a division of the financial services roundtable.
