The Future of Financial Services Cybersecurity
By Matt High
How can digital transformation happen with confidence in the financial services sector? KPMG discussed this in a cybersecurity round table.
The cybersecurity threat landscape is changing for fintechs, incumbents and other financial services organisations. As the pace of digital disruption accelerates and innovative new technologies reach the market, those in the sector are having to adapt. They must also place trust at the heart of any cyber agenda. According to KPMG’s Global Co-Leader Cyber Security, Akhilesh Tuteja: “Financial services organisations are competing not only with their traditional peers, but also with an increasing number of agile, digital disruptors such as virtual banks. The pace at which these new players are developing is forcing traditional banks to adopt more agile approaches to managing their own IT infrastructure.”
Tuteja was speaking as part of a round-table discussion between KPMG’s cybersecurity practice leaders, titled Securing the Future of Financial Services: Driving Innovation with Confidence. The discussion was framed around the idea that, amidst constant change, leaders face several new challenges in actively managing customer trust. For example, the rise of virtual banks forces greater IT infrastructure transformation on the part of incumbents in order to maintain a competitive edge, which presents greater security risks. Similarly, new technologies such as AI or chatbots must be secure and trustworthy; they must also contribute to the user experience.
Against this landscape, KPMG sought answers to several key questions facing financial services leaders – Chief Information Officers, Heads of Cyber Risk and so on – when it comes to securing their future endeavours.
Key points for discussion under the topic of virtual banks included speed of change, customer experience, regulatory fragmentation and the supplier ecosystem. Here, speed is crucial. This is largely a result of the financial services landscape becoming increasingly competitive: incumbents are no longer competing just with each other, for example; they now face a direct challenge from virtual banks, fintechs and other digital disruptors. These new entrants to the market are geared towards the latest technologies, are more flexible and have built their businesses digitally from the ground up; they have an advantage as a result.
According to Tuteja, for example, “a major transformational change of a bank’s platform used to take anything between two and five years. But now they’re up against players with no legacy systems to upgrade and they are forcing the pace. Suddenly people are talking about upgrading banking systems every four to six months.” Understandably, this places considerable pressure on incumbents’ IT infrastructure. This matters all the more in the context of this article, as any accelerated change or increased complexity in IT and digital technology places strain on those responsible for managing the change.
Digital disruptors and new market entrants rely entirely on technology – cloud-enabled ecosystems, digital banking platforms etc – due to their having no physical branch locations. As a consequence, they often work with several technology partners. Henry Shek, Head of Cyber Security, KPMG China, raised this as a particular risk, noting that while this approach increases speed to customers, it “also adds increasing complexity to cyber risk management, which is still in its infancy”.
With regard to digital disruption and new technologies in the broader sense, those in KPMG’s roundtable found that cybersecurity risk management remains a challenge. In their haste to innovate and retain their competitive edge, financial services players are embracing technologies such as AI, chatbots, real-time data analytics and biometrics for customer identification and management. These bring their own challenges. For example, according to KPMG: “Cyber criminals are already using new and advanced methods to manipulate security weaknesses and traditional security and protection mechanisms may not be sufficient to deal with AI and advanced technology-enabled attacks.”
To combat this, it predicts, financial institutions will likely embed cybersecurity into their broader digital strategy and invest in it on a greater level to the point where it becomes a central part of every digital adoption throughout the sector.
AI and maintaining security
AI is having a significant impact on the financial services sector. According to Deloitte’s How Artificial Intelligence is Transforming the Financial Ecosystem report, for example, AI and the advances that it brings will reshape every building block of success in financial services. It states: “Technology will make operations efficient enough that asset size will no longer be sufficient to sustain cost advantages. Meanwhile, revenue will not come from standardisation but from the highly customised products and personalised interactions that AI makes possible.” It is also recognised that exclusive relationships with customers will no longer be a differentiator, and that customers will stay with a bank, not because it is difficult to walk away, but because the personalised benefits are better than any other.
In KPMG’s roundtable, Tuteja recognised that AI will power the new age of financial services, but questioned how to make the technology secure when legacy programming technology is not applicable and AI is becoming increasingly complex. Bots were also discussed. Specifically, while they are designed to interact with the customer and make decisions based on ‘question and answer’ type algorithms, the process by which they manage that customer interaction must be seamless, with best practice being a balance between the robot and the physical, for example. It was also stressed that security and privacy be embedded into AI and bot applications from day one, and that all financial institutions must demonstrate AI integrity and robustness in order to minimise the security threat. There may even be, it was argued, a case in future for governing AI as you would a person rather than a technology.
The changing risk landscape
The role of those tasked with managing risk is changing, even, it was suggested during KPMG’s roundtable, “breaking up”. According to Charlie Jaco, Global Financial Services Lead, Cyber Security, the role of the CISO no longer stops at “simply telling the board how many vulnerabilities were discovered last month”. Jaco suggested that for most large financial services institutions in the US, the role of CISO should migrate to that of Head of Cyber Risk.
It was discussed that many organisations have centralised their fraud risk and operations, with fraud risk being second line and operations first line. However, as this shift occurs, participants questioned what a new operational model that accommodates this change would look like, and how it would be governed. Technology could play a role too. Tuteja, for example, suggested a shift towards allowing machine learning and bots to understand fraudulent activity, but said that they are currently not smart enough to do so. Where the technology can and will be used to great effect, however, is in identifying patterns of fraudulent activity; this is already being put into practice by several leading organisations.