The average cost of cybercrime for financial services organizations has increased by a staggering 40 percent in three years, from $13 million per institution to $18 million, according to a recent study by the Ponemon Institute. A colossal 60 percent of banks' total security spend is on containment and detection of data breaches. The costliest type of attacks are denial of service, phishing campaigns, social engineering and malicious insiders.
"Hacking groups are getting very professional, and they have a lot of resources behind them to create malware. Every day, they are getting stealthier and more difficult to detect, which is making it difficult for financial institutions to stay ahead," explains Laurent Lacroix, Business Development Director, Connectivity and Cyberdefense at Orange Business Services.
The availability of sophisticated cyber skills in the underworld is becoming more prevalent. Ransomware-as-a-service is generally available on the Dark Web. The Massachusetts Institute of Technology (MIT) predicts that this year we’ll see machine learning models, neural networks and artificial intelligence (AI) being exploited by cyber criminals. It will allow them to design malware, for example, that can get around malware detection software.
The move to online and mobile banking has opened up a new treasure chest for cybercriminals to plunder, with any weak links providing a target point for access. "It can’t be assumed that fintechs have the same level of security maturity as banks. We need to make sure that security is at the core of the development of these apps, which is something we help companies address," adds Lacroix. Orange Cyberdefense collects 250,000 malware per day, 30,000 of which are banking malware.
Fintech security challenges
Fintechs are introducing transformative new business models that are disrupting the traditional banking model – but with this innovation comes risk to customer data. As new players come into the banking arena and banking apps become more popular, the attack surface is expanding. This is increasing the risk of cyber extortion, botnet attacks and fraud, putting increased pressure on security initiatives.
At the same time, banks are increasingly linking fintechs to their system infrastructure, either as part of a partnership or because of regulation, such as the European Union's Payment Services Directive (PSD2), designed to open up banking data to third parties who can create new products. We are seeing the adoption of technologies such as bank-as-a-marketplace, bank-as-a-facilitator and bank-as-a-service business models, which all demand robust security and data privacy.
In a bank-as-a-service model, the bank provides the back-end services for fintech start-ups and other businesses who lack their own infrastructure or banking licenses. This can include facilities for digital banking and cards, PSD2-compliant payment services, consumer and SME lending, Know Your Customer (KYC) checks, and general account services. The consumer-facing brand will be heavily reliant on the bank-as-a-service provider for core security capabilities.
With a bank-as-a-marketplace scenario, banks become platforms or portals through which existing third-party services can be accessed. These range from travel insurance, payment-based loyalty schemes and mortgage brokerage to pension aggregator services. Banks need to carefully audit the cyberdefense capabilities of these third-party providers, as any breaches will directly impact their brand. They also have a legal responsibility to safeguard their customers' data wherever it resides.
Finally, with a bank-as-facilitator business model, the bank creates APIs that provide third parties with access to data for accounts, cards, loans and notifications. Controlling data privacy is the over-riding concern here.
In a bid to secure this "open banking" trend, the World Economic Forum (WEM) created a consortium earlier this year focused on improving the security of fintechs. The consortium is working in several key areas, including developing common principles for cybersecurity assessments.
"Fintechs can only deliver on their customer experience promises if the financial system is able to manage the risks adequately," explains Matthew Blake, Head of the Financial and Monetary System Initiative at the World Economic Forum. "This consortium will offer technology companies a clear goalpost and thus enable them to implement sound cybersecurity measures at the product design stage."
The changing attitudes of consumers
Consumers expect to be able to carry out banking transactions 24/7, wherever they are. To do this, they're actively seeking out service providers that can fulfill these demands. As McKinsey points out in an open banking disruption report, technology innovations – such as digital payments and cloud-based applications – have heightened customer expectation for both convenience and security.
While open banking poses a threat to traditional banks, it also provides them with an opportunity to compete as technological innovators, mining valuable customer insight from their vast data mines. Banks, however, must be able to guarantee customers that their data is being protected while at rest, in transit and in use. This means it will always be crucial to have secure communications channels, including encryption methods. The UK, for example, has adopted OAuth 2.0, an industry-recognized secure method for verifying digital identities.
Privacy protection, however, can work to a bank's advantage. Financial institutions such as UBS, for example, have established secure data vaults for customers to store important documents, such as contracts, insurance policies and identity papers.
A new era of open banking
Open banking brings exciting new possibilities, making financial services faster and easier with greater product choice. But with so many interconnected entities, robust security will be a vital ingredient in building and retaining consumer trust. This will require proactive cyber threat detection capabilities, a skilled cyber workforce, robust incident response plans and collaboration between the banking community on threat and attack intelligence.
The revolution reshaping the financial services industry is creating countless opportunities for financial institutions to reinvent their business models through innovation. Discover our IT services dedicated to banks and financial services, and how we can help you be prepared for a changing threat landscape.
Jan has been writing about technology for over 22 years for magazines and web sites including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.