Stephen Scharf, Chief Security Officer, DTCC
How can firms foster technological innovation while upholding a rigorous cyber-defense strategy? Problems can arise when companies run head first into innovation without considering potential risks.
The financial services industry has seen technological innovation accelerate at an unprecedented rate in recent years. Cloud computing, distributed ledger technology (DLT), artificial intelligence (AI) and robotics have demonstrated their potential to fundamentally transform global markets, but with greater efficiency comes the possibility of heightened risk.
As a result, an industry-wide focus on cyber-security has run parallel with the wave of innovation. This trend is hardly surprising; the more technology in use, the greater opportunity for cyber-criminals to breach it. This leaves the industry with a critical question: how can firms foster technological innovation while upholding a rigorous cyber-defense strategy?
The sharpened focus on cyber-resiliency is evident across the industry. Cyber-security is consistently ranked as the number one risk facing the global financial system in DTCC's Systemic Risk Barometer, and industry players are actively collaborating to develop cyber-security standards and best practices to improve firms' defenses while fostering innovation. An example of this is the establishment of a new World Economic Forum consortium led by DTCC, Citigroup and Zurich Intelligence that will look closely at bolstering cyber-security across fintechs. With global cyber-security spending predicted to reach US$200 billion (£144 billion) per year between 2017 and 2021, investing in cyber-defenses has become a widespread priority.
Some technologies naturally lend themselves to stringent cyber-defenses. The public cloud enables firms to encrypt and distribute applications and data across millions of servers and various centers, preventing malicious actors from identifying the resources used by a specific enterprise. Moreover, best practices, standards, data encryption and application programming interface (API) logging are validated at every level.
However, problems can arise when companies run head first into innovation without considering potential risks. For example, when organizations embark on a large-scale technology project, such as cloud adoption, they may find themselves in a transition period which can leave security gaps exposed and allow attackers to more easily infiltrate their network and infrastructure. These vulnerabilities are compounded as older IT systems tend to suffer from lower levels of security.
So how can firms avoid putting themselves at risk as they adopt new technology? There are a number of effective defense strategies that are being deployed to mitigate this growing risk. National and international collaboration across jurisdictions, information sharing and regulatory and industry engagement are key to addressing cyber-threats and preparing for recovery in the event of an attack. There is acknowledgement among firms that the likelihood of a cyber-breach is high due to the determination of a growing community of well-resourced actors and the sophisticated nature of attacks. As a result, many firms are placing increased focus on response, while continuing efforts around prevention. Now is the time to go “back to basics” and ensure cyber-security defenses are built in at an architectural level.
Take DLT as an example. DLT has two primary areas of focus. The first is the protocol itself, in terms of a hacker's ability to enter and alter its framework, and the second is the end points. DLT's immutability means that if a hacker writes a bug into the ledger, it could be very difficult to rectify. Therefore, firms must account for such actions by unwinding the system. Ensuring that the defenses are built in from the moment the technology is launched allows firms to build stronger resiliencies and reduce the risk of contagion.
The consequences of failing to do so are high. As an example, vulnerabilities were recently discovered in the chip security architecture of several large IT providers which made millions of systems susceptible to external access from unknown actors, putting sensitive personal data at risk. The scope of exposure caused widespread panic both within and outside of the financial services industry, reinforcing the belief that when it comes to security, complacency is not an option.
The technological innovation revolution is taking place amid a growing number of new threats and constantly evolving defense strategies, so firms must be vigilant and adapt to keep their infrastructure and critical data secure. Firms should start by ensuring that their defenses are embedded at an architectural level. Security should not be viewed as a hindrance to growth. In fact, the right defense strategy can propel innovation. With so much at stake, the risks are simply too large for cyber-security measures to be left as an afterthought.
Reproduced by permission from SC Media UK.