Jason Harrell, DTCC Head of Business and Government Cybersecurity Partnerships
The financial services industry has experienced a rapid acceleration of technological innovation in recent years. The interconnectedness of the global marketplace has simultaneously risen to an unprecedented level. Consequently, firms are exploring the benefits of technologies like blockchain, artificial intelligence and robotics while increasingly relying on third-party vendors to handle some functions. New technology and outsourcing can lead to significant efficiency improvements and reduced operational costs, but those benefits come with a possibility of elevated risk. Moving certain operational and non-core functions to outsourced providers or using third parties to develop products and services opens the door for external vendors to gain some level of access to the firm and its confidential data. To further complicate matters, the vendors themselves sometimes employ external providers to deliver their services. While this expansion of the supply chain allows firms to minimize costs and provides an opportunity to introduce innovative solutions more rapidly, it also widens the surface area that could be used for a cyberattack against the firm and, due to the interconnectedness of the financial industry, against the sector as a whole.
A firm’s ability to swiftly onboard new technology is often perceived as a positive, enabling the deployment of new technological solutions, ultimately leading to client adoption and enhanced client satisfaction. However, a rush to implement new technology introduces potential risks, so it is vital that firms understand exactly how the technology is going to be applied and prepare for any potential vulnerabilities that may arise after implementation.
Regulators and standard-setting bodies (SSBs) have taken notice of these new risks and are collaborating with the industry to establish best practices to guide how firms should manage these potential operational impacts.
The UK Supervisors, including the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority, recently published a discussion paper detailing the Supervisors’ view on what would be required to enhance an organization’s resiliency and the steps the supervisors could take to support the sector. In the US, the industry has rallied around the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), a collection of cybersecurity best practices and evaluation criteria. Building upon the advancements of NIST, the Financial Services Sector Coordinating Council (FSSCC), which collaborates with government agencies to protect US infrastructure from cyberattacks, has introduced a new Cybersecurity Profile, a framework that integrates supervisory expectations to help guide financial institutions in demonstrating compliance with cyber risk management requirements.
As an industry-owned critical market infrastructure, DTCC continues to take steps to further enhance cyber and operational resiliency beyond our own operations. We have been involved in numerous industry-wide testing initiatives, support the sharing of threat information and remain focused on helping to improve cyber and operational resilience sector-wide.
Furthermore, we work closely with participants in other critical sectors to help them determine what controls they possess and how they can continue to improve to guard against cyberthreats. Effective defence mechanisms and resiliency plans are achieved by working collaboratively and implementing best practices, ensuring there are robust measures in place capable of both defending against threats and ensuring the resiliency of critical operations across financial market infrastructure.
This article was originally published in Eurofi Magazine.