Comforte AG’s Trevor Morgan on why financial institutions must address the growing cyber threat
Investment in the cybersecurity industry has grown since the start of the pandemic, with cybersecurity, privacy and security startups raising over $10.7 billion in 2020 alone. This has led many investment houses to tout cybersecurity as a lucrative market. Indeed, the rapid rise of cybersecurity products has created a “global boom in fighting online crime”. However, as the implications of poor cybersecurity become ever more pertinent, both individuals and consortium groups should be aware that cybersecurity entails more than an easy return on investment. The recent and far-reaching SolarWinds attack serves as an important reminder of this. From hedge funds and asset managers to venture capitalists, all have been affected by cloud security challenges in some way. It has even been reported that the financial sector is among the most vulnerable targets of attack because of its data-rich systems and large stores of personally identifiable information (PII). In fact, as a direct result of a cyberattack, one hedge fund had to cease operations completely because of the reputational and financial damage it sustained. With sensitive and valuable financial information collected and stored within portfolios and data silos, data security cannot be an afterthought: the likelihood of suffering a significant attack increases daily, especially with the influx of cloud computing and a chronic lack of visibility into potential threats.
Financial organisations need to adopt better cybersecurity practices to prevent waves of complex and costly cyberattacks, especially considering the sensitive nature of the data stored within their internal systems. In recent times, the financial services sector has been under immense attack from cybercriminals, particularly within the investment realm. As cloud adoption rises, many companies have attempted to implement digital transformation rapidly to maintain business continuity, all at the expense of data security, which has too often been relegated to an afterthought. Financial institutions must realise that they are adding to their data risk if sensitive and regulated data is not secured across its entire lifecycle.
How investors are being targeted and why they must heed the warning signs from regulators
In the past two years, ransoms from cyberattacks on financial companies have soared. The rush to equip employees to work remotely put countless firms at risk, and in the first half of 2020, when many countries were implementing a mandatory lockdown, the frequency of cybersecurity incidents targeting financial institutions rose by more than 54% in the UK compared to the same period the previous year. More recently, US Federal Reserve Chairman Jerome Powell told 60 Minutes that he is on alert for cyberattacks against U.S. financial systems and companies, above and beyond any other risks to the economy.
The threat facing many financial institutions has been echoed by the U.S. Securities and Exchange Commission (SEC), which warns that increasingly complicated cyber threats could change the face of ecommerce. As a matter of fact, the SEC recommends that “documents containing sensitive personal financial information (e.g. account numbers, passwords, and PINs) should be stored offline. If you decide to store any personal financial information in the cloud, carefully research the provider and utilise tools such as two-step verification and encryption, to protect your financial information”. Failure to secure sensitive data can have catastrophic consequences. The recommendation to secure highly regulated personal information and trade secrets with data security processes should not go unheeded. In many cases, appropriate data security is a competitive differentiator. Ask yourself this simple question: given the choice, would you trust your investment portfolio to a firm that has suffered a damaging data breach? Your answer will most likely be the same as your clients’.
Vital steps to help address the key data security issues to reduce the risk posed to portfolios
The first step that financial institutions and investment firms should take is to understand their risk profile. Without understanding which risks you are exposed to, you cannot possibly manage them. This may mean conducting an internal audit of current data security practices and identifying the weak points that may make these systems vulnerable. Only once a risk profile has been established can financial institutions and investment houses take the next step to secure sensitive information and client trust. While the SEC recommends encrypting all sensitive data as part of appropriate due diligence when securing information, it is important to stress that encryption is not a silver bullet for data security. Encryption depends on a key, and if that key is intercepted, every file encrypted with it can be read as clear text.
However, other data security methods are better suited to the demanding needs of financial institutions. Of these alternative methods, tokenisation is widely promoted as the most reliable. What sets tokenisation apart from its competition is that sensitive information, although hidden from unauthorised access, can still be used for analytical purposes. Instead of encrypting information with a cipher, the data is replaced by a ‘token’ that preserves its original format, so the information can be analysed effectively without ever being revealed in its entirety in plain text. This allows organisations to maintain a high level of data security while still retaining the value of the information. Tokenisation has the added benefit of travelling with the data it protects and is therefore always active, regardless of where the data resides or moves, and throughout its entire lifecycle. It can be used to actively and continually safeguard personal and financial data and assets within a database, the cloud, or wherever the data may reside. This means that financial institutions and investment houses will not be expected to prioritise security over business operations (or sacrifice security for productivity) and can continue to carry out digital transformation through cloud adoption without the concern of a damaging data breach or loss of client trust.
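As an added illustration of the format-preserving tokenisation described above (example code written for this edit, not Comforte's product or the author's own code), the vault-based tokeniser below replaces account numbers with random same-length digit strings that keep the last four digits, so transaction totals can be computed per account on tokens alone while the real numbers never leave the vault. The account numbers and transactions are constructed sample data, and the four-digit kept suffix is an assumption.

```python
import secrets
import string


class TokenVault:
    """Vault-based, format-preserving tokenisation of digit-only account numbers.
    A token keeps the original's length, character class and last `keep_suffix`
    digits, so grouping and matching still work on tokens. The leading digits are
    random (secrets module), not a cipher of the value; the only way back is the
    vault mapping, which must itself be access-controlled.
    """

    def __init__(self, keep_suffix=4):
        self.keep_suffix = keep_suffix
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenise(self, value):
        if not value.isdigit() or len(value) <= self.keep_suffix:
            raise ValueError("expected a digit-only value longer than the kept suffix")
        if value in self._value_to_token:  # same value, same token: joins still hold
            return self._value_to_token[value]
        head_len = len(value) - self.keep_suffix
        while True:
            head = "".join(secrets.choice(string.digits) for _ in range(head_len))
            token = head + value[-self.keep_suffix:]
            if token != value and token not in self._token_to_value:  # no collisions
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token):
        # Only a caller with vault access can recover the real account number.
        return self._token_to_value[token]


# Constructed sample transactions (account number, amount); not real data.
SAMPLE_TRANSACTIONS = [
    ("4111222233334444", 120),
    ("5555666677778888", 75),
    ("4111222233334444", 30),
]


def totals_by_token(vault, transactions):
    """Aggregate amounts per account on tokens only; no plaintext leaves the vault."""
    totals = {}
    for account, amount in transactions:
        token = vault.tokenise(account)
        totals[token] = totals.get(token, 0) + amount
    return totals
```

The analytics step only ever sees tokens; an attacker who exfiltrates the totals table gets format-valid but meaningless account numbers unless the vault itself is also compromised.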