Financial institutions continue to grapple with the ever increasing complexities of cyber security. As online services across all channels grow, so does the security risk. The underlying questions are - how do organisations modernise the legacy platforms that were not designed for the open, connected world of today’s demanding consumer base, and provide the services and interfaces in a secure manner?

The continual growth and competitiveness in digital services continues to disrupt the market. Whether they like it or not, financial firms and their customers will always be seen as targets and those that take this lightly, or avoid the gravitational pull of online services due to security concerns, will be left behind.

That being said, many organisations are trying to put the right protection in place. The key responses to any security incident are monitoring, reacting and remediating. We have seen from recent breaches that the way that a financial institution reacts and addresses its customers that have been affected can make all the difference. Admitting that a security breach has happened is never easy but your customers are more likely to stay loyal to your brand if you openly discuss the security breach, what information or even money was taken and the remedial activities that you are promptly taking.

Open Banking is getting closer – are you ready?

This August, the Competition and Markets Authority published the final report on its retail banking market investigation. By requiring banks to implement Open Banking by 2018, it has reinforced the UK’s transition to a transformed banking landscape based upon a foundation of Open Banking. While certainly a positive step, Open Banking raises more questions around security. Financial institutions need to look at the security around their APIs, covering both internal and external protection layers – what data is exposed through the APIs, and who may be calling the API? In moving to this new world, what competencies in the organisation exist to create and test these new services? The IT organisation that was designed around creation of services for a customer must now address service management and governance of an estate that exists in a digital always-on connected ecosystem of consumer and business relationships.

Data and information are new focal points for the industry, and this is being highlighted by the new General Data Protection Regulation (GDPR) which will be introduced in 2018. The days have gone where we have one, two or three front doors. We now have multiple connections in and out of networks with services being hosted in cloud, hybrid and SaaS services.

Do you know where your information assets sit – especially your most critical and vital assets?

General Data Protection Regulation – honesty and openness

Looking to 2017 and 2018, notification of breaches will look quite different for a large number of financial institutions. Unlike the directive in the Data Protection Act which was silent on the issue of data breach, GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects. 

This notification to the authority must “at least”: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer’s contact information; (3) describe the likely consequences of the personal data breach; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

The last sentence will undoubtedly give some pause for consideration and needs to be thought through. Whilst being open and honest with customers following a breach is essential, how much information is satisfactory to release, and under what circumstances should some information be held until the precise nature of method and impact is understood?

We find ourselves in an information conundrum. We know that open and honesty following a breach are important, but that full clarity on a situation is not always instantly available. Security breaches can take place and it can take time before a complete story is put together – but the longer it takes, the greater the concerns from customers that a security breach is not being effectively managed. It’s why it is essential to prepare in advance and have processes in place in the event of a breach. Testing of these plans and creating play books of certain scenarios is something a lot of organisations are doing.

Criminals work on Christmas

Financial organisations have had to adjust to the requirements of their customers who want services online 24/7. We have seen high street financial institutions opening on weekends, evenings and even Sundays. The world of internet banking allows customers to access financial systems all day, every day.

On the other side of the coin, cyber criminals don’t mind working weekends, holidays or Christmas Day. An organisation’s incident plan needs to be able to react to whatever, whenever, and in a way that is adequate to develop one or a number of alternative approaches. The Security Operations Centre (SOC) needs to be sufficiently resourced with access to on-call technical expertise, and they in turn need to be able to have access to evidence and activities.

Most people feel confident that their SOC is 24/7 – but it goes further than this. Imagine that you have had a breach on Christmas Day. Can you pull together a legal representative, someone who can talk to the press, the CEO and other important members of staff within your organisation?

We all have business continuity plans and disaster recovery plans, but it’s time we started thinking about security incident response plans that are truly organisational wide.