Don’t let cyber attacks get you down. Improving tech resilience in Financial Services | Deloitte UK
Over the past two years, we’ve seen a sustained level of high-profile technology glitches, cyber attacks and system outages. While all sectors have been affected, the financial sector has been a particular target, leading to increased scrutiny from customers and regulators.
In late 2018, the Financial Conduct Authority (FCA) fined a bank for failing to address warnings about ‘deficiencies’ in its systems ahead of a cyber attack in 2016, which netted fraudsters more than £2m. The regulator criticised the bank for deficiencies in the design of its debit card, financial crime controls and its financial crime operations team. However, the FCA added that following the attack, the bank had immediately put in place a comprehensive redress program and devoted significant resources to improving the things that left the bank vulnerable to attack.
Taking action and putting in place sufficient levels of technology resilience to withstand threats is an absolute must for all banks, and for financial services firms in general. Fortunately, senior leadership is recognising this need for preventative measures. Furthermore, with hackers getting more audacious in their methods and using considerable resources to attack large organisations, senior leadership also recognises that the likelihood of a successful cyber attack is always present.
In response to this mounting pressure on the financial sector to get it right when it comes to effective cyber risk management, the Bank of England, Prudential Regulation Authority and FCA published a discussion paper, Building the UK financial sector’s operational resilience. The message is loud and clear: the banking sector needs to reconcile its past investment in technology with its ambitious plans for the future, in order to address the risks it faces in the present.
By going back to basics when it comes to technology resilience, organisations will be able to address risks at an institution-wide level and develop a sustainable approach to limiting technology-related disruption. Such measures could be as simple as ensuring processes are in place for a consistent and quality response, or tapping into experience across the business so that the right people are in the right place to deliver on a cyber resilience strategy.
Constantly evolving definitions, technology and processes make it easy to lose sight of what we are actually talking about when we refer to technology resilience. In a nutshell, it is about identifying what is critical to your organisation’s survival, creating an environment capable of withstanding sustained threats, and developing practiced and proportionate recovery measures that can be deployed in the event of disruption.
The main technology resilience challenges facing the financial services sector today are not radically different from those faced in the past. Namely, they are change management, business process and data mapping, and knowledge transfer. What is different today is the significantly increased cost of failing to provide a comprehensive answer to these historical challenges. Under-investment and a lack of focus on reducing known risks in existing technology have given rise to the need for a radical solution to traditional problems.
Reliance on legacy technology, complex relationships between systems and historic organic growth of IT environments can create a Rube Goldberg machine of risks, with minor inputs resulting in a chain-reaction of unforeseen outputs.
Effective classification, aggregation and mapping of data is the biggest barrier to the development of robust data resiliency measures. The lack of testing of business-critical and core infrastructure data means there’s little assurance that backed-up data will be usable if needed.
It can be easy to think that technology disruption is primarily the result of deliberate rogue agents or human error, but this is increasingly untrue. Business pressure to reduce the time and cost of changes has resulted in institutionally-embedded change management frameworks that are not fit for purpose, along with a lack of comprehensive pre-implementation testing. The issues are further compounded by hidden dependencies and processes that lead to disruption far beyond the initial scope of the change.
While organisations are racing to embrace new technology, more often than not we see digital add-ons rather than transformation. Reliance on legacy systems comes with a continued demand for people with the skills to update and maintain them. Unfortunately, practitioners in legacy programming languages such as COBOL and BASE24 are a dying breed, yet in high demand. Without making skills transfer a priority, firms will likely experience a considerable skills shortage for business-critical legacy systems in the next few years. The publicised costs to those operating in the financial sector as a result of IT outages, cyber attacks and data breaches are only the beginning, and are likely to increase in the coming years.
In this always-on digital age where any hint of an outage or breach is immediately made public, business leaders must rethink and re-prioritise their IT spend to focus on getting the basic principles of technology resilience right:
Overall, the decisions over re-prioritisation and budget allocation in the next 18 months (at least) by senior business leaders will be critical in shaping how their organisations better prepare for imminent technology and cyber resilience risks. The inevitable upcoming end-of-life hardware and software support and expected international financial regulatory scrutiny must be addressed, and the basics of technology resilience must be adopted for full digital transformation to be successful.
Here is some of the most important advice from Building the UK financial sector’s operational resilience:
This article was originally published in ICAEW’s FS Focus magazine.
Narjis is a Technical Director in Deloitte’s Cyber Risk Services practice. She leads Technology Resilience in the UK, helping clients across financial services and TMT globally to address the vulnerabilities in their technology, processes and people domains. Additionally, Narjis has built strong alliances with third-party solution providers for off-network data backup and recovery solutions to help clients address and protect against immediate and emerging cyber threats. She has more than 17 years of experience across a broad range of technology areas, as well as in Business Analysis and technology process engineering. For further information on Technology Resilience services, industry and regulatory insights, and how we are helping our clients, please reach out to her.
William is a Senior Manager in Deloitte’s Cyber Risk Services team. Since joining Deloitte in 2013 he has worked in both the UK and Hong Kong offices, leading the delivery of a range of Technology Resilience, Cyber Strategy and Risk Management projects. He has worked across the globe with a wide range of clients in the Financial Services, TMT, Public and Gaming sectors. He has a special interest in innovation and digital transformation, having won several firm-wide innovation challenges, and has subsequently engaged heavily with Deloitte’s innovation agenda. Please reach out to William if you would like to hear more about Technology Resilience.