Posted: 20 Mar. 2019

Don’t let cyber attacks get you down. Improving tech resilience in Financial Services

Over the past two years, we’ve seen a sustained level of high-profile technology glitches, cyber attacks and system outages. While all sectors have been affected, the financial sector has been a particular target, leading to increased scrutiny from customers and regulators.

In late 2018, the Financial Conduct Authority (FCA) fined a bank for failing to address warnings about ‘deficiencies’ in its systems ahead of a cyber attack in 2016, which netted fraudsters more than £2m. The regulator criticised the bank for deficiencies in the design of its debit card, financial crime controls and its financial crime operations team. However, the FCA added that following the attack, the bank had immediately put in place a comprehensive redress program and devoted significant resources to improving the things that left the bank vulnerable to attack.

Taking action and putting in place sufficient levels of technology resilience to withstand threats is an absolute must for all banks, and financial service firms in general. Fortunately, senior leadership is recognising this need for preventative measures. Furthermore, with hackers getting more audacious in their methods and using considerable resources to attack large organisations, senior leadership also recognises that the likelihood of a successful cyber attack is always present.

In response to this mounting pressure on the financial sector to get it right when it comes to effective cyber risk management, the Bank of England, Prudential Regulation Authority and FCA published a discussion paper, Building the UK financial sector’s operational resilience. The message is loud and clear: the banking sector needs to reconcile its past investment in technology with its ambitious plans for the future, in order to address the risks it faces in the present.

By going back to basics when it comes to technology resilience, organisations will be able to address risks at an institution-wide level and develop a sustainable approach to limiting technology-related disruption. Such measures could be as simple as ensuring processes are in place for a consistent and quality response, or tapping into experience across the business so that the right people are in the right place to deliver on a cyber resilience strategy.

What do you mean?

Constantly evolving definitions, technology and processes make it easy to lose sight of what we are actually talking about when we refer to technology resilience. In a nutshell, it is about identifying what is critical to your organisation’s survival, creating an environment capable of withstanding sustained threats, and developing practiced and proportionate recovery measures that can be deployed in the event of disruption.

The main technology resilience challenges facing the financial services sector today are not radically different from those faced in the past. Namely, they are change management, business process and data mapping, and knowledge transfer. However, what we are seeing differently today is significantly increased cost for failing to provide a comprehensive answer to historical challenges. Under-investment and lack of focus on reducing known risks in existing technology has given rise to the need for a radical solution to traditional problems.

Common problems

Reliance on legacy technology, complex relationships between systems and historic organic growth of IT environments can create a Rube Goldberg machine of risks, with minor inputs resulting in a chain-reaction of unforeseen outputs.

The absence of effective classification, aggregation and mapping of data is the biggest barrier to the development of robust data resiliency measures. The lack of business-critical and core infrastructure data testing means there is little assurance that the backed-up data will be usable if needed.

It can be easy to think that technology disruption is primarily the result of deliberate rogue agents or human error, but this is increasingly untrue. Business pressure to reduce the time and cost of changes has resulted in institutionally-embedded change management frameworks that are not fit for purpose, along with a lack of comprehensive pre-implementation testing. The issues are further compounded by hidden dependencies and processes that lead to disruption far beyond the initial scope of the change.

While organisations are racing to embrace new technology, more often than not we see digital add-ons rather than transformation. Reliance on legacy systems comes with a continued demand for people with the skills to update and maintain them. Unfortunately, practitioners in legacy programming languages such as COBOL and BASE24 are a dying breed, yet in high demand. Without making skills transfer a priority, firms will likely experience a considerable skills shortage for business-critical legacy systems in the next few years. The publicised costs to those operating in the financial sector as a result of IT outages, cyber attacks and data breaches are only the beginning, and are likely to increase in the coming years.

The basic principles

In this always-on digital age where any hint of an outage or breach is immediately made public, business leaders must rethink and re-prioritise their IT spend to focus on getting the basic principles of technology resilience right:

  1. Adopt a top-down strategic approach
    Use a clear and universal framework to identify critical business services. Keep in mind that focus should be kept on elements vital to the business’ survival, rather than what is needed to reach its current normal state.
  2. Map IT and data dependencies
    Building a foundation of understanding is essential to being able to effectively measure existing risk. Remember, this is not a one-off exercise, and governance procedures need to be included to maintain and update dependency maps.
  3. Simplify your environment
    Once you have clarity on what makes up your IT environment and how it fits together, you should try to reduce unnecessary complexity that has occurred as a result of organic growth. This not only reduces risk, but enables digital transformation, making it easier to evolve sustainably.
  4. Protect your most important data off-network in a vault
    The rise of ransomware has shown how networks can be devastated by a single breach. Storing your critical ‘business DNA’ data elsewhere provides a viable contingency in the event that all other controls fail.
  5. Perform restore tests on critical data
    This may pose a challenge and place additional demands on over-subscribed change management windows, but the benefits will outweigh the inconvenience of fitting in additional tests. Deploy increased scale of data integrity checking tests and embed this into existing backup and recovery standards and processes.
  6. Create a single source of truth
    A robust, fit-for-purpose configuration management database acts as a single place for you to understand your environment and data, so that you can respond effectively in a disruption.
  7. Enhance the service management processes
    Instil a culture of ownership and accountability supplemented by a stringent governance and management framework that fits the changing needs of pro-technology businesses. In particular, consider adopting ITIL4, which is due for release in 2019. ITIL is a set of detailed practices for IT service management, with a focus on aligning IT services with the needs of the business.
  8. Strengthen capability to support legacy environments
    Businesses need to acknowledge the realistic timelines of transformation and the requirements that come with retaining legacy technology. By taking ownership of learning or teaching skills through training and making use of the existing in-house wealth of experience to transfer older legacy knowledge, you will be better able to avoid a skills drought.
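Principle 5 (restore tests with data integrity checking) is the one most often skipped because it competes for change windows. The following is an added example, not code from the original article or from Deloitte: a self-contained restore test in Python that backs up a constructed set of sample files together with a SHA-256 manifest, restores them to a separate location, and compares the restored tree against the manifest. File names, contents and the `vault`/`restore` directory names are hypothetical; the same structure works for a real backup set by pointing `run_restore_test` at actual directories. The second run deliberately corrupts the backup copy to show that a silently damaged backup is caught before it is needed in anger.

```python
"""Restore test with data-integrity checking over a constructed sample data set."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"

# Constructed sample of 'business DNA' files (hypothetical content, not real data).
SAMPLE_FILES = {
    "ledger/accounts.csv": "acct_id,balance\n1001,250.00\n1002,8120.55\n",
    "config/payments.yaml": "gateway: primary\nretry_limit: 3\n",
    "keys/README.txt": "Key material lives in the HSM, not in this backup.\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def back_up(source: Path, backup: Path) -> dict:
    """Copy the source tree to the backup location and store the manifest with it."""
    shutil.copytree(source, backup)
    manifest = build_manifest(source)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup: Path, target: Path) -> None:
    """Restore the backup to a fresh target directory, leaving the manifest behind."""
    shutil.copytree(backup, target, ignore=shutil.ignore_patterns(MANIFEST))


def verify(restored: Path, manifest: dict) -> list:
    """Compare the restored tree to the manifest; return (finding, path) tuples."""
    findings = []
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            findings.append(("missing", rel))
        elif actual[rel] != digest:
            findings.append(("checksum_mismatch", rel))
    for rel in actual:
        if rel not in manifest:
            findings.append(("unexpected_file", rel))
    return findings


def run_restore_test(corrupt_backup: bool = False) -> list:
    """End to end: seed sample data, back up, optionally corrupt, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restored = tmp / "prod", tmp / "vault", tmp / "restore"
        for rel, content in SAMPLE_FILES.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        manifest = back_up(source, backup)
        if corrupt_backup:
            # Simulate silent damage to the backup copy (bad media, partial write).
            (backup / "ledger/accounts.csv").write_text("acct_id,balance\n1001,0.00\n")
        restore(backup, restored)
        return verify(restored, manifest)


if __name__ == "__main__":
    print("clean restore findings:", run_restore_test())
    print("corrupted backup findings:", run_restore_test(corrupt_backup=True))
```

The point of keeping the manifest next to the data is that the restore test can be run by whoever owns the recovery process without access to the production system; a non-empty findings list is the signal that the backup is not usable and the backup standard needs attention before an incident forces the issue.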

Overall, the decisions over re-prioritisation and budget allocation in the next 18 months (at least) by senior business leaders will be critical in shaping how their organisations better prepare for imminent technology and cyber resilience risks. The inevitable upcoming end-of-life hardware and software support and expected international financial regulatory scrutiny must be addressed, and the basics of technology resilience must be adopted for full digital transformation to be successful.

Tips from the regulators

Here is some of the most important advice from Building the UK financial sector’s operational resilience:

  • Focus on identifying critical business services to enable proportionate development of resiliency measures;
  • Organisations need to comprehensively map their systems, processes and dependencies (including with third parties) to these critical business services;
  • Organisations should adopt an approach driven by the concept of ‘impact tolerance’, encouraging businesses to assume disruptions will occur and focus on minimising impact; and
  • The measurement of impact tolerance could be captured in metrics such as tolerable duration/volume of disruption, the criticality of ensuring data integrity or customers affected.
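Mapping systems and dependencies to critical business services, and then expressing impact tolerance as a tolerable duration of disruption, is something a firm can do in code once the map exists. The block below is an added example, not from the original article, the regulators' paper or Deloitte: a constructed, hypothetical dependency map (service and component names, and the tolerance figures, are all invented for illustration) that answers three questions the regulators' advice leads to: which critical services a given component outage reaches, which of them would breach their impact tolerance for a given outage length, and which components are shared across several critical services and so deserve resilience investment first.

```python
"""Dependency map from critical business services to IT components, with blast radius
and impact-tolerance checks. All names and numbers below are constructed examples."""
from collections import defaultdict, deque

# Hypothetical map: each node lists what it directly depends on.
DEPENDS_ON = {
    "Retail payments": ["Payments engine", "Customer DB"],
    "Online banking": ["Web portal", "Customer DB", "Auth service"],
    "Card authorisation": ["Card switch", "Auth service"],
    "Payments engine": ["Core ledger", "Message queue"],
    "Web portal": ["Auth service"],
    "Card switch": ["Core ledger"],
    "Customer DB": ["Storage array"],
    "Core ledger": ["Storage array", "Mainframe batch"],
    "Auth service": ["HSM (third party)"],
    "Message queue": [],
    "Storage array": [],
    "Mainframe batch": [],
    "HSM (third party)": [],
}

CRITICAL_SERVICES = {"Retail payments", "Online banking", "Card authorisation"}

# Constructed impact tolerances: maximum tolerable outage, in minutes, per service.
TOLERANCE_MINUTES = {
    "Retail payments": 60,
    "Online banking": 240,
    "Card authorisation": 30,
}


def reverse_map(depends_on: dict) -> dict:
    """Invert 'X depends on Y' into 'Y is depended on by X'."""
    rev = defaultdict(set)
    for node, deps in depends_on.items():
        rev.setdefault(node, set())
        for dep in deps:
            rev[dep].add(node)
    return rev


def dependents_of(component: str, depends_on: dict = DEPENDS_ON) -> set:
    """Everything that transitively depends on component (its blast radius)."""
    rev = reverse_map(depends_on)
    seen, queue = set(), deque([component])
    while queue:
        current = queue.popleft()
        for parent in rev.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_services(component: str, depends_on: dict = DEPENDS_ON,
                      services: set = CRITICAL_SERVICES) -> set:
    """Critical business services reached by an outage of component."""
    return dependents_of(component, depends_on) & services


def breached_tolerances(component: str, outage_minutes: int,
                        tolerances: dict = TOLERANCE_MINUTES) -> list:
    """Critical services whose impact tolerance an outage of this length would breach."""
    return sorted(s for s in affected_services(component)
                  if outage_minutes > tolerances[s])


def shared_components(depends_on: dict = DEPENDS_ON, services: set = CRITICAL_SERVICES,
                      min_services: int = 2) -> list:
    """Components whose failure reaches at least min_services critical services,
    ranked by reach; these are the hidden concentrations of risk in the map."""
    ranked = []
    for component in depends_on:
        if component in services:
            continue
        reach = len(affected_services(component, depends_on, services))
        if reach >= min_services:
            ranked.append((component, reach))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("HSM outage reaches:", sorted(affected_services("HSM (third party)")))
    print("45-minute HSM outage breaches:", breached_tolerances("HSM (third party)", 45))
    print("shared components:", shared_components())
```

Run against this constructed map, the third-party HSM turns out to sit under two of the three critical services, and a 45-minute HSM outage breaches the tolerance for card authorisation but not for online banking; the storage array reaches all three services and ranks first for attention. The same functions apply unchanged to a dependency map exported from a configuration management database, which is the single source of truth the article's principle 6 calls for.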

This article was originally published in ICAEW’s FS Focus magazine.

Key contacts

Narjis Zaidi

Technical Director

Narjis is a Technical Director in Deloitte’s Cyber Risk Services practice. She leads Technology Resilience in the UK, helping clients across financial services and TMT globally to address the vulnerabilities in their technology, processes and people domains. Additionally Narjis has built strong alliances with third party solution providers for off-network data backup and recovery solutions to help clients address and protect against immediate and emerging cyber threats. She has more than 17 years of experience across a broad range of technology areas as well as performing Business Analysis and technology process engineering. For further information on Technology Resilience services, industry and regulatory insights, and how we are helping our clients, please reach out to her.

Wil Hamilton

Senior Manager

William is a Senior Manager in Deloitte’s Cyber Risk Services team. Since joining Deloitte in 2013 he has worked in both the UK and Hong Kong offices, leading the delivery of a range of Technology Resilience, Cyber Strategy and Risk Management projects. He has worked across the globe with a wide range of clients in the Financial Services, TMT, Public and Gaming sectors. He has a special interest in innovation and digital transformation having won several firm-wide innovation challenges and has subsequently engaged heavily with Deloitte’s innovation agenda. Please reach out to William if you would like to hear more about Technology Resilience.