A matter of when, not if?
Can firms truly protect themselves against the risk of cyber-attacks?
Cyber security is a key stay-awake issue in financial services, for incumbents and FinTechs alike. A number of cyber breaches in recent years have drawn attention to this issue. In January, the head of the UK’s National Cyber Security Centre, Ciaran Martin, said “it was a matter of when, not if” the UK would be the victim of a major cyber-attack. Martin Arnold of the Financial Times, moderating a panel on cyber security at the 2018 Innovate Finance Global Summit entitled Cyber Security: Can We Present a United Front?, described a “threat that is so existential for our FS industry”.
In the panel, there was a focus on the need for increased collaboration between the public sector and the private sector in an attempt to mitigate this threat. In an audience poll, a quarter of respondents said they thought “that public/private partnerships are a complete failure”. However, there was near universal agreement that “a ‘united front’ [would] increase our overall security”.
The banking sector’s sharing of information about cyber-attacks was held up as a prime example of how collaboration can help guard against the threat. As Andy Bates of the Global Cyber Alliance said, “banks compete in financial markets, but have decided that cyber is not somewhere that they are going to compete”.
Ruth Davis, Head of Commercial Strategy and Public Policy at BT Security, said that “if you have tangible outcomes that you’re working towards”, for example taking down a certain number of malicious websites, then “public/private partnerships can be more effective than not”. However, Stewart Bertram of Digital Shadows, while confessing he was playing the role of ‘devil’s advocate’, believes actors involved in such partnerships may be “becoming exposed to more risk”.
Interestingly, while cyber criminals are becoming increasingly sophisticated, Andy Bates ranked the top three risks as “phishing, phishing and phishing”, as it currently represents “90 per cent of cyber-crime in the UK”. For this reason, Andy was positive about the UK government’s GOV.UK Verify digital identity solution, as “two-factor authentication is always better than one-factor authentication”. However, there were concerns expressed that a digital identity may impinge upon the right to anonymity online.
There was a question from the audience about whether distributed ledger technologies, or blockchain, could enable a more secure digital identity. However, Andersen Cheng, CEO of Post Quantum, stressed that “blockchain gives you immutability, which is not security”, using the analogy of a newspaper headline which, while permanent after being printed, could be altered before going to print. He struck a more optimistic note, though, when he said “blockchain collaboration is wonderful if it’s used in a trusted and heterogenous environment”, such as in a supply chain and trade finance.
Nigel Houlden, Head of Technology Policy at the Information Commissioner’s Office, explored the role of the upcoming General Data Protection Regulation (GDPR) in the EU in terms of cyber security. In his opinion, “companies are taking cyber security a lot more seriously because of GDPR”. This is not just because of the scale of potential fines, which could amount to four per cent of annual global turnover, but because of the reputational damage. He described GDPR as “an evolution, not a revolution”, in that, for companies “that are already protecting data properly, GDPR just goes a little bit further”. He also spoke positively of how GDPR was raising awareness of cyber-security issues.
The importance of awareness among the general public and companies was also highlighted by Ruth Davis. She drew a comparison between the success of public campaigns to raise awareness of the risks of drink-driving and the “clear and simple messages” that need to be pushed out in order to “get the message into the public consciousness”. Moreover, she called for “very clear information on the ‘packaging’ of digital products”.