The US Department of the Treasury has released a report on best practices for Financial Institutions to manage AI-specific #cybersecurity risks. Based on discussions with representatives from FIs, there are a few great learnings from the report which I have tried to condense below:

Focus and challenges
- The report focused on the use of AI for cybersecurity and fraud management as being the implementations with importance to banks' operations.
- Collaboration in the fraud protection space is less coordinated than cyber protection, with smaller FIs struggling to have sufficient data to build predictive capabilities. Firms have highlighted that data-anonymisation techniques could help to mitigate some of these issues.
- FIs that have moved data and services to the cloud have the advantage of leveraging AI more rapidly, and will have more time to experiment and refine their AI systems.
- However, generative AI models are still developing, costly to implement, and difficult to validate for high-assurance applications. Hence most applications of it are for internal productivity initiatives and RAG-related implementations.
- Most implementations have opted for enterprise solutions deployed on their own virtual cloud network or tenanted environments.

Risk management approach
- Some of the frameworks used by FIs in enhancing their existing risk management practices are NIST RMF, OWASP AI Security and Privacy Guide, OECD AI Principles, and the FS-ISAC guide for the evaluation of AI vendor risks.
- Embedding the management of AI risks into existing policies around model risk, technology risk, cybersecurity risks, and third-party risk management processes.
- There will be an expanding role of the Chief Data Officer (or equivalent) to support the innovation and risk management in the integration data supply chain.
- There will be an increasing emphasis on effective third-party risk management due to the reliance on third-party providers of data and technology (often extending beyond third parties).

This is definitely worth a read to glean insights from the survey that had been done to create the report. #TrustworthyAI

Cybersecurity In Financial Services
There's a pretty good chance that the shocking rate at which AI is advancing is out-pacing your cyber security training, policies and maybe even technologies. Have you addressed the use of AI and deep fakes in your cyber security policies?

In a recent and alarming development that seems to have leapt straight from the pages of a science fiction novel, a Hong Kong based finance worker at a multinational firm was defrauded of $25 million, falling victim to an elaborate scam that employed deepfake technology to impersonate the company's CFO. This incident, which unfolded during a video conference call, marks a disturbing milestone in the intersection of cybercrime and AI, underscoring the urgent imperative for companies to bolster their cybersecurity frameworks, particularly against the backdrop of deepfake technology.

The mechanics of the scam were deceptively simple yet devastatingly effective. The finance employee was lured into a video call with several participants, believed to be colleagues and the CFO, only to discover later that each participant was a digital fabrication. The deepfake avatars, mirroring the appearance and voice of real company personnel, instructed the employee to initiate a "secret transaction", leading to the unauthorised transfer of $25.6 million.

This incident is not an isolated event but rather a harbinger of the potential threats posed by AI-driven disinformation and fraud. The use of deepfake technology to bypass facial recognition software, impersonate individuals for fraudulent purposes, and undermine the integrity of personal and corporate identities presents a clear and present danger. The case in Hong Kong, where fraudsters successfully manipulated digital identities to orchestrate financial theft, exemplifies the sophistication of contemporary cybercrime.

The implications of this event extend far beyond the immediate financial loss. It serves as a stark reminder of the vulnerabilities inherent in digital communication platforms and the necessity for robust verification processes. The reliance on video conferencing and digital communication, accelerated by the global pandemic, has exposed systemic weaknesses ripe for exploitation.

In response to this escalating threat, it is incumbent upon companies to adopt comprehensive cybersecurity strategies that address the unique challenges posed by deepfake technology. This includes implementing advanced authentication protocols, raising awareness and training employees on the potential risks of deepfakes, and deploying AI-driven security measures capable of detecting and neutralising synthetic media.

As AI outputs become increasingly indistinguishable from reality, the line between authentic and artificial communication will blur, challenging individuals and organisations to navigate a new frontier of digital authenticity. It compels a reevaluation of the assumptions underpinning digital trust and identity verification, urging a proactive approach to cyber defence.

The recent regulatory guidelines, viz. RBI Master Directions of Nov 2023 and SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, lay added importance on cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are becoming increasingly attentive and seeking deeper insights on the organizations' preparedness to respond to and recover from cyber incidents.

Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire with the security and technology leadership and sometimes directly with the MD/CEO on:
1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
3. Business Continuity Drills and results
4. Disaster Recovery exercises and results
5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
6. Cyber / technology risk assessments
7. Compliance and reporting (technology)
8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
9. Adequacy of technology & security resourcing and training
10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved and responsible over governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly on discussions about cyber risks, and inquire of the management their capacity-capability-readiness to respond to and recover effectively from cyber incidents. And above all, the Board would like to ensure compliance with all the relevant regulatory provisions, including on technology and #cybersecurity.

To all Technology and Security leaders: the message is very clear, the regulators and the Boards would like to see much more than a mere tick-mark exercise, especially if you're a regulated entity.
- read through each clause in the directions & circulars from regulators
- assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
- perform risk assessment - technology and operations, over each part of your business
- conduct data flow analysis, ascertain your data protection strategy
- analyze your third party / vendor connections at all business touchpoints

Once you analyze your current state, compare with the requirements given by regulatory directions. Then, step-by-step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required. #technologygovernance

A 'secure SDLC' is a much broader term than DevSecOps or application security. It incorporates security (CIA controls) into all phases of software development, from requirements gathering to maintenance. While individual security measures such as web security, SAST, DAST and secure coding are effective in their own right, they do not provide comprehensive end-to-end software security. Product security is another emerging term along the same lines.

To truly fortify software against evolving threats, organizations should consider embracing the concept of Secure SDLC. By embracing Secure SDLC, organizations build a foundation of proactive risk mgmt, robust change mgmt., secure architecture, thorough testing, and ongoing vigilance, ensuring the software's cyber resilience.

Additionally, organizations can focus on:
1. Building a security culture - This can be achieved through a variety of means, such as setting security goals, providing security training, and rewarding security-minded behaviour for its software and technology specialists.
2. Security tools and technologies - Leveraging technology solutions for tasks such as static and dynamic analysis, and penetration testing.
3. Engaging with security partners - Partners can provide security expertise, tools, and technologies that can help to identify and mitigate security risks within the secure SDLC space.

#applicationsecurity #websecurity #softwaresecurity #ethicalhacking #devsecops CYTAD #apisecurity #penetrationtesting

IT General Controls (ITGC) Checklist

Financial data's accuracy and reliability depend on the robustness of systems and data controls. These controls may fall under the jurisdiction of IT. However, ensuring these controls are implemented and monitored should be the paramount priority of the finance leaders. Specifically, the head of accounting must work closely with the head of IT to ensure the security of systems and data.

Security, reliability, and accuracy of financial data are your responsibility. You need to take charge of the process. Please review this checklist with your IT department to ensure your financial data is secure and reliable. This is what you need to ensure:
1- Access Controls - the accounting system is capable of role-based controls.
2- Change Management - system changes are logged, monitored, and reviewed.
3- Backup & Recovery - disaster recovery policies and processes are in place to back up and restore data.
4- Incident Management - security breach incidents are monitored and addressed promptly.
5- Network Security - intrusions are detected and dealt with without losing or impacting financial data.
6- Data Privacy - sensitive data is encrypted in transit and in storage.
7- Monitoring & Logging - the logging mechanism is implemented and reviewed to detect security incidents.
8- Vendor Management - when contracting with vendors for cloud-based services, ensure they comply with the company's internal security protocol.
9- Compliance & Audit - third-party monitoring and assurance are paramount to ensuring a regular review of the controls.

Abdul Khaliq

ECB published its "Evolving IT and Cybersecurity Risks" newsletter on November 13, 2024 and here are some key takeaways:
● Cybersecurity incidents are increasing. While there hasn't been a major incident yet, banks need to remain vigilant and improve preparedness to address the evolving threat landscape.
● Ransomware poses a significant threat to banking operations and sensitive information.
● Banks rely heavily on third-party ICT service providers, increasing the risk of attacks spreading quickly across the sector.
● Some banks struggle with basic cybersecurity controls, such as security testing, vulnerability management, and incident response.
● The reliance on third-party providers continues to grow, raising concerns about concentration risk.
● The Digital Operational Resilience Act (DORA), effective January 2025, emphasises that banks are ultimately responsible for managing outsourcing risks.
● IT changes often cause unplanned downtime in critical systems, requiring banks to manage IT projects thoroughly.
● Data quality management is a weak point for many banks, impacting risk assessment and decision-making.
● The ECB highlights the importance of strong IT governance, risk management, and IT audits to ensure cybersecurity and risk management robustness.

The ECB emphasizes that banks must improve their resilience by:
● Strengthening cybersecurity controls
● Managing IT outsourcing and change risks
● Developing robust incident management and business continuity plans
● Ensuring strong IT governance

The ECB will continue to assess these risks through on-site inspections and targeted reviews, with increased efforts to ensure compliance with DORA from 2025 onwards. #Cybersecurity #ITRiskManagement #OperationalResilience #DORA

👏 Cryptography management and cryptoagility are closer to becoming regulation after the three European Supervisory Authorities (European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) – the ESAs) published today the first set of final draft Regulatory Technical Standards (RTS) under the DORA. (Find the relevant links at the end)

DORA is the Digital Operational Resilience Act for the financial sector with rules for the protection, detection, containment, recovery and repair capabilities against IT incidents. The draft RTS on ICT risk management framework covers encryption and cryptography in section IV (page 49). I would like to highlight Article 6, point 4:

"Financial entities shall include in the policy on encryption and cryptographic controls provisions to, where necessary, on the basis of developments in cryptanalysis, update or change the cryptographic technology to ensure they remain resilient against cyber threats [...]. Where the financial entity cannot update or change the cryptographic technology, it shall adopt mitigation and monitoring measures to ensure they remain resilient against cyber threats."

These final draft technical standards have been submitted to the European Commission, who will now start working on their review with the objective to adopt these first standards in the coming months. So, proper cryptography management and cryptoagility will soon be part of the regulatory compliance obligations of financial entities in Europe.

Links:
🚩 Announcement of the publication of the final drafts: https://lnkd.in/dnzDP9PG
🚩 Final report on draft RTS on ICT Risk Management Framework and on simplified ICT Risk Management Framework: https://lnkd.in/dp2aUj75
🚩 DORA: https://lnkd.in/dtJguGHf

Thanks to Nuria González Martín for her continued monitoring of the regulatory space. #pqc #cybersecurity #cryptography

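To make Article 6(4)'s "update or change the cryptographic technology" and its fallback "mitigation and monitoring measures" concrete in code, here is an added example that is not part of the post above nor of the ESAs' draft RTS: an integrity tag whose algorithm is identified by a version label, so that the algorithm in use can be rotated while older tags are still verified, reported as deprecated, and re-tagged. The version labels, the two hash choices (SHA-256 then SHA3-256, both from the Python standard library), the key and the records are assumptions constructed for this example.

```python
"""Crypto-agile integrity tags: versioned algorithm registry with rotation.
Added example; version labels, algorithms, key and records are constructed."""
import base64
import binascii
import hashlib
import hmac

# Registry of tag versions -> hash function. Adding a version here is the
# "update or change the cryptographic technology" step; nothing else changes.
ALGORITHMS = {
    "v1": hashlib.sha256,    # constructed: the algorithm being phased out
    "v2": hashlib.sha3_256,  # constructed: the current algorithm
}


class AgileMac:
    """Signs with the current version; verifies any registered version and
    reports whether the tag used a deprecated one (the monitoring measure)."""

    def __init__(self, key: bytes, current: str = "v2", deprecated=("v1",)):
        if current not in ALGORITHMS:
            raise ValueError(f"unregistered tag version {current!r}")
        self.key = key
        self.current = current
        self.deprecated = set(deprecated)

    def sign(self, message: bytes) -> str:
        digest = hmac.new(self.key, message, ALGORITHMS[self.current]).digest()
        return f"{self.current}:{base64.b64encode(digest).decode()}"

    def verify(self, message: bytes, tag: str):
        """Return (ok, status) with status in current/deprecated/bad-tag/unknown-version."""
        version, _, b64 = tag.partition(":")
        algo = ALGORITHMS.get(version)
        if algo is None:
            return False, "unknown-version"
        try:
            provided = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            return False, "bad-tag"
        expected = hmac.new(self.key, message, algo).digest()
        if not hmac.compare_digest(expected, provided):
            return False, "bad-tag"
        return True, ("deprecated" if version in self.deprecated else "current")


def retag_deprecated(mac: AgileMac, records):
    """Re-sign records whose tag still verifies but uses a deprecated version.
    Returns (new_records, count_retagged); invalid records are left untouched
    so they surface in monitoring rather than being silently refreshed."""
    out, count = [], 0
    for message, tag in records:
        ok, status = mac.verify(message, tag)
        if ok and status == "deprecated":
            out.append((message, mac.sign(message)))
            count += 1
        else:
            out.append((message, tag))
    return out, count


if __name__ == "__main__":
    key = b"constructed-demo-key"
    legacy = AgileMac(key, current="v1", deprecated=())
    rotated = AgileMac(key, current="v2", deprecated=("v1",))
    stored = [(b"ledger-entry-1", legacy.sign(b"ledger-entry-1"))]
    print(rotated.verify(b"ledger-entry-1", stored[0][1]))  # (True, 'deprecated')
    fresh, n = retag_deprecated(rotated, stored)
    print(n, rotated.verify(b"ledger-entry-1", fresh[0][1]))  # 1 (True, 'current')
```

The design point is that the version label travels with the tag, so verification never has to guess the algorithm, and the "deprecated" status gives the monitoring signal the article asks for when an immediate switch is not possible.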
More than half of web traffic now comes from bots. A third of it is malicious. Banks are squarely in the crosshairs.

The latest Imperva Bad Bot Report is a wake-up call for financial services. Bot traffic has crossed the 50 percent threshold, with 37 percent of all traffic classified as "bad bots" carrying out scraping, payment fraud, and account takeovers. Nearly 40 percent of API-targeted attacks in 2024 were aimed at the financial sector. Attackers are using generative AI not just to build bots, but to test, learn, and evolve them in real time. These aren't just scripts. They're AI-powered agents designed to bypass detection, mimic human behavior, and exploit vulnerabilities at scale.

As my colleague Valerie Abend put it: APIs are no longer just the perimeter. They are the supply chain of the bank. Securing them is non-negotiable.

Key defenses include:
- Accurate API inventories and strict authentication protocols
- Rate limiting, anomaly detection, and threat intel sharing
- AI-aware web application firewalls and deception tools like honeypots

The rise of bad bots isn't new, but the pace and precision of their evolution is. We need to meet automation with automation, and treat API security as core infrastructure.

📖 Worth the read in American Banker: https://lnkd.in/ep--nQ4x Accenture #CyberSecurity #Banking #GenerativeAI #APIsecurity #DigitalRisk #FinancialServices #AI #BotDefense

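Two of the defenses listed above, rate limiting and anomaly detection, can be shown on the defender's side with a small script. This is an added example, not code from the post, from Imperva or from Accenture: it runs a sliding-window rate limiter and a request-timing regularity check over a few constructed API access-log lines. The log format, client identifiers, paths, thresholds and every log line are constructed for illustration.

```python
"""Sliding-window rate limiting and bot-timing heuristics over API access logs.
Added example; the log format and all lines below are constructed."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed log lines: "<epoch_seconds> <client_id> <method> <path> <status>".
# c-web-17 behaves like a person; c-bot-99 hammers the login endpoint on a fixed cadence.
SAMPLE_LOG = """\
1000.00 c-web-17 POST /api/v1/login 200
1003.40 c-web-17 GET /api/v1/accounts 200
1009.10 c-web-17 GET /api/v1/accounts/42/transactions 200
1017.80 c-web-17 POST /api/v1/transfer 200
1000.00 c-bot-99 POST /api/v1/login 401
1000.50 c-bot-99 POST /api/v1/login 401
1001.00 c-bot-99 POST /api/v1/login 401
1001.50 c-bot-99 POST /api/v1/login 401
1002.00 c-bot-99 POST /api/v1/login 401
1002.50 c-bot-99 POST /api/v1/login 401
1003.00 c-bot-99 POST /api/v1/login 401
1003.50 c-bot-99 POST /api/v1/login 200
"""


def parse_log(text):
    """Parse the constructed format into (ts, client, method, path, status) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        ts, client, method, path, status = line.split()
        events.append((float(ts), client, method, path, int(status)))
    events.sort(key=lambda e: e[0])
    return events


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client, ts):
        q = self.hits[client]
        while q and ts - q[0] >= self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def apply_rate_limit(events, limit=5, window=10.0):
    """Replay events through the limiter; return how many each client had rejected."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for ts, client, *_ in events:
        if not limiter.allow(client, ts):
            rejected[client] += 1
    return dict(rejected)


def regularity_score(events, client):
    """Coefficient of variation of inter-arrival times; near 0 means metronomic
    (scripted) timing. Returns None when there are too few requests to judge."""
    ts = [e[0] for e in events if e[1] == client]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def flag_suspicious(events, cv_threshold=0.1, failure_threshold=5):
    """Combine the timing heuristic with a failed-login count per client."""
    flags = {}
    for client in sorted({e[1] for e in events}):
        reasons = []
        cv = regularity_score(events, client)
        if cv is not None and cv < cv_threshold:
            reasons.append("metronomic timing")
        failed_logins = sum(
            1 for e in events if e[1] == client and e[3].endswith("/login") and e[4] == 401
        )
        if failed_logins >= failure_threshold:
            reasons.append("credential-stuffing pattern")
        if reasons:
            flags[client] = reasons
    return flags


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(apply_rate_limit(evs))   # {'c-bot-99': 3}
    print(flag_suspicious(evs))    # {'c-bot-99': ['metronomic timing', 'credential-stuffing pattern']}
```

Rate limiting alone only slows the automated client; the regularity and failed-login signals are what separate it from a busy human session, which is why the post pairs rate limiting with anomaly detection rather than relying on either alone.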
The days of CFOs and CISOs only meeting to fight over budgets are over. With cybersecurity incidents, like the recent one with Qantas, this could not have been more timely!

I had the privilege of sitting with Abid Adam, Group Chief Risk and Compliance Officer at Axiata, and a global thought leader on Risk and Governance, for an exclusive interview for CFO Magazine A/NZ. One thing was clear: cyber risk is now a boardroom issue, and the CFO-CISO relationship is at the centre of it.

This partnership needs to evolve to include:
→ Risk Management: Making informed trade-offs between business objectives and de-risking.
→ Investment Allocation: Aligning substantial cyber investments with business strategy.
→ M&A Due Diligence: Factoring cybersecurity findings into valuations.
→ Cyber Risk Quantification (CRQ): CFOs' financial modeling expertise is crucial for assessing risk and value.
→ AI Governance: Collaborating on risk classification and the financial implications of AI deployment.

CFOs are no longer just budget gatekeepers. They are the navigators of business growth and resilience. This collaboration is key to managing risks and enabling innovation. Read the full article.

Detecting fraud is no longer just about manual checks; advanced analytics and AI-driven insights allow companies to anticipate risks before they escalate. This shift minimizes financial loss and fosters a data-driven culture of transparency and trust.

Behavioral analytics transforms fraud detection by leveraging data patterns, machine learning, and NLP to identify suspicious activities. Unlike traditional rule-based approaches, this method adapts dynamically, learning from transactional and contextual data to detect anomalies. For example, an insurance claim from an unusual location or an inconsistent medical history can trigger alerts. Machine learning refines these insights, reducing false positives while improving accuracy.

Ethical considerations remain critical, ensuring privacy and fairness in automated decisions. By integrating analytics into business processes, organizations strengthen fraud prevention, optimize investigations, and protect consumers from financial exploitation. #AI #Insurance #InsurTech #DigitalTransformation

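The "claim from an unusual location" example above can be illustrated with a per-policyholder behavioral baseline. This is an added example, not code from the post: it learns each policyholder's seen regions and typical claim amount from constructed history and scores new claims against that baseline, routing policyholders with no history to review rather than guessing. The policyholder ids, regions, amounts and thresholds are all constructed for illustration, and a production system would learn richer features than these two.

```python
"""Per-policyholder behavioral baseline for scoring insurance claims.
Added example; all claim records and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed claim history: (policyholder, region, amount)
HISTORY = [
    ("p-1", "NSW", 1200.0), ("p-1", "NSW", 900.0), ("p-1", "NSW", 1500.0), ("p-1", "NSW", 1100.0),
    ("p-2", "VIC", 300.0), ("p-2", "VIC", 420.0), ("p-2", "VIC", 350.0), ("p-2", "QLD", 380.0),
]

# Constructed incoming claims: (claim_id, policyholder, region, amount)
NEW_CLAIMS = [
    ("c-101", "p-1", "NSW", 1300.0),   # ordinary for p-1
    ("c-102", "p-1", "WA", 9800.0),    # new region and far above p-1's usual amount
    ("c-103", "p-2", "QLD", 400.0),    # QLD already seen for p-2
    ("c-104", "p-3", "VIC", 500.0),    # policyholder with no history at all
]


def build_baselines(history):
    """Summarise each policyholder's past claims: seen regions, mean and spread of amounts."""
    by_holder = defaultdict(list)
    for holder, region, amount in history:
        by_holder[holder].append((region, amount))
    baselines = {}
    for holder, rows in by_holder.items():
        amounts = [a for _, a in rows]
        mu = mean(amounts)
        # Floor the spread so a holder whose past claims are identical still gets a
        # usable scale instead of a division by zero.
        sigma = max(pstdev(amounts), 0.05 * mu, 1e-9)
        baselines[holder] = {"regions": {r for r, _ in rows}, "mean": mu, "std": sigma}
    return baselines


def score_claims(history, claims, z_threshold=3.0):
    """Return {claim_id: [reasons]} for claims that deviate from the holder's baseline."""
    baselines = build_baselines(history)
    flagged = {}
    for claim_id, holder, region, amount in claims:
        reasons = []
        base = baselines.get(holder)
        if base is None:
            # Cold start: no behaviour to compare against, so send to manual review
            reasons.append("no claim history")
        else:
            if region not in base["regions"]:
                reasons.append(f"unseen region {region}")
            z = (amount - base["mean"]) / base["std"]
            if z > z_threshold:
                reasons.append(f"amount z-score {z:.1f} above {z_threshold}")
        if reasons:
            flagged[claim_id] = reasons
    return flagged


if __name__ == "__main__":
    for claim_id, reasons in score_claims(HISTORY, NEW_CLAIMS).items():
        print(claim_id, "->", "; ".join(reasons))
```

Each flag carries its reason, which is what lets an investigator (and a fairness review) see why a claim was held rather than just that it was; the post's point about privacy and fairness in automated decisions starts with that explainability.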