Accenture: fintech, cybersecurity and how to manage risk
What is the cybersecurity threat landscape for fintechs in 2020? Accenture’s insight provides some clarity
The pace of digital transformation across the financial landscape continues to quicken.
In such an environment the digital or cyber threat proposition evolves rapidly, making it essential to maintain the highest standards of technology and preparedness, and keep up to date with the impact of cyber trends.
According to Accenture’s 2019 Ninth Annual Cost of Cybercrime report, financial services incurred the highest cybercrime costs among all industries studied in 2018.
In this research, Accenture explains: “As industries evolve and disrupt the current environment, threats are dramatically expanding while becoming more complex. This requires more security innovation to protect company ecosystems. The subsequent cost to our organisations and economies is substantial - and growing.”
Across all industries, Accenture found that information theft is the most expensive and fastest-rising consequence of cybercrime. However, it noted that there are several drivers behind the evolving global cybersecurity threat for all sectors:
- Evolving targets: data is no longer the only target, according to Accenture. Rather, companies worldwide are seeing their core systems - control systems and infrastructure - being hacked, which can lead to greater disruption.
- Evolving impact: it’s no longer just about theft. For example, cyberattacks are changing approach from simply stealing data to destroying or altering it to create distrust. Today, data integrity itself is vulnerable.
- Evolving techniques: attack methods are adapting quickly. Accenture found a focus on “the human layer” that targets the weakest link - people - through phishing and malicious insiders.
Fintechs and banking: cybersecurity threat
The largest financial services industry data breach occurred in September 2017 when Equifax, one of the three largest consumer credit reporting agencies, exposed the personal information of 147 million people.
The breach was caused by an unpatched vulnerability in Apache Struts, a framework used by one of the company’s US-based web applications. It saw names, social security numbers, dates of birth and other information disclosed, and resulted in several members of Equifax’s C-suite stepping down.
This was by no means an isolated incident. After Equifax, other significant financial services data breaches have seen as many as 130 million, 90 million and 76 million people and households affected.
In a 10 December blog, Be Safe: Cybercrime in the Financial Services Industry, Accenture defined a cyberattack as “malicious activity conducted against an organisation through the IT infrastructure via the internal or external networks or the internet. Cyberattacks also include attacks against industrial control systems.”
Malicious insider attacks, or threats from inside a company’s firewall, are the most dangerous, it says, costing an average of $243,000 per incident and taking more than 50 days to resolve.
As to why this is concerning for banks and financial services institutions, Accenture found in its research that, in banking and capital markets, only 18% of Chief Information Security Officers (CISOs) believed their employees were held responsible for cybersecurity.
Historically, banks and other organisations had one mission: to keep money and information safe from all. Beyond that, says Accenture, additional investment in preventing insiders from accessing data or other information was never prioritised.
Technology vs cyberattack
Innovative and advanced technologies are not being used to their full potential in cybersecurity applications, Accenture finds.
For example, it reports that only one-third of companies are deploying technologies such as machine learning or AI, while only 24% said they were using cyber analytics and user behaviour analysis to their advantage. The latter figure had actually decreased from 31% a year previously.
Accenture calls this trend discouraging, noting that it “suggests financial services firms are struggling to keep up with the rapid pace of new technologies and, as a result, are not making the appropriate investments to increase operations efficiency and reduce risk”.
Because the cyber threat landscape continues to diversify, more focused investment in the right technology can pay dividends.
Accordingly, Accenture set out five key steps for financial services companies to take to begin corrective action:
- Increase defenses against web-based attacks
- Focus on reducing ransomware occurrences
- Invest to prevent disruption to business
- Increase the deployment of technologies that have a high return on investment, such as automation, machine learning and AI
- Manage the use of ‘less effective’ technologies like enterprise governance, advanced perimeter control and the extensive use of data loss prevention
Cybersecurity: man vs machine
Despite malicious insider attacks growing at pace, Accenture reveals in its Cybercrime in Banking and Capital Markets: Technology and Human Vulnerabilities blog that spending on the ‘human layer’ of cybersecurity is insufficient - with only 9% of total budget being spent upon it (network and application layers have the most investment at 37% and 27% respectively).
The largest proportion of investment is being made in security intelligence and threat sharing (79%), although Accenture expects technologies such as AI and machine learning to take precedence in the future due to their delivering the highest cost savings for enterprises.
The blog also calculates that, over the next five years, $347bn of economic value is at risk for the banking sector and $47bn for the capital markets.
This can be prevented by measures such as greater employee education around the threats that exist, a focus on privileged access management to ensure no single employee can compromise security, and the use of technologies such as advanced analytics and automation.