The banking sector is made up of an ecosystem of partners, which work together to provide the different financial services we rely on. Director of Sales, Sean Arrowsmith, sums up a recent conversation with cybersecurity professionals from the banking sector to get their perspective on the cybersecurity risks in the supply chain.
Deeper digital and data connectivity between organisations in recent years has increased the risk of cyber breaches across all sectors, and the financial services sector is highly exposed. Regulators are responding with cybersecurity initiatives such as the EU’s Digital Operational Resilience Act (DORA) to help strengthen financial sector defences.
Some of the biggest challenges lie in securing banking supply chains. What is the extent of these challenges? And how can financial institutions and companies, large and small, prepare? Is there a role for cyber insurance?
We recently spoke to the chief security officer (CSO) of a leading bank, the chief information security officer (CISO) from a banking tech provider and a professor of cybersecurity for a panel discussion about the cyber risks faced by the financial services industry. Here’s what we learned.
(The following is an excerpt from a longer report – download the full story here).
Supply chains are only as strong as the weakest link
Any bank or financial services firm today, large or small, is plugged into an ecosystem of partners that provide, for instance, data analytics or compliance services. Large incumbent banks are also often working with fintechs in areas such as app development or back-office automation.
The innovation benefits of collaboration can be offset by the cyber risks that come with having more supply-chain partners. No matter how strong a company’s own cyber defences, its security is only as robust as the weakest link in its supply chain. “If you don’t think you do business across borders, think again, because your supply chain goes across borders,” argued the tech company panellist.
“The supply chain is where the biggest challenges exist,” agreed the panellist from the bank. “Over a 10-year time frame large organisations have invested in their own capability, but that has displaced the risk into the supply chain and organisations that simply can’t resource and build security in the same way.”
Incumbent banks run into challenges when collaborating with fintechs, too. “A large organisation can work with a fintech company in a well-controlled [pilot] phase, but during hyper-growth, they run into a ‘controls cliff’ in terms of all the requirements, standards, assurance and regulation,” he added. “The interesting thing is how to navigate that cliff while keeping the secret sauce, the reason why that fintech company was successful in the first place.”
More optimistically, the technology panellist pointed out that large companies can strengthen suppliers and the entire supply market by setting their own cyber-protection standards and obliging vendors and partners to raise the bar. “One client of ours spent a huge sum, causing us a lot of trouble – but it was the right kind of trouble, forcing us to become the partner they needed.”
No amount of preparedness can guarantee zero cyber risk. Supply-chain insurance could add an extra layer of protection, but products are still in their infancy. Today, such insurance “is unwieldy and it doesn’t reduce risk,” said the banking panellist. The professor said insurance companies “are not ready. Underwriters still don’t know how to price the premium for cyber insurance”. While they have decades of experience and data to price car insurance, in the cyber domain insurers struggle to measure and quantify threats.
But the banking panellist added that the insurance industry is starting to wise up. “If insurers are paying out, that leads to action. The way cyber insurance gets priced is changing fast and the way they are probing an entity [to which] they are providing a policy… that is changing quickly. It’s an interesting thing to watch, how they assess and price risk. The corpus of data is growing very fast.”
To read the summary of the full discussion, click here.
So what can be done? First, it’s important to get the basics in place in your own organisation. Is your organisation Cyber Essentials certified? Next, you need to make sure your suppliers have the essentials in place too, by running a robust third-party assurance programme.
You can find out more about how we can help with supply chain cybersecurity here.