When we began the year as professionals in the compliance industry, few could have predicted what would happen as a result of the COVID-19 crisis. One challenge that’s taken centre stage is the rise of cyber-attacks, accelerated by actors taking advantage of COVID-19 chaos. This makes cybersecurity even more of a top priority for organisations around the world.
Some good news: Despite the number of cyber-attacks during the COVID-19 crisis, the volume of security breaches has actually been declining, suggesting that heavy investment in cybersecurity is beginning to pay off for organisations.
However, what is still apparent is the weariness of many teams and individuals. Operating in an environment where staff are working remotely, where sensitive data is being processed on potentially insecure networks, and where access to data may involve sharing and printing on personal equipment, many players are amending their risk appetite to reflect the new normal.
Organisations have likely never experienced operating within business continuity protocols for more than a few days, and this extended period of balancing multiple challenges is beginning to worry CCOs and their compliance teams. The ability of organisations to balance multiple incidents while maintaining BAU compliance activities is vital, especially in situations where Regulators have been unable or unwilling to make concessions (such as AML and CDD activities). The impacts on customer experience, reputation, integrity, and resilience are some of the more immediate reasons to take cybersecurity seriously, and the longer-term impact of regulatory fines, censure, and customer restitution should be front and centre as well, especially as many organisations will be operating under pressure for the foreseeable future.
An uncharacteristically stressed workforce?
We are already in the heart of a deep recession, and while we are all looking for shreds of optimism, we know the impact of COVID-19 is likely to be deeper than it is today.
With a stressed workforce, attacks are more likely to occur. People may be pressured to take unnecessary risks or even commit internal fraud to help address their own personal financial circumstances. This uncharacteristic response is just one of the challenges we face. Organisations must stay vigilant and be aware of fraudsters who will look to take advantage of the instability of home working arrangements, system integrity issues, or other vulnerabilities within organisations.
Geo-Political Cybersecurity Threats
2020 was always going to present a unique combination of challenges and threats. Of course, the US Presidential Election in November and the end of the UK’s transition from the EU on 31 December have the capacity to add considerable turbulence in the financial services industry.
Added to these known risks, the rapid decoupling of the US, Chinese, and EU tech sectors is already affecting flows of talent and investment. This acrimonious separation is challenging for those with cybersecurity in their job titles, with the Huawei 5G fallout likely to increase threats emanating from state-sponsored actors.
Organisations also need to consider other state interference in political, governmental, and corporate entities. While espionage is nothing new, the speed and pace of change and our reliance on the connected world ultimately means that organisations need to be more aware of overt and covert surveillance and interference than ever before.
Terrorism, activism, and small-scale protests can impact organisations. While threats from these are often short-lived and local, if they coalesce, the repercussions can be quick, unexpected, and reputationally damaging.
Understanding Metrics and Investing in Resilience
There are several cybersecurity factors organisations should consider:
- How many attacks are deflected?
- How many attacks become breaches?
- How many breaches create outages?
- How long do systems stay offline?
- How quickly can normal services resume?
In addition to these, regulatory factors and impact reporting should be taken into account, and each organisation will need to quantify the reputational and financial impact of each cybersecurity incident accordingly.
Of course, organisations want to reduce the time spent reacting to and reporting incidents; therefore, greater emphasis should be placed on infrastructure investment and systems risk assessment. Some of the recommended cybersecurity initiatives are:
- Root and branch risk assessment of all Cloud IaaS platforms: A clear understanding of the providers’ own resiliency will help when constructing your own plans.
- Mapping of all internal and third-party systems’ architecture and dependencies: Complex organisations across multiple sites (and WFH/BYOD environments) may quickly lose track of suppliers and interdependencies. Consider how your company’s procurement professionals will keep you abreast of supplier M&A activity to ensure your go-to points are maintained.
- Cataloguing and phased replacement of all legacy hardware and operating systems: All players should know where their hardware risks are greatest and take appropriate action to disconnect vulnerable hardware and patch/update software as required.
- Taking a risk-based view of recruitment, training, and retention: Ensure that budgets are available to maintain and reward the best performers in the workforce.
- Deploying tech to drive an intelligent view of the entire network infrastructure: Knowing where vulnerabilities exist allows for highly responsive and effective interventions, preventing breaches and loss.
Don’t get blindsided by concurrent stress factors
We’ve already highlighted the practical challenges of the current climate. Now let’s consider how you can manage the multiple risks emerging concurrently right now. Below are important questions to consider when navigating these complexities.
Human Resources: How to ensure your checks and balances are operating as usual
- Who is ready to step up?
- Who has the skills to retrain?
- Who has the knowledge to help manage areas of maximum stress?
- How will supervisory activities be continued in a remote environment?
- How do you maintain the mental and physical wellbeing of your workforce while working at a distance?
Technology: Quickly integrate software solutions to help automate quantitative tasks
- If the organisation can automate quantitative tasks, can existing resources be repurposed to other business critical areas?
- Can you upskill your human resources to do more with the information provided by software solutions?
- Can you afford not to automate processes if the current operational environment continues for the foreseeable future?
- Can you establish a clear business case across the company to support investment in third party compliance software solutions?
- How can you do more with less?
BAU: Have disparate and remote teams undertake business critical activities
- Can your organisation demonstrate BAU trading conditions when working from multiple business continuity plans?
- How are mandates, approvals, and reporting tasks maintained in an out-of-office environment?
- Does your organisation understand your responsibilities to regulators in every jurisdiction in which it operates – even in extenuating circumstances?
What comes next?
Cybersecurity risks will continue to take precedence. Fortunately, technology, software, and AI are driving change in financial services. While successfully implementing RegTech is often an intricate process that involves navigating dependencies, budget provision, and required deliverables, given the number of risks in this uncertain world, it’s more important than ever to have reliable systems and processes in place. Now is the time to rebuild resilience in your company, learn from what went well (and not so well) in the last few months, and prepare for what’s ahead.