Global collaboration needed to mitigate cyber threats

At the first day of the ASIC Forum 2019, taking place in Sydney between 16 and 17 May, delegates from across the finance and regulatory sectors heard how the threat of cyber espionage and “hacktivism” was an increasing and global problem – but one that should not make the sector afraid of digitising the finance world.

Speaking during a panel discussion titled “Global risks, local solutions”, financial regulators from Australia and the UK as well as the CEO of Macquarie Bank agreed that collaboration, rather than competition, was needed in order to protect against cyber crime.

Mary Reemst, Macquarie Bank’s managing director and CEO, told delegates that while financial institutions are experiencing a “departure from face-to-face servicing models to one where the client happily self-services or integrates digitally”, the importance of protecting the information that is passed over digitally is becoming increasingly sophisticated in tandem with more sophisticated attacks.

“We are working in an environment where adversaries are harnessing new technology and adapting their strategies with motivation varying from criminal intent to cyber espionage and hacktivism.

“To counter this, cyber security must keep pace with this innovation and continuously evolve to address changes in risk, compliance, business and technology.”

She continued: “The drive to deliver great client experiences that manage security risk in a simple but effective manner is a challenge across the whole industry. To achieve it successfully, a collaborative approach across the industry, law enforcement, regulators and government needs to be achieved.

“The industry needs to be open to sharing data and information on solutions between each other and the other agencies. By doing so, we can leverage our collective knowledge and resources to deliver better outcomes for all financial service clients and better attack the criminals.”

When asked to elaborate her thoughts further, Ms Reemst said: “Regulators, governments, and so on, are in relatively new paradigms of technology… there are many players and many bad actors who are well resourced, are very capable and efficient and very, very patient. And that is a threat. And I think that we all have a combined interest in pooling together resources.

“There is no competitive advantage of having the best cyber security… So, the best thing is sharing resources, bringing together law enforcement agencies, bringing together governments, and we are starting to do this in Australia (and there are a lot of examples of where this is happening overseas) because what it actually brings is not only prevention but near real-time information about frauds that are trying to be perpetrated or are being perpetrated.”

Likewise, Andrew Bailey, the chief executive of the UK Financial Conduct Authority, said that the risks had changed radically in the past decade.

Mr Bailey said: “If you sat here and asked us [10 years ago] to do a league table of risks, operational risk would have been in the league table but it would not have been very high up. That is not true today. It has come up the league table very rapidly, for reasons that we well understand – it is a different world.

“There are a lot of different risks than some of the ones we traditionally see in the conventional world… I think the approach towards regulation is different in terms of how you think about calibrating the accountable affordability buffers for a given risk tolerance.

“What we know, particularly with cyber risk, is that it is different because it never stops at all. Whatever we do today is important but it isn’t the end of the story, we know we are going to have to come back in the future.”

Mr Bailey added that when he is asked by parliamentary committees whether he can assure them that security breaches will not happen again, he responds that not only can he not assure them that, but that breaches would have probably occurred during their conversation.

“That is the reality of the way we have to think of this risk,” the FCA chief said.

“And of course, it inherently knows no borders. So while we all have to address it in our domestic systems, the more we can do to collaborate on this, absolutely, the better.”

He concluded that many of the laws in place today were “designed for a previous world”.

Speaking from an Australian regulatory perspective, the chairman of the Australian Prudential Regulation Authority (APRA), Wayne Byres, agreed that work in this area should not be seen “as a competitive battleground” or “be an issue of friction or tension between regulators and industry or industry participants and each other”.

Mr Byres explained: “To get any sort of reasonable level of comfort, we’ve really got to work together in a coordinated way.

“So, for us, there are a range of strands of activity: one is obviously focusing on the extent to which individual institutions are taking the issue, one is the network of regulators domestically and strengthening engagements and partnerships with key regulators (and not just the traditional financial regulators, but those who are much more knowledgeable than either of us in that space) and then also, the developing international regulatory network, so being engaged in all of those things.”

However, Mr Byres added that the financial market should not be “afraid” of digital adoption because of cyber risks.

“The thing we have to think about, and we’ve thought about it a lot in our strategic planning process, is that the evolution of the system and increasing digitisation of the world that we live in has both benefits and costs,” the APRA chair explained.

“And so the real challenge is to avoid just being focused on the risk, because then you end up stifling the opportunities and the benefits and the flow.

“In many cases, for institutions in financial markets – and I’m sure I’m not just speaking for Australia here – there is a lot of risk in the old way of doing things. And so, the adoption of technology is something that we have to be careful not to be afraid of because of the risk – because a lot of risks already exist,” he said.

[Related: 2 in 5 financial sector data breaches due to human error]