Rebuilding Customer Trust in Financial Institutions
Written by: Isabelle Noblanc
Last month, the UK’s Prudential Regulation Authority (PRA) published its business plan, in which cyber security and operational resilience took centre stage. In his introduction, the PRA’s Chief Executive, Sam Woods, stated that Britain’s financial system was “under almost constant cyber attack”.
It’s clear from recent press that cyber threats are a world-wide problem: victims of cyber attacks in the last year alone have included banks in more than 10 countries around the world. 2017 also saw cybercriminals trying to penetrate a range of financial institutions, including bank infrastructures, e-money systems, cryptocurrency exchanges, capital management funds, and even casinos.
Criminals are also using a range of innovative new methods to gain access to financial institutions. In addition to recent attacks on systems connected through the SWIFT network, cybercriminals have been using malware to infect ATMs, including those on financial institutions’ own networks, as well as attacking remote banking systems through remote APIs, attacking PoS terminal networks, and going as far as making changes in banks’ databases to manipulate card balances.
Clearly the impact on the bottom line is important, but given the extent to which customers rely heavily on online, mobile, wearable tech and interconnected systems using state-of-the-art websites and mobile apps, reputational damage and loss of trust are now the key concern for all financial institutions.
We know that operational resilience is of paramount importance. Financial services need to give equal importance to keeping the front door open and the back door closed. But while there are well-established industry testing and exercise programmes, nowhere in the world is there an overarching prudential standard for operational resilience.
This raises the principal issue of the day: how do financial institutions drive innovation and deliver exceptional customer experience while maintaining safe networks? Well, at a basic level, there are two key considerations that should be treated as fundamental principles for the development and implementation of any new technology.
Firstly, security should be embedded within solutions right from the development stage, not just attached to the solution at the time of going to market. Although more and more organizations are subjecting their solutions to security testing once developed, it can be costly to wait until the very end of the development cycle to address security needs, as a failure could mean having to go right back to the drawing board. In addition, security is not a bolt-on feature to be added later; it must be integrated throughout the different layers of the solution to provide defence in depth.
Secondly, security should be implemented to cover potential risks along the whole supply chain. Doing so is crucial, not only to better manage and safeguard transactions, but to ensure you have considered and fully covered any legalities around the potential for risk in third-party components over which you have no control.
Many solution vendors leverage third-party components as part of their solutions, but security is only as strong as its weakest link. And when it comes to trust, it is the customer-facing brand that end users will blame if something goes wrong.
But beyond the initial development stages, what else can be done? Prioritizing ongoing cyber hygiene is a perennial issue: the constant threat of cyber attacks highlights the importance of making sure your solutions remain free from known vulnerabilities and other software weaknesses.
On an ongoing basis, as well as maintaining industry-standard security protocols, it’s important to build solutions that allow for software updates, thereby making sure security keeps pace with the evolving risk landscape. Security is a process that entails continuously adapting to the threat landscape, and updating solutions is a crucial part of this process.
In addition, it’s important to ensure that these updates are cryptographically authenticated prior to installation and execution, and to deploy ‘anti-rollback’ features that prevent installation of previous, vulnerable versions, so that attackers cannot get in via the back door.
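As an added illustration of the two update controls described above (example code written for this page, not the author’s or any vendor’s implementation): the version number is carried inside the authenticated region of the package, the device authenticates the whole package before reading any of it, and then refuses any version that is not strictly newer than the one installed. The HMAC key `VERIFY_KEY` is a constructed stand-in for a real public-key signature scheme so the example runs with the standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed demo key standing in for the verification key a device holds.
# Production would use a public-key signature (ECDSA/Ed25519) so the device
# holds no signing ability; HMAC keeps this example runnable with stdlib only.
VERIFY_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # SHA-256 output size
HDR_LEN = 4   # big-endian uint32 version number


class UpdateRejected(Exception):
    """Update failed authentication or the anti-rollback check."""


def make_update(version: int, payload: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Package = version || payload || MAC(version || payload).
    The version sits inside the authenticated region so it cannot be edited."""
    header = struct.pack(">I", version)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


def verify_update(installed_version: int, package: bytes, key: bytes = VERIFY_KEY) -> int:
    """Authenticate, then enforce anti-rollback; return the new version or raise."""
    if len(package) < HDR_LEN + TAG_LEN:
        raise UpdateRejected("package truncated")
    header, body, tag = package[:HDR_LEN], package[HDR_LEN:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # Authenticate before trusting anything, including the version field (constant-time compare).
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("authentication failed")
    (version,) = struct.unpack(">I", header)
    # Anti-rollback: genuine-but-older or replayed builds are refused, so a known-vulnerable
    # version cannot be reinstalled.
    if version <= installed_version:
        raise UpdateRejected(f"rollback refused: {version} <= {installed_version}")
    return version


def is_rejected(installed_version: int, package: bytes) -> bool:
    try:
        verify_update(installed_version, package)
    except UpdateRejected:
        return True
    return False


if __name__ == "__main__":
    good = make_update(4, b"firmware v4 (constructed)")
    print("accepted, now at version", verify_update(3, good))
    tampered = good[:-TAG_LEN - 1] + b"X" + good[-TAG_LEN:]  # alter last payload byte
    print("tampered rejected:", is_rejected(3, tampered))
    print("rollback rejected:", is_rejected(4, make_update(2, b"firmware v2 (constructed)")))
```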
Ensuring the security of your solutions is a challenge, and partnering with the right expert to implement and maintain this security means finding a provider that really understands this landscape.
But there is also a competitive advantage to be had. Integrated security and robust testing are also pivotal in being first to market. Customers are discerning and are not likely to use even the most exciting of new products unless they know that their money is safe. This problem grows rapidly as the world becomes increasingly cashless and interconnected.
Balancing innovation and security is a challenge – one that applies in equal measure to established financial institutions and the brightest fintech start-ups. Those that fail to test their solutions and obtain the required certifications as part of their product development will fall at the first hurdle and lose the race.
Delivering a trusted solution must be prioritised over speed: building in security from the ground up means getting to market first and remaining there with integrity intact.