Cybersecurity: What you need to know

Businesses typically consider cybersecurity as an afterthought, despite growth in both the number and types of attacks. In this article, an expert offers his three top cybersecurity trends that financial advisers should be across in today’s increasingly digitised society.

Cybersecurity will increasingly need to be part of the solution if the financial services sector is to embrace new reforms and technologies that enable consumers to have an improved experience with their provider.

The increasingly digitised and connected business landscape means organisations need the help of third parties, which can increase the likelihood of a data breach. Richard Watson, Ernst & Young (EY) Asia-Pacific Cybersecurity Leader, believes three key trends will drive the evolution of cybersecurity in Australian financial services over the next 12 months.

1. The spectre of regulation will continue to dominate

Australian Prudential Regulation Authority (APRA) regulated organisations will need to keep a close eye on how the regulator responds to their efforts to implement the new information security prudential standard CPS 234, which came into effect on 1 July 2019. The key requirements of this prudential standard are that businesses must clearly define information security-related roles and responsibilities, maintain an information security capability commensurate with the size and extent of threats to their information assets, and notify APRA of any major security incidents.

“A particular area of focus will be how organisations are managing their cyber exposure through third parties – those companies they are connected to digitally and with whom they often share their data,” Watson says.

“While a simple concept, it is an incredibly difficult problem to manage, as determining the cyber maturity of your third-party business partners is not straightforward and neither is knowing how to respond once you do understand their maturity.”

When polled by EY, chief information security officers (CISOs) generally believe that regulation is a good thing. EY’s 2020 Global Information Security Survey found that 59% of Asia-Pacific CISOs believe regulation drives the right cybersecurity focus and behaviours.

However, the real changes will need to come at board level. Directors will need to demonstrate not just a cursory understanding of cybersecurity practices but also prove their oversight of, and commitment to, both the management of data and the information security practices associated with that data.

2. Companies need to be focused on cyber resilience, not living in ‘fear of breach’

With high-profile cyber breaches often compromising the personal records of millions of people, it is easy to see why these incidents have been top of mind for large corporates considering their cybersecurity spend. However, Watson thinks this is changing.

“Up until mid-to-late 2018, cybersecurity was dominated by ‘fear of breach’ – the reputational damage of a data loss event, or a breach of confidentiality,” he says. 

“Following the large global incidents of 2017-18 (the WannaCry and NotPetya ransomware attacks) there was a shift in attitude, and the principles of availability and integrity of systems and data came to the fore.

“This will continue in Australia this year. Ransomware attacks, triggered by phishing emails, are among the most feared attacks for organisations and their boards.”

For advisers, it is worth noting that four new malware samples are created every second, and that phishing remains one of the most successful attacks due to its speed and return on investment. It is also worth reminding clients that the escalation of the coronavirus situation has seen an increase in phishing emails and SMS messages claiming to be from governments or other trusted organisations. Recipients are tricked into clicking on malicious links or entering confidential details.

3. Cybersecurity is still seen as an afterthought

According to Watson, organisations need to begin taking a ‘security by design’ approach, whereby security measures are considered and built in from the very first stages of a new business initiative. 

“In EY’s 2020 Global Information Security Survey, only 36% of respondents said their cybersecurity team is involved in new business initiatives right from the start. There may be a number of reasons for this – it’s now very easy to spin up a new initiative by buying access to a cloud and apps that are outside of the span of control of the CIO and security team, but also traditional CISOs tend to be more technically focused than business focused, meaning it’s hard for them to get a seat at the table when new business ideas are launched.

“The biggest piece of advice here: whatever you are considering doing as a business, take time to stop and think about the cyber risks your idea might open you up to and seek advice to manage them now, not the day before launch.”

More broadly, for Australian financial services companies, this may mean partnering with reputable organisations that conduct extensive security assessments, as the potential threats are vast and evolve quickly.