CSAM Industry Vertical: Finance

When most people think of cybersecurity, they think of IT departments protecting corporate networks, or of individuals at home on their personal computers. But cybersecurity is differentiating rapidly as more people realize that its actual goal is to improve the reliability of some other business process or product, not to be an end in itself. Since these business processes vary widely from one industry to another, it makes sense to talk about the unique issues and approaches faced by individual market verticals. Today: the financial industry.

The financial industry, including banks but also financial markets (stock exchanges), credit card companies and others, was one of the first commercial industry verticals to realize this need for cybersecurity. In part, of course, this realization came about because the financial industry is where the money is, and so it is subject to direct, frequent attacks for purposes of fraud or theft. Additionally, however, as we have learned during the occasional market glitch or through the application of international sanctions, the financial industry is an essential component of commerce both domestically and internationally. As such it is also the target of attacks from those seeking to do economic damage or bring down portions of our country’s critical infrastructure, including very high volumes of Distributed Denial of Service (DDoS) attacks whose goal is simply to disrupt.

As a result of these pressures, the industry has been a leader and early adopter of security technology. Most banks now routinely use two-factor authentication, for example, for online transactions. The Financial Services – Information Sharing and Analysis Center (FS-ISAC) was one of the first, and is still one of the strongest, information sharing groups, as the banks realized they were not competing on the basis of security, but rather treated it as a common good. The industry has its own established mechanisms (BITS) for vetting technologies of interest, and its own FinTech technology accelerators for transitioning new technologies. Many banks have thousands of employees and millions of dollars dedicated entirely to cybersecurity as one aspect of their overall security posture.

But the picture is not entirely rosy, and the industry seems to be entering a period of rapid change. In spite of all the security measures, financial institutions routinely write down several percent of their revenues to loss or fraud, increasingly online. Banks are increasingly pushing back on their liability for these losses. Financial institutions DO compete on ease-of-use for their customers, so the cumbersome two-factor authentication processes remain open to significant improvement.

On the technology side, mobile payments from Apple, Google and others are bringing structural change to the industry, as are technology changes such as “tokenization”, which stops the transmission of actual credit card or other account data by replacing it with transaction tokens. On the insurance side of the industry, cyber-insurance is growing rapidly in spite of the fact that the equivalent of actuarial tables for risk, or even best practices for reducing risk, remain a work in progress. And e-currencies such as Bitcoin and the underlying technologies they use, initially fought by the industry, are now beginning to gain traction as the transactional, regulatory and technology components of the industry all try to understand the implications.

As a user of financial services there is not much that you can do to directly affect these evolutions. Probably the best you can hope for is understanding the risks of various types of financial transactions and your level of comfort with them (do you use e-pay systems? how about Bitcoin?), and adjusting your behavior accordingly. I’m certainly not a financial advisor, but for me segmenting financial accounts across various institutions and transaction types provides a direct method for comparison shopping across security features, and at least feels like it reduces my overall exposure to any given fraud or attack. There is a lot at stake in the continued effective functioning of our financial institutions, and the future of this critical infrastructure depends on the collective ability of the industry to manage and adapt to change.
