The Banking, Financial Services, and Insurance (BFSI) industry, known for its cautious stance on technology, is swiftly undergoing a transformational modernisation journey. Areas such as digital customer experiences, automated fraud detection, and real-time risk assessment are all part of a technology-led roadmap. This shift is transforming the cybersecurity stance of BFSI organisations, which have conventionally favoured centralising everything within a data centre behind a firewall.
Ecosystm research finds that 75% of BFSI technology leaders believe that a data breach is inevitable. This requires taking a new cyber approach to detect threats early, reduce the impact of an attack, and avoid lateral movement across the network.
BFSI organisations will boost investments in two main areas over the next year: updating infrastructure and software, and exploring innovative domains like digital workplaces and automation. Cybersecurity investments are crucial in both of these areas.
As a regulated industry, breaches come with significant cost implications, underscoring the need to prioritise cybersecurity. BFSI cybersecurity and risk teams need to constantly reassess their strategies for safeguarding data and fulfilling compliance obligations, as they explore ways to facilitate new services for customers, partners, and employees.
The primary concerns of BFSI CISOs can be categorised into two distinct groups:
- Expanding Technology Use. This includes the proliferation of applications and devices, as well as data access beyond the network perimeter.
- Employee-Related Vulnerabilities. This involves responses to phishing and malware attempts, as well as intentional and unintentional misuse of technology.
Vulnerabilities Arising from Employee Actions
Security vulnerabilities arising from employee actions and unawareness represent a significant and ongoing concern for businesses of all sizes and industries – the risks are just much bigger for BFSI. These vulnerabilities can lead to data breaches, financial losses, damage to reputation, and legal ramifications. A multi-pronged approach is needed that combines technology, training, policies, and a culture of security consciousness.
Training and Culture. BFSI organisations prioritise comprehensive training and awareness programs, educating employees about common threats like phishing and best practices for safeguarding sensitive data. While these programs are often ongoing and adaptable to new threats, they can sometimes become mere compliance checklists, raising questions about their true effectiveness. Conducting simulated phishing attacks and security quizzes to assess employee awareness and identify areas where further training is required, can be effective.
To truly educate employees on risks, it’s essential to move beyond compliance and build a cybersecurity culture throughout the organisation. This can involve setting organisation-wide security KPIs that cascade from the CEO down to every employee, promoting accountability and transparency. Creating an environment where employees feel comfortable reporting security concerns is critical for early threat detection and mitigation.
Policies. Clear security policies and enforcement are essential for ensuring that employees understand their roles within the broader security framework, including responsibilities on strong password use, secure data handling, and prompt incident reporting. Implementing the principle of least privilege, which restricts access based on specific roles, mitigates potential harm from insider threats and inadvertent data exposure. Policies should evolve through routine security audits, including technical assessments and evaluations of employee protocol adherence, which will help organisations with a swifter identification of vulnerabilities and to take the necessary corrective actions.
However, despite the best efforts, breaches do happen – and this is where a well-defined incident response plan, that is regularly tested and updated, is crucial to minimise the damage. This requires every employee to know their roles and responsibilities during a security incident.
Tech Expansion Leading to Cyber Complexity
Cloud. Initially hesitant to transition essential workloads to the cloud, the BFSI industry has experienced a shift in perspective due to the rise of inventive SaaS-based Fintech tools and hybrid cloud solutions, that have created new impetus for change. This new distributed architecture requires a fresh look at cyber measures. Secure Access Service Edge (SASE) providers are integrating a range of cloud-delivered safeguards, such as FWaaS, CASB, and ZTNA with SD-WAN to ensure organisations can securely access the cloud without compromising on performance.
Data & AI. Data holds paramount importance in the BFSI industry for informed decision-making, personalised customer experiences, risk assessment, fraud prevention, and regulatory compliance. AI applications are being used to tailor products and services, optimise operational efficiency, and stay competitive in an evolving market. As part of their technology modernisation efforts, 47% of BFSI institutions are refining their data and AI strategies. They also acknowledge the challenges associated – and satisfying risk, regulatory, and compliance requirements is one of the biggest challenges facing BFSI organisations in the AI deployments.
The rush to experiment with Generative AI and foundation models to assist customers and employees is only heightening these concerns. There is an urgent need for policies around the use of these emerging technologies. Initiatives such as the Monetary Authority of Singapore’s Veritas that aim to enable financial institutions to evaluate their AI and data analytics solutions against the principles of fairness, ethics, accountability, and transparency (FEAT) are expected to provide the much-needed guidance to the industry.
Digital Workplace. As with other industries with a high percentage of knowledge workers, BFSI organisations are grappling with granting remote access to staff. Cloud-based collaboration and Fintech tools, BYOD policies, and sensitive data traversing home networks are all creating new challenges for cyber teams. Modern approaches, such as zero trust network access, privilege management, and network segmentation are necessary to ensure workers can seamlessly but securely perform their roles remotely.
Looking Beyond Technology: Evaluating the Adequacy of Compliance-Centric Cyber Strategies
The BFSI industry stands among the most rigorously regulated industries, with scrutiny intensifying following every collapse or notable breach. Cyber and data protection teams shoulder the responsibility of understanding the implications of and adhering to emerging data protection regulations in areas such as GDPR, PCI-DSS, SOC 2, and PSD2. Automating compliance procedures emerges as a compelling solution to streamline processes, mitigate risks, and curtail expenses. Technologies such as robotic process automation (RPA), low-code development, and continuous compliance monitoring are gaining prominence.
The adoption of AI to enhance security is still emerging but will accelerate rapidly. Ecosystm research shows that within the next two years, nearly 70% of BFSI organisations will have invested in SecOps. AI can help Security Operations Centres (SOCs) prioritise alerts and respond to threats faster than could be performed manually. Additionally, the expanding variety of network endpoints, including customer devices, ATMs, and tools used by frontline employees, can embrace AI-enhanced protection without introducing additional onboarding friction.
However, there is a need for BFSI organisations to look beyond compliance checklists to a more holistic cyber approach that can prioritise cyber measures continually based on the risk to the organisations. And this is one of the biggest challenges that BFSI CISOs face. Ecosystm research finds that 72% of cyber and technology leaders in the industry feel that there is limited understanding of cyber risk and governance in their organisations.
In fact, BFSI organisations must look at the interconnectedness of an intelligence-led and risk-based strategy. Thorough risk assessments let organisations prioritise vulnerability mitigation effectively. This targeted approach optimises security initiatives by focusing on high-risk areas, reducing security debt. To adapt to evolving threats, intelligence should inform risk assessment. Intelligence-led strategies empower cybersecurity leaders with real-time threat insights for proactive measures, actively tackling emerging threats and vulnerabilities – and definitely moving beyond compliance-focused strategies.
As people continue to work remotely to cope with the effects of COVID-19, organisations are revamping their infrastructure, educational institutions are adopting eLearning, brick and mortar shops are going online, and businesses across the globe are focusing on enhancing customer and employee experience to ensure business continuity.
Evolving Cyber Threat Landscape
These digitalisation trends are here to stay. However, as organisations strengthen their digital transformation agenda, this will unfortunately also make organisations more susceptible to cyber incidents. While cyber-attacks were already on the rise pre COVID-19, we have seen a marked increase with several high-profile global incidents coming to light post COVID-19 – which includes attacks not only on financial services companies, healthcare providers, local and national government infrastructure but also on numerous SMEs, that may not be geared to respond to these incidents.
A recent Global CXO study conducted by Ecosystm on behalf of Asavie found that around 44% of organisations faced cyber-attacks during COVID-19. The Future of the Secure Office Anywhere study, with feedback from over 1,000 business and technology leaders globally, also finds that of the organisations that faced cyber-attacks, a staggering 87% acknowledged that their employee devices had been compromised.
The pandemic also exposed the shortcomings of existing security measures, requiring organisations to shift their focus on cybersecurity. Another Ecosystm study on Digital Priorities in the New Normal indicates that the top IT priority for organisations in the midst of COVID-19 has been to re-focus their efforts on managing cyber risks and measures.
Need for Cyber Risk Insurance
Our research finds that 71% of organisations think that a data breach is inevitable, irrespective of how much IT and cybersecurity teams evolve their prevention, detection, and response plans; and educate their employees of the potential cyber risks. Organisations face immense risks around sensitive data loss, financial consequences, cyber extortions, and loss of reputation. Cyber risk cannot be treated and viewed in the same way as other traditional risks to the organisation.
While cybersecurity remains a key priority, Ecosystm’s ongoing Cybersecurity and Data Privacy Research finds that only 45% of organisations globally have a Cyber Insurance policy. Given the strategic importance of Singapore as a regional hub, this figure is alarmingly low for the country. Perhaps Singapore’s strong Cyber and Data Governance frameworks are making businesses complacent?
An inhibitor to Cyber Insurance adoption is that organisations consider the process of evaluating their risks, defining their policy requirements, and the conversations with their insurance providers complicated.
InsureTech Increasing Accessibility
Armed with innovations and leveraging data-driven intelligence, InsureTech companies are providing answers to some of the major customer issues. Cloud-based platforms make it easier to purchase on-demand policies and products. They are also able to provide more personalised products and services, taking into consideration organisations’ business strategies and culture.
InsureTech companies are creating innovative solutions to address cyber risks, calculate business risk, and provide digital resilience to help companies prevent breaches. In addition to this, InsureTech is enabling corrective actions to protect risk-assets that could help vulnerable organisations prevent catastrophic losses.
InsureTech Innovations from New Zealand
As a Kiwi, and a NZTE Beachhead Advisor, one thing I know is that people look to New Zealand for the human-centric approach we bring to almost everything. So it’s not surprising to see technology innovations that originate from ‘Aotearoa’ – ‘the land of the long white cloud’ – that exude simplicity and customer centricity. New Zealand has also seen an impressive growth in the number of FinTech and InsureTech start-ups that are expanding across international borders. What was once New Zealand’s limitation on the global stage with the tyranny of distance, has now been nullified with the advent of the digital economy – and the country finds its footing as a key player in the new global ‘Digital’ order. The technology sector has become a significant contributor to the New Zealand economy, in terms of jobs, GDP and exports, and has also led to the creation of a strong technology innovation partner ecosystem for international growth.
One area that is seeing innovation and start-up participation in New Zealand is InsureTech with a focus on cybersecurity. The sector is starting to see the emergence of an impressive pool of promising high growth companies. We have seen a recent example of a note that demonstrates the focus on accelerating international expansion. The partnership between two of New Zealand’s prominent InsureTech companies – the Delta Insurance Group and Sentro – is aimed to drive a global growth expansion agenda. Delta Insurance Group with its presence in Asia, UK and Europe have offerings in cyber risk security, data protection and cyber liability and recently introduced their group Personal Cyber insurance (PerCy) into the Singapore market. Their newly launched product will be powered by Sentro – another Kiwi startup – that has recently won significant acclaim for their cloud-based platform hosted on Microsoft Azure. Their SaaS solution works behind the scenes to provide digital dashboards and cloud capabilities to Delta Insurance customers. For me, it is always encouraging to see such examples of New Zealand companies collaborating to offer their innovations to the world and punching above their weight.
Leveraging InsureTech Innovation
The adoption of technology – analytics, automation and cloud platforms – is bringing innovation to Insurance and benefits by optimising tasks across the value chain. Insurance companies are starting to understand the need to become more focused on digital transformation, to offer flexibility and responsiveness for a better customer experience.
The post-COVID-19 world is an opportune time for Cyber Insurance companies, and they have immense market potential. All they need to do is to be visionary, be customer-centric and re-imagine the future through a digital lens to extend value to customers. With the greatest FinTech showcase – The Singapore FinTech Festival 2020 from 7th to 11th December 2020 – round the corner in Singapore, I am looking forward to what promises to be an exemplary show of some of the world’s most resilient and innovative start-ups. And I am confident that New Zealand is going to find its spot front and centre! The Delta and Sentro partnership is just a preview of the innovation brewing in Middle Earth!