Interview

Banking security: lessons learned and future perspectives

Monday 19 March 2018 09:47 CET | Editor: Melisande Mual | Interview

Ian Benson from PwC offers his insights on how to avoid cyberattacks and become a reliable financial services provider

Which were the biggest cyber threats that 2017 has brought to the online banking sector?

The cyber threats have been increasing generally over the last few years, as our digital dependency continues to rise. One of the most common ways into an organisation is still to target customers or staff directly via emails or phone calls to gain access to systems or to trick an individual into transferring payments to another bank account. We’ve also seen a sharp rise in ransomware attacks, which prevent access to systems unless an unlock fee is paid, plus automated attacks aimed purely at causing the maximum damage to systems.

Because of the potential rewards on offer in the banking sector, cybercriminals are investing time to understand the intricacies of how business processes and systems work, as seen with recent attacks on payment networks. Hackers have found ways to access these networks by exploiting the vulnerabilities in several banks’ systems. This has enabled them to create untraceable malware, allowing them to transfer large sums of money around the world.

Under the current security context, what are your recommendations for banks? What should they be aware of and how can they prevent fraud more efficiently?

With attackers getting ever smarter, financial services organisations need to shift their thinking from protecting the perimeter to embedding cyber resilience into their organisation – looking at how business processes work and where the potential weaknesses might be.

It’s important to think about your risk profile and know your data: what you have, where it is, what it is used for, and what third parties you rely on to protect it. Once you know the facts, then you can build an effective targeted strategy to secure your critical assets.

Make sure you’re investing in the right areas and don’t wait until it’s too late. So many of the large-scale attacks happen by exploiting simple known vulnerabilities. You need to have the right skills in place to monitor systems for suspicious behaviour or access, but also to back up data and patch systems regularly. Educating staff, building awareness amongst customers and working with secure partners is also key.

Cyberattacks are now a case of ‘when’ rather than ‘if’, but our recent Global State of Information Security Survey found that nearly one in five UK organisations admit they don’t prepare for when the worst does happen. Having an incident response plan in place, and testing it regularly, is essential to make sure that everyone involved knows what to do in a crisis.

What opportunities will General Data Protection Regulation bring for bank customers and what regulatory challenges will it bring for financial institutions in terms of data privacy?

One of the primary aims of the GDPR is to give more control to the consumer over their personal data, including increased rights around the collection and processing of personal data, and more visibility into how it is used. The right to data portability also means that customers will be able to move from one bank to another more easily, with direct transfer of personal data.

Apart from the obvious regulatory challenges that the GDPR introduces, such as fines of up to 4% of global turnover, we are seeing many financial institutions trying to tackle the operational challenges involved, so they can effectively and efficiently:

  • Know where personal data is being stored and transferred to, so they can have the right controls in place;

  • Appropriately manage and change the data in line with customer requests and expectations;

  • Identify and respond to data breaches immediately, including notifying regulators and data subjects promptly.

Whilst this is not an easy challenge, the most forward-thinking organisations are those that approach this not purely as a compliance exercise, but consider how they can use this opportunity to rethink operations. Getting your data privacy approach right can be a business differentiator, while also bringing a competitive advantage. 

What actions has PwC been taking for 2017 in order to help financial institutions prevent fraud? Can you share some plans and predictions for 2018 as well?

This year, we have been working to establish several joint business relationships with innovative technology companies to improve fraud detection with advanced analytics. When it comes to investigation work in large-scale fraud cases for our clients, this helps understand root causes and then strengthen the controls in place.

In 2018, the trend of open banking (and associated regulations like PSD2) will introduce new potential channels for fraud within the payments and banking ecosystem. These need to be handled with the right combination of business, risk and technology considerations.

We’ll see a stronger focus on digital identities and multi-device customer authentication, but also the continued increase in popularity of machine learning and behavioural analytics tools, with many advanced systems being deployed across the industry.

This interview was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

About Ian Benson

Ian is a Partner in PwC’s Financial Services practice. He has over 17 years’ experience working with banks and other financial institutions to help them understand and manage their cyber risk.

About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services.

