The financial sector’s risk management approach has changed significantly in recent years. While some of these changes were expected, such as continued constricted regulations, others were less expected, including an increasing realisation that cyber and financial crime are closely-linked, and need to be addressed as an integrated security risk with an integrated strategy.
Sanjay Samuel, Head of Financial Crime Asia Pacific at BAE Systems Applied Intelligence, said: “These changes to risk management have been driven by significant cyber penetrations driven by financial crime. With the evolution of malware, the threat landscape has evolved and criminals are specifically targeting financial organisations; the volume of which is increasing ten-fold.
“In addition to this, continued problems with compliance monitoring has been uncovered after the fact, showing these regimes have been ineffective. There are a number of large financial institutions that have significant and what they have thought are sophisticated monitoring regimes in place and yet have been unable to protect themselves effectively when an attack has occurred.
“There is a lack of cyber security analytics capability and technology in organisations. Most have a vast array of security technologies but these technologies don’t talk to one another and are often managed by different teams within the organisations.
“This means attacks may go unnoticed or not be responded to from a holistic security perspective, even though the organisation’s security technologies may actually have detected the incidents.
“As companies become aware of these gaps, it has led to higher budgets, increased integration of risk and security teams, and the emergence of conscious convergence strategies across cyber and financial crime monitoring services,” she said.
BAE Systems have identified four key risks financial institutions may be vulnerable to in the coming months and years:
1. Lack of integrated approach One of the continued risks for the financial sector is the lack of an integrated approach to cyber and financial crime. This could lead to some institutions being a soft target for ever more sophisticated fraudsters.
2. Criminals diversifying their activities Increasing use of automation and the growth of identity compromises lets financial criminals diversify their activity, making it difficult to detect within a single institution. For example, there is an increase in money mule accounts that are only used once or a few times before moving on, making them harder to track. This could be addressed through more cooperation across the financial services industry.
3. Permeable boundaries To service customers more effectively online in a multichannel environment, financial institutions tend to make their organisational boundaries more interconnected and therefore less secure. This security risk must be considered in order to protect both the organisation and its customers from unwanted perpetrators.
4. Mobile customer base A more mobile customer base requires fast, easy access to services online, posing another risk to financial institutions as these same services offer fraudsters and hackers anonymity. It may prove difficult to identify authentic customers while continuing to provide the same user experience for customers.
“Financial institutions are increasingly aware of the risks, trends and changes in the sector. Traditional financial services institutions are geared up to handle this from a fraud and compliance angle. New entrants, such as telcos, who are becoming financial services providers in some cases, may have to play catch up on the types of systems they need to put in place to protect them and their customers,” Sanjay said.