Last year, the Presidency of the Council of the European Union and the European Parliament reached an interim agreement on the Digital Operational Resilience Act (DORA) to improve the cybersecurity of financial institutions in Europe. Once DORA is adopted by EU countries, financial companies will need to ensure that they can counter, respond to, and recover from all types of information and communication technology (ICT) disruptions and threats, with the ultimate goal of preventing and mitigating cyber threats. The regulation takes a differentiated approach to small, micro and interconnected entities.
The European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), are developing “technical standards that all financial services institutions must comply with”. In addition, critical third-party ICT service providers, particularly cloud providers serving financial institutions in the EU, will need to set up a subsidiary within the EU so that they can be properly overseen, and auditors will be involved in future reviews of the regulation.
The new law will force FSI companies in the EU to test the resilience of their organizations; that is, they will basically need to manage risks and use a risk governance framework to meet DORA's demands. Therefore, it is recommended that all financial industry CISOs consider working with cybersecurity vendors and partners who are fully up to date on DORA.
Further 2023 recommendations for financial services CISOs
Other, more concrete recommendations are also given for financial sector institutions planning for 2023. CISOs (Heads of Information Security) working in the financial services industry need to understand that 2023 will not be like 2022: big changes are taking place and cyber risk is increasing.
Shifting to an intervention and recovery mindset
There is an increase in ransomware, and this is a top issue for all institutions, not just financial institutions. Traditionally, the financial services industry mentality is: “No, we don't want risk.” Until now, it's all been about protection and detection. However, given the nature of cyber risk today, this approach is no longer realistic.
CISOs in the financial industry need to understand the rapidly changing threat landscape and focus on being more resilient. This means that a financial sector institution's strategy should shift from trying to avoid all risks to being able to quickly recover from an attack. This will naturally lead to investments in platforms that enable functions such as endpoint detection and response (EDR), extended detection and response (XDR), and security orchestration, automation and response (SOAR).
The risks that come with embedded finance
Another issue for CISOs in financial institutions to consider in 2023 is the rising trend of embedded finance.
What is embedded finance?
“Embedded finance is the process of integrating all financial services in one place instead of dealing with traditional institutions. It offers a safe, simple and efficient way to collect all the services a retailer can use in a single, easy-to-manage model. Financial solutions can be integrated into a business's infrastructure, facilitating access to financial services such as lending, insurance or payment transactions without directing people to third-party destinations. That means fewer apps to mess with, fewer people to deal with money, less to worry about, and less time spent keeping up with financial logistics. Interest in this industry has grown rapidly over the past few years. The US embedded finance market reached $22.5 billion in 2020 and is expected to grow tenfold to $230 billion by 2025.” (NCR, August 8, 2022)
Finance will become more prevalent in the world of 2023 and beyond. For example, consider embedded finance, where non-traditional organizations use finance products for “buy now pay later” sales. This method increases sales but also increases risk for organizations.
Embedded finance is facilitated by banking as a service (BaaS) and application programming interface (API) technologies. This method is expected to generate more than $25 billion in annual revenue for banks by 2026, and by 2025, incumbent banks will shift 25 percent of small and medium business income to incumbent channels. (Embedded Applications: New Revenue and New Risks for Banks (garp.org))
For 2023 and beyond, CISOs at FSI companies need to pay particular attention to the following:
- Organizations need to ensure they have robust cybersecurity and data protection policies, including measures to prevent data breaches and unauthorized access to sensitive information.
- Where institutions work with non-financial partners who may not have the same level of expertise or experience in financial services, they must monitor for the potential misuse of data.
- When integrating financial products and services into non-financial products or platforms, the potential for conflicts of interest should be looked at and institutions should be transparent with customers about the terms and conditions of those products and services.
- It is necessary to stay up to date on regulatory developments related to embedded finance and ensure that the organization complies with all relevant laws and regulations.
- The organization should partner with specialist firms or consider consulting with experts in the field to ensure it has the knowledge and resources to effectively manage cybersecurity and privacy risks in the context of embedded finance.
Awareness is also important because technology alone cannot achieve this. Financial institutions need to start training their employees on DevSecOps, artificial intelligence, machine learning, and API security. At this point, Fortinet emphasizes its commitment to help close the cyber skills gap and increase cyber awareness through the TAA initiative and Education Institute programs.
Update: 12/01/2023 13:20