Digital transformation and cybersecurity: the two new challenges facing the financial sector

Digital transformation has been a decisive issue for businesses for several years now, especially when it comes to dealing with their customers. There’s no question about it – transformation and adaptation are inevitable, and the financial sector is no exception. But it’s important to remain vigilant in the face of these developments: the rise of digital technology has been marked by an increase in the risk of computer system vulnerabilities, data theft, and hacking.

According to market research company IDC, the financial sector is perfectly aware of the importance of digital transformation. This should allow the industry to improve the quality of existing products, services, and processes, and also to reduce costs.

Simplified access to services

Authorities are progressively taking steps to promote digitalization and curb the rise of cyberattacks at the same time. France, for example, enacted the ‘Digital Republic Act’ on October 7, 2016. A new regulation under this Act orders the review of the legal framework on pre-contractual and contractual relations between organizations in the financial sector and their customers. From April 2018, bank and insurance customers will be able to receive information documents or contracts digitally by default.

“Digital transformation and its related technologies such as APIs are more important for banking than for other industries. Banks and other banking and investment services organizations clearly recognize that the status quo is not sustainable, and they must disrupt themselves before it is done to them.”
Pete Redshaw, Managing VP at Gartner

Digitalization is a key factor in development, but it is also the source of many risks. In a report published in June 2016, the Bank of France said that bank directors “urgently” need to “take the full stock of cybersecurity risks and strengthen their security systems”. According to cybersecurity group Forcepoint, the financial sector is a prime target for hackers, with 300% more attacks than any other sector.

Attacks that come with a cost

Institutions hit by a cyberattack in recent years include the Central Bank of Bangladesh in February 2016 (loss of $81 million), JP Morgan Chase in June 2014 (theft of personal data of 76 million user accounts), and Tesco Bank, a subsidiary of Britain’s biggest retailer, in November 2016 (hack affecting the accounts of 40,000 customers). Recently, hackers stole 2 billion rubles (29 million euros) from accounts opened with the Russian Central Bank.

“Remote data exchanges are now at the heart of the business model for banks and insurers, as the preferred target of hackers. If cybercrime continues to rise, it’s the entire digital economy that would be at threat.”
Bernard Delas, VP of ACPR (French Prudential Supervision and Resolution Authority).

The rise in attacks has prompted financial institutions to find solutions to protect themselves. In the Bank of France report, Société Générale, another French bank, indicates that “the number of attacks targeting the group each year is between two and ten times more than the previous year.” Almost 5% of the €1.5 billion that the group will be investing in digitalization until 2020 will go to security. Banks are now investing in ways to deter hackers, providing peace of mind to their customers.

OIV security is paramount

Legislation today seeks to protect sectors that are the most important, the most vulnerable, and the most frequently targeted by hackers. If a cyberattack were to hit a large bank, a telecoms operator, or an airport, the consequences for a country could be catastrophic.

That’s why, in France, certain banks have a duty to comply with the rules imposed on Operators of Vital Importance (OIVs). Article 22 of the Military Programming Act (Loi de Programmation Militaire or LPM) requires these operators to strengthen the security of their critical IT systems. The law also provides that the banking institutions concerned need to map out their networks and compartmentalize them to prevent attacks from spreading, identify their most critical IT systems, report any incidents, and deploy tools to detect cyberattacks.

Tools needed to face the threats across Europe

The European Union is also seeking to give businesses the tools they need to face the threats. After 3 years of negotiations, the Parliament and the Council of the European Union adopted the NIS Directive on July 6, 2016. This legislation requires operators in key sectors, as well as some digital platforms, to strengthen their cybersecurity. Member States have until May 9, 2018, to transpose the legislation into their national law.

“Firms supplying essential services, [such as] energy, transport, banking and health, or digital ones will have to improve their ability to withstand cyberattacks,” the European Parliament stated in a press release.

With a view to improving cybersecurity, banks will now have to declare any attempted hacks that affect them to the European Central Bank (ECB). “We conducted a successful pilot phase in 2016. And now we will implement a long-term solution for all those banks that we directly supervise,” announced Sabine Lautenschläger, Vice-Chair of the Supervisory Board of the ECB. “This will help us to assess more objectively how many incidents there are and how cyberthreats evolve.”