Are capital markets more secure than payments?
Capital markets, and the financial sector in general, are among the most attractive targets for cyber criminals, particularly those who are seeking financial gain.
As banks, we must recognise this fact and ensure that we protect ourselves and our clients from cyber-attacks – this is increasingly expected of us by financial regulators, and there are many regulatory initiatives that are designed to help financial institutions to fight cyber-crime.
Societe Generale and many of our peers follow the Framework for Improving Critical Infrastructure Cybersecurity developed by the US National Institute of Standards and Technology (NIST). The core of the Framework provides a set of activities to achieve specific cybersecurity outcomes, divided into five phases: Identify, Detect, Protect, Respond, and Recover. The Identify phase requires organisations to identify the business and assets that could be at stake in an attack. Detect involves monitoring and detection of events. Firms must ensure that if their systems detect an activity such as payment or security movement that triggers a control, that transaction is set apart for investigation. Protect covers control of access to systems and awareness of data protection. Respond will cover how firms respond to events, including how they mitigate risk or fight back. Finally, Recovery is about ensuring resilience and having the ability to restore any capabilities or services that were impaired due to a cybersecurity event. In the EU, two important directives are related to cyber security: the EU Directive on Security of Network and Information Systems (NIS Directive) and the General Data Protection Regulation (GDPR). The latter is particularly important because of the heavy fines that will be imposed if a bank fails to protect the personal data of its customers. Complying with these various regulatory initiatives requires significant investment on the part of banks.
Capital markets operate more complex infrastructures than those of payment markets. For cyber criminals that are motivated solely by financial gain, the payment markets represent a faster route to the cash itself. To enter the capital markets and misappropriate assets or contracts is a more complex undertaking. This doesn’t mean that the capital markets are safe from cyber-attack. Because of their complexity, fraudulent asset or contract operation might be more difficult to detect and to trace than fraudulent payments. In Securities Services operations, we apply higher principles of protection than those applied in the payment markets.
Cyber security should be viewed in the same way as any protection that banks provide to their clients. Societe Generale has been a bank for more than 150 years, and the protection of our clients’ assets has been a principle since our inception. Security is in our DNA as a bank. Although the financial sector is coming under increasing attack from cyber criminals, it is also one of the most protected industries. In any case, each time cyber attack levels up, new countermeasures should be set up.
In an environment that is focused on competition, capital markets firms are working together on cyber security, meeting and sharing best practices. It is very important for all of us to reassure our clients that we can work together to protect their assets and create an effective defence against cyber criminals.
Head of Coverage
Digitalisation in the securities industry is continuing as firms seek to mitigate operational risks and become more efficient and agile. While we are doing this, cyber criminals are becoming more sophisticated, so firms must be very careful to protect themselves from attack. By introducing automation, capital markets firms must ensure that they don’t insert any vulnerability to attack. For example, many securities firms are introducing robotic process automation (RPA), which removes the operational risk of manual errors. But there is a potential risk of cyber-attack via the RPA. The use of data lakes, which help firms to become more agile and leverage their data more effectively, could also introduce a vulnerability in being a single source of all the data a firm holds.
In entering the digital era, firms should understand that this potentially implies risks that we previously did not face. To mitigate these risks, firms must follow initiatives such as NIST’s Framework and other regulatory requirements. Cyber security must be tackled at the inception of any new product or service.
Another potential source of vulnerability are third parties, as capital markets firms increasingly collaborate with them to develop digital services. Cyber security must be built into vendor management so that firms ensure they are not introducing a weak link into any processes. Vendors must follow the same cyber security principles as the institution itself.