Christian Garcia is the President of the Gibraltar Bankers’ Association and also the Chief Financial & Operations Officer at Lombard Odier & Cie, Gibraltar
Everything indicates that the financial sector will continue to face cybersecurity threats, despite the significant resources already committed to this ongoing battle. The challenge persists because of the speed of technological change and the ever-increasing sophistication of the techniques used. Financial institutions currently find themselves aiming at a moving target, which substantially increases the risk they face.
The threat matrix is expanding
Threats are continuously evolving and the threat matrix is expanding. At the same time, banks and similar organisations are under pressure to enhance their product offering, normally requiring the integration of new technologies.
Balancing technological expansion with assurance over technological security is an extremely difficult task and a costly (but necessary) exercise. To further complicate matters, organisations increasingly depend on third-party vendors and specialist product suites, and so must rely on systems outside their direct control.
Reports suggest that attacks are becoming more frequent, more sophisticated and more widespread, targeting not only financial services but other sectors of any given jurisdiction. Within the banking sector, the targets include, for example, all deposit takers, payment services companies, credit card firms and providers of e-money services.
These attacks originate from a variety of groups, such as activists and organised crime units, and may come from within the jurisdiction or from abroad. Most firms, irrespective of size and line of business, experience intrusion attempts. When successful, these can lead to user account takeovers, identity theft, network disruption and the unauthorised alteration of data.
Firms will look to protect themselves by ensuring a robust IT governance framework, which will include security policies, relevant education and training, ongoing risk management, third-party assurance (by way of audit) and satisfactory monitoring and reporting. Additionally, financial institutions will implement security technology to reduce their exposure to attack, bearing in mind that no technology makes a firm immune.
Such technology normally takes the form of well-known software and hardware, including anti-virus and anti-malware software, firewalls, access control systems and intrusion prevention systems.
It is also extremely important that, where possible, data is encrypted in transit. Equally important is that the firm itself commissions regular penetration testing; many organisations do not give this task the priority it deserves.
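As an added illustration of the point about encrypting data in transit (example code written for this page, not from the author or the Association), the following Python script audits a block of configuration text for connections that would carry data unencrypted: plaintext URL schemes such as http:// or ldap://, and database connection strings that explicitly switch TLS off. The sample configuration, the scheme list and the parameter patterns are constructed for the example. Loopback addresses are reported but flagged separately, because traffic to them never leaves the host and is often an accepted exception.

```python
"""Audit configuration text for connections that would send data unencrypted."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Plaintext scheme -> encrypted alternative to suggest (constructed list).
PLAINTEXT_SCHEMES = {
    "http": "https",
    "ws": "wss",
    "ftp": "sftp or ftps",
    "telnet": "ssh",
    "ldap": "ldaps (or STARTTLS)",
    "smtp": "smtps (or STARTTLS)",
    "imap": "imaps",
    "pop3": "pop3s",
}

# Query parameters that explicitly disable TLS on common database client URLs.
TLS_OFF_PARAMS = re.compile(
    r"\b(sslmode=disable|usessl=false|ssl=false|tls=false)\b", re.IGNORECASE
)

# Anything that looks like scheme://rest, stopping at whitespace or quoting.
URL_RE = re.compile(r"\b([a-z][a-z0-9+.-]*)://[^\s'\"<>]+", re.IGNORECASE)

# Hosts whose traffic never leaves the machine; report, but mark for review.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample configuration; hostnames are assumptions, not real systems.
SAMPLE_CONFIG = """\
# constructed sample: a mixed services configuration (not from any real system)
api_base: https://api.example.test/v1
payments_callback: http://hooks.example.test/notify
metrics: http://localhost:9090/metrics
ldap_url: ldap://dc1.corp.example.test:389
db_dsn: postgres://app:s3cret@db.internal.example.test:5432/ledger?sslmode=disable
mail: smtps://mail.example.test:465
"""


@dataclass(frozen=True)
class Finding:
    line: int
    url: str
    reason: str
    loopback: bool  # True when the host is a loopback address


def find_plaintext_transports(config_text: str) -> list:
    """Return a Finding for every URL whose scheme or parameters disable encryption."""
    findings = []
    for lineno, text in enumerate(config_text.splitlines(), start=1):
        for match in URL_RE.finditer(text):
            url = match.group(0).rstrip(",;)")
            parts = urlsplit(url)
            scheme = parts.scheme.lower()
            host = (parts.hostname or "").lower()
            reason = None
            if scheme in PLAINTEXT_SCHEMES:
                reason = f"{scheme}:// is unencrypted; use {PLAINTEXT_SCHEMES[scheme]}"
            elif TLS_OFF_PARAMS.search(parts.query):
                reason = "TLS explicitly disabled in connection parameters"
            if reason:
                findings.append(Finding(lineno, url, reason, host in LOOPBACK))
    return findings


def report(config_text: str) -> list:
    """Render findings as one human-readable line each."""
    lines = []
    for f in find_plaintext_transports(config_text):
        flag = " (loopback, review)" if f.loopback else ""
        lines.append(f"line {f.line}: {f.url} -> {f.reason}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)) or "no plaintext transports found")
```

Run against the sample, the script flags the HTTP callback, the HTTP metrics endpoint (marked as loopback), the plain LDAP bind and the Postgres DSN with sslmode=disable, while the HTTPS and SMTPS entries pass. A check like this is cheap to run in a configuration repository's CI and catches the common case where encryption is available but simply not switched on.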
To be prepared, organisations in the financial sector will need to focus on long-term planning, resources permitting. This typically means an IT strategy that covers budget allocation and project planning.
This is fundamental to striking a fair balance between technological development and security assurance, and it will inevitably have a bearing on budget allocations, which are already on the increase. Additionally, the IT function will need to be an integral part of risk management, providing valuable input to the development of the firm’s risk matrix.
Knowledge exchange platforms
As an industry, we need to cooperate, possibly through knowledge exchange platforms, so that more effective risk mitigation strategies can be implemented. This would also assist smaller firms, where resources may be more limited. Ideally, these knowledge platforms should cross borders, and Gibraltar should seek to participate in international networks, working together to protect the international community from such threats.
Additionally, the Government of Gibraltar will need to reinforce the importance of cyber security and encourage information-sharing forums and specialised task forces to focus on these issues.
The Gibraltar Bankers’ Association takes this important subject very seriously and commits to working together with governments and regulators, both locally and in the home states of local subsidiaries and branches, to ensure that an appropriate framework and policies exist to mitigate the ongoing threat of cyber-attacks.