Financial Sector Under Threat: How Leaders can Prepare for Advanced Cyber Threats in 2022
Source: Finance Derivative
Bernard Montel, EMEA Technical Director and Cybersecurity Strategist, Tenable
Data is essential in today’s world. Because of this, businesses of all types and sizes are facing one of the most serious continuity and reputational threats of our time: cyberattacks. Cybercriminals capitalise on data, and the more private and/or personal it is, the more interest cybercriminals will show. This makes financial services a prime target for attackers, given the type of information utilised. Cyberattacks go beyond data: if an attack implicates the digital infrastructure the bank relies upon to function, it can cause system outages, which have a direct impact on the entire economy.
According to research by Tenable, at least 40,417,167,937 records were exposed worldwide in 2021, but that’s just an indication of the true number. According to the researchers, just 13% of breach disclosures analysed included information on the number of records exposed, meaning the true figure will be significantly higher. As the world of work continues to transform, and hybrid working becomes crucial for business growth, leaders must begin to think seriously about security.
The Threat of Ransomware
Ransomware has had a monumental impact on organisations in 2021, responsible for approximately 38% of all breaches analysed for the Threat Landscape Retrospective report, and up to 45% in EMEA. With the rise of ransomware globally, every organisation has been feeling the pressure; but only a few have felt the pain as much as financial institutions and financial service providers.
The most popular way attackers infect organisations is through spam and phishing emails. Some of these emails carry an attachment; others contain a link to a webpage controlled by the attackers. The goal is to get the target to open the attachment and trick the victim into enabling macros or clicking the link. This can deliver a malicious downloader, leading to the final payload, which is ransomware. Because financial institutions are where individuals and institutions place their money and trust, the consequences of a successful ransomware attack can be severe, widespread and long lasting.
Basic security principles can go a long way in blocking the attack path ransomware takes. In the majority of instances, it is a known vulnerability that allows the malware to infiltrate the infrastructure and encrypt systems. Another attack path is the exploitation of misconfigurations in Active Directory. Threat actors will use these to elevate privileges to dig deeper into the network.
The New Normal
During the pandemic, millions of financial services employees, from traders to bankers, transitioned to working remotely. A recent study conducted by Forrester revealed that 78 percent of businesses have reported that some of their staff are still working from home. Stepping into the New Year, businesses must be aware that the digitalisation of financial services and remote working are here to stay. In fact, financial institutions have the highest chance of maintaining remote and hybrid work models, since three-quarters of their employees’ time can be used productively out of the office.
In their shift to remote working, organisations have been migrating their operations to the cloud, often without enough thought given to the security implications of this shift. As businesses continue to implement remote working policies, they are simultaneously adopting cloud infrastructure and bringing in more third-party service providers. Business leaders supporting a remote workforce must be conscious of how these changes influence their security posture.
Successfully Connecting Cybersecurity and Financial Institutions
The World Economic Forum’s Global Risk Report 2022 has ranked cybersecurity as the number one risk in Great Britain and Ireland, meaning cyber risk will remain dominant amongst the areas of emergent threats in the New Year.
Attacks in the financial services industry are not a new concept and, in recent years, banks and institutions have become much more sophisticated and regulated. However, it is essential to secure external vendors and potential points of weakness, particularly through implementing audited industry best practices.
Security teams need to adopt solutions that provide appropriate visibility, security and control across the cloud and converged infrastructure. Identify the critical systems organisations rely on to function, identify any vulnerabilities that affect these systems, then take steps to either patch or remediate the risk. Also address excessive permissions in Active Directory that allow attackers to elevate privileges to further infiltrate the infrastructure.
As businesses start to truly understand their expanded attack surface, it is essential that they hold the same level of control and governance over the cloud as they would for on-premises security. In the post-COVID world, which is increasingly interconnected and digitalised, failing to do the basics means the business is vulnerable and disruption is imminent, whoever is attacking.
Unlocking the Power of Data: Revolutionising Business Success in the Financial Services Sector
Source: Finance Derivative
Suki Dhuphar, Head of EMEA, Tamr
The financial services (FS) sector operates within an immensely data-abundant landscape. But it’s well-known that many organisations in the sector struggle to make data-driven decisions because they lack access to the right data to make decisions at the right time.
As the sector strives for a data-driven approach, companies focus on democratising data, granting non-technical users the ability to work with and leverage data for informed decision-making. However, dirty data, riddled with errors and inconsistencies, can lead to flawed analytics and decision-making. Siloed data across departments like Marketing, Sales, Operations, or R&D exacerbates this issue. Breaking down these barriers is essential for effective data democratisation and achieving accurate insights for decision-making.
An antidote to dirty, disconnected data
Overcoming the challenges presented by dirty, disconnected data is not a new problem. But there are new solutions – such as shifting strategies to focus on data products – which are proven to deliver great results. But what is a data product?
Data products are high-quality, accessible datasets that organisations use to solve business challenges. Data products are comprehensive, clean, and continuously updated. They make data tangible to serve specific purposes defined by consumers and provide value because they are easy to find and use. For example, an investment firm can benefit from data products to gain insights into market trends and attract more capital. These offer a scalable solution for connecting alternative data sources, providing accurate and continuously updated views of portfolio companies. Using machine learning (ML) based technology enables the data product to adapt to new data sources, giving a firm’s partners confidence in their investment decisions.
But before companies can reap the benefits of data products, the development of a robust data product strategy is a must.
Where to begin?
Prior to embarking on a data product strategy, it is imperative to establish clear-cut objectives that align with your organisation’s overarching business goals. Taking an incremental approach enables you to make a real impact against a specific objective – such as streamlining operations to enhance cost efficiency or reshaping business portfolios to drive growth – by starting with a more manageable goal and then building upon it as the use case is proved. For companies that find themselves uncertain about where to begin their move to data products, tackling your customer data is a good place to start for some quick wins to increase the success of the customer experience programmes.
Getting a good grasp on data
Once an objective is in place, it’s time for an organisation to assess its capabilities for executing the data product strategy. To do this, you need to dig into the nitty-gritty details like where the data is, how accurate and complete it is, how often it gets updated, and how well it’s integrated across different departments. This will give a solid grasp of the actual quality of the data and help allocate resources more efficiently. At this stage, you should also think about which stakeholders from across the business, from leadership to IT, will need to be involved in the process and how.
Once that’s covered, you can start putting together a skilled team and assigning responsibilities to kick off the creation and management of a comprehensive data platform that spans all relevant departments. This process also helps spot any gaps early on, so you can focus on targeted initiatives.
Identifying the problem you will solve
Now let’s move on to the next step in our data product strategy. Here we need to identify a specific problem or challenge that is commonly faced in your organisation. It’s likely that leaders in different departments, like R&D or procurement, encounter obstacles that hinder their objectives that could be overcome with better insight and information. By defining a clear use case, you will build a real solution to a challenge they are facing rather than a data product for the sake of having data. This will be an impactful case study for your entire organisation to understand the potential benefits of data products and increase appetite for future projects.
Getting buy-in from the business
Once you have identified the problem you want to solve, you need to secure the funding, support, and resources to move the project ahead. To do that, you must present a practical roadmap that shows how you will quickly deliver value. You should also showcase how to improve it over time once the initial use case is proven.
The plan should map how you will measure success effectively with specific indicators (such as KPIs) that are closely tied to business goals. These indicators will give you a benchmark of what success looks like so you can clearly show when you’ve delivered it.
Getting the most out of your data product
Once you’ve got the green light – and the funds – it’s time to put your plan into action by creating a basic version of your data product, also known as a minimum viable data product (MVDP). By starting small and gradually enhancing it with each new release, you put yourself in good stead to encourage adoption and also (coming back to our iterative approach) to secure more resources and funding down the line.
To make the most of your data product, it’s essential to tap into the knowledge and experience of business partners as they know how to make the most of the data product and integrate it into existing workflows. Additionally, collecting feedback and using it to improve future releases will bring even more value to end users in the business and, in turn, your customers.
Unlocking the power of data (products)
It’s crucial for companies in FS to make the most of the huge amount of data they have at their disposal. It simply doesn’t make sense to leave this data untapped and not use it to solve real challenges for end users in the business and, in turn, improve the customer experience! By adopting effective strategies for data products, FS organisations can start to maximise the incredible value of their data.
How Small Businesses Can Fight Back Against Poor Payment Practices
Source: Finance Derivative
SMEs across the UK are facing a challenging economic environment and late payments pose a severe challenge to maintaining cash flow. Here, Andrea Dunlop, managing director at Access PaySuite, explores the challenges facing small and medium-sized businesses, the risks that late payments carry, and what can be done to secure timely payments, in full.
It’s estimated that UK businesses are currently owed more than £23.4bn in outstanding invoices. For all businesses, managing the outward flow of products and services with a steady incoming cash flow is a fine balance – with unexpected disruptions and complications capable of causing catastrophic problems.
Late and delayed payments have been identified as a significant challenge for SMEs – an issue that has scaled over recent years. In fact, in its latest report, the Federation for Small Businesses (FSB) stated that the UK is “almost unique in being a place where it is acceptable to pay small businesses late”.
The FSB also states that this “will remain the case without further action” and, as such, has called for government action to put a stop to these damaging trends.
Small businesses form a vital part of the economic ecosystem – in 2022, it was estimated that 99% of UK businesses were SMEs – so poor payment systems not only present a very real threat for individual businesses, but for the UK economy as a whole.
Despite this strong case for urgent action to be taken, changes to legislation can be a slow process and, in the face of ongoing economic pressure, small businesses need more immediate solutions.
Although businesses are at the mercy of their customers and clients, there are a number of actionable steps SMEs can take to increase the rate of prompt and complete payments.
The impact of late payments for SMEs
Research published by the ICAEW in Q4 2022 demonstrates that around half of invoices issued by small businesses are paid late.
More often than not, small businesses operate within a chain of regular suppliers and customers. These chains can include multiple business links, stretching across sectors and regions. As a heavily interwoven ecosystem, if one ‘link’ in the chain is damaged by late payments and unreliable cash flow, the delays can quickly escalate and create a domino effect of complications across the whole system.
With a lack of consistent income, SMEs are more likely to be prevented from paying their overheads and suppliers on time.
As late payments add up and push multiple businesses into a negative cash flow, the problem can continue to snowball.
Simply put, extended periods of unreliable and heavily reduced payments put whole supply chains of companies in very dangerous financial positions – especially as running costs remain high.
Combined, the complexities arising from late payments and the vast scale of the issue demonstrate a clear need for systemic change.
Current government action
At the end of January, the government published a review of the reporting of payment practices first introduced in 2017.
This review stated that the government is committed to “stamp[ing] out the worst kind of poor payment practices within the business community”.
The 2017 Payment Practices and Performance Regulations require all large UK companies to report publicly on their payment policies, practices and performance, to ensure accountability.
Following its review, a new consultation has been launched, seeking the opinion of business owners on current regulations – asking whether this existing policy should extend beyond its current expiry date, 6 April 2024. This consultation is part of a wider examination of payments in the UK.
Delving into issues including the emotional and psychological impact of late payments on small business owners – as well as analysing how banks and technology can help – the government’s review is a welcome development, but SMEs need to take more immediate action to strengthen their payment processes.
What can SMEs do?
With the government consultation finalising at the end of April, the future of the payment landscape in the UK will soon be made clearer – but what actions can SMEs take to immediately strengthen their payment processes?
For many SMEs, payment systems are low down the list of priorities, and the fear of disruption or additional costs can lead many to turn a blind eye to problems with their existing systems. But, with challenges around cash flow increasing, investing in a flexible and comprehensive payment system could be incredibly worthwhile.
Issuing regular invoices takes a lot of time, and when working across different clients with different payment frequencies, invoicing can lead to unnecessary complexities.
Instead, systems that enable customers to set up direct debits ensure payments are completed on a set date, reduce additional paperwork and still allow bespoke schedules for each client or customer to be arranged.
In many SMEs, missed payments can easily get lost in piles of paperwork and human error can result in problems down the line. When using digital payment systems, should a missed payment occur, automated capabilities ensure the issue is flagged, and any outstanding challenges can be resolved in a timely manner.
With payments and invoicing automatically managed in a centralised database, countless hours that would otherwise be spent on repetitive and laborious administrative work are saved.
As well as reducing the amount of staff time spent managing processes and tracking financial activity, a reliable payment system delivers benefits for customers too, and contributes towards greater service and boosting brand loyalty.
In the coming weeks and months, new government guidance should clarify legislative expectations for businesses regarding payments. But, with smart investment in specialist software solutions, our country’s vital SMEs can take the necessary safeguarding steps to boost payment security and thrive through this tough financial time.
Less than a year until EMIR Refit: how can firms prepare?
Source: Finance Derivative
Leo Labeis, CEO at REGnosys, discusses everything that financial institutions need to know about EMIR Refit and how they can prepare with Digital Regulatory Reporting (DRR).
There is now less than a year until the implementation date for the much-anticipated changes to the European Markets Infrastructure Regulation (EMIR). The amendments, which are set to go live on 29 April 2024, represent an important landmark in establishing a more globally harmonised approach to trade reporting.
Despite the fast-approaching deadline, concerns are growing around the industry’s preparedness, with a recent survey from Novatus Advisory finding that 40% of UK firms have no plans in place for the changes, for instance.
Much of the focus in 2022 was on implementation efforts for the rewrite of the Commodity Futures Trading Commission’s swaps reporting requirements (CFTC Rewrite), which went live on 5 December. Both the CFTC Rewrite and EMIR Refit are part of the same drive to standardise trade reporting globally. While EMIR Refit was originally anticipated to roll out first, implementation suffered from repeated delays to its technical specifications, in particular the new ISO 20022 format. The ISO 20022 mandate was eventually excluded from the first phase of the CFTC Rewrite, hence the earlier go-live date.
In parallel, the Digital Regulatory Reporting (DRR) programme has emerged as a key driving force in helping firms adapt to continually evolving reporting requirements. Having participated in the DRR build-up for their CFTC Rewrite preparations, how can firms leverage these efforts to comply with EMIR Refit in 2024?
The drive to standardise post-trade
To understand the new EMIR requirements, it is important to first look at the two main pillars in the global push to greater reporting harmonisation.
The first is the Committee on Payments & Market Infrastructures and International Organization of Securities Commissions’ (CPMI-IOSCO) Critical Data Elements (CDE), which were first published in 2018 to work alongside other common standards including the Unique Product Identifier (UPI) and Unique Trade Identifier (UTI). These provide harmonised definitions of data elements for authorities to use when monitoring over-the-counter (OTC) derivative transactions, allowing for improved transparency on the contents of the transaction and greater scope for the interchange of data across jurisdictions.
The second is the mandating of ISO 20022 as the internationally recognised format for reporting transaction data. Historically, trade repositories required firms to submit data in a specific format that they determined, before applying their own data transformation for consumption by the regulators. The adoption of ISO 20022 under the new EMIR requirements changes that process by shifting the responsibility from trade repositories to the reporting firm, with the aim of enhancing data quality and consistency by reducing the need for data processing.
Preparing for the new requirements with DRR
DRR is an industry-wide initiative to enable firms to interpret and implement reporting rules consistently and cost-effectively. Under the current process, reporting firms create their own reporting solution, inevitably resulting in inconsistencies and duplication of costs. DRR changes this by allowing market participants to work together to develop a standardised interpretation of the regulation and store it in a digital, openly accessible format.
Importantly, firms that are using the rewritten CFTC rules encoded in DRR will not have to build EMIR Refit from scratch. ISDA estimates that 70% of the requirements are identical across both regulations, meaning firms can leverage their work in each area and adopt a truly global strategy. DRR has already developed a library of CDE rules for the CFTC Rewrite, which can be directly re-applied to EMIR Refit. Even when those rules are applied differently between regimes, the jurisdiction-specific requirements can be encoded as variations on top of the existing CDE rule rather than in a silo.
Notably the UPI, having been excluded from the first phase of the CFTC Rewrite roll-out, is mandated for the second phase due in January 2024. DRR will integrate this requirement, as well as others such as ISO 20022, and develop a common solution that can be applied across the CFTC Rewrite and EMIR Refit.
As firms begin their own build, the industry should work together in reviewing, testing and implementing the DRR model. Maintaining the commitment of all DRR participants will strengthen the community-driven approach to building this reporting ‘best practice’ and serve as a template for future collaborative efforts.
Planning for the long-term
Although the recent CFTC Rewrite and next year’s EMIR Refit are the centre of focus for many firms, several more G20 regulatory reporting reforms are expected over the next few years. These include rewrites to the Australian Securities and Investments Commission (ASIC), Monetary Authority of Singapore (MAS) and Hong Kong Monetary Authority (HKMA) derivatives reporting regimes, amongst others.
Firms should therefore plan for the entire global regulatory reform agenda rather than prepare for each reform separately. Every dollar invested in reporting and data management will go further precisely because it is going to be spread across jurisdictions, easing budget constraints.
Looking ahead, financial institutions should establish a broad and long-term plan that learns from their CFTC Rewrite preparation and considers how DRR can be positioned in their implementation. For example, firms should ask themselves which approach to testing and implementing DRR works best: via their own internal systems or through a third party? Firms should review what worked well in their CFTC Rewrite implementation and apply successful methods to EMIR Refit. Doing so will give firms a strong foundation for future updates in the years to come.