
WHY RANSOMWARE READINESS IN THE FINANCE SECTOR IS CRITICAL

Source: Finance Derivative

By Piers Wilson, Head of Product Management at Huntsman Security

Ransomware attacks have been making headlines recently. From AXA to CNA Financial, no part of the finance sector is impervious to the risks. For many organisations, initial worries focus on the logistics and the cost of a ransom, however, the wider damage and costs increasingly relate to rectification, revenue loss and reputational damage. Attacks, such as in the Kaseya case, have also shown the increasing risks that “trusted” service providers and 3rd party supply chain participants can bring – multiplier effects that can quickly impact one million endpoints, with a ransom set at US$70m.

The network effect in the financial services sector benefits all stakeholders – from institutions to consumers. The increase in shared data and services, however, compounds the risks of successful cyber attacks. And, as we have seen with the impact of ransomware on pipelines and even food processors, the impact on organisations, and individuals, of being locked out of systems is huge. If customers cannot access funds or transact with service providers across the supply chain, anxiety and costs can escalate and commercial reputations quickly trashed.

An easy way out?

Businesses might have once seen the payment of a ransom as a potential ‘quick fix’ to the problem of ransomware attacks. This option, however, is now likely to become a thing of the past as bans on ransom payments are being contemplated in France and in the US by the SEC and OFAC. In Australia, there are calls for mandatory notifications of ransom payments by ransomware victims.

Finance sector organisations also need to consider that even when ransoms are paid, the decryption process and returning to business as usual can be so slow that reinstating operations from their own internal backups and security safeguards can be achieved in the same time. As the scale of attacks and disruption of those impacted by supply chain ransomware attacks escalates, the message is increasingly that time is of the essence. If you can’t trust the decryption key from an attacker, then you are best advised to invest your time and effort in reconstructing, reconfiguring and securing your IT systems and services from the ground up so as to be confident in their integrity.

Despite the possibility that the payment of ransoms will become unlawful, cyber insurance will remain an effective tool for organisations to fund the process of getting back up and running quickly and reducing disruption. Insurers are demanding that prior to issuing a cyber policy, organisations must now show evidence of their having adequate cyber security controls in place. In fact, growing ransomware threats make it likely that insurance premiums will increase even further, so getting verifiable cyber risk management capabilities in place is likely to move even further up the list of board priorities.

A challenging environment

The financial sector also faces some other more particular challenges. Many financial institutions hold vast amounts of personal data, whether on accounts, transactions, users or reports. Complicating this is open banking legislation, like PSD2 in the UK/EU and CDR in Australia, which requires that the process of customer-approved sharing of personal data is easy and accessible. These rights for consumers to have their personal information held and transmitted between financial sector participants will necessarily redistribute the responsibilities for cyber security in the sector and, as a result, increase the levels of cyber security risk during this period of adjustment to a changing environment.

The financial services sector is already – and indeed, always has been – an attractive target for criminals at all levels. The requirement that customers have greater control over access to their data adds the requirement for a whole new level of ransomware readiness. Organisations could face anything from disgruntled employees, to fraud, to criminal ransomware attacks seeking to enable the wholesale theft of personal data. The stakes couldn’t be higher; so what can the sector do to protect itself?

Preparing for ransomware attacks

Putting in place anti-virus software and network defences – alongside the rise of endpoint detection and response – can certainly help manage attacks. But these solutions rely on detecting malicious activity in the first place. What if your endpoint or network solution misses the attack, without warning? Do you have visibility into what’s happening? Are there other controls in place that can mitigate the threat? Are they monitored and managed as part of an IT risk management program?

More attention must be given to preventing or at least limiting successful ransomware attacks before they do serious damage. Getting the basic cyber security controls in place and working to protect recognised threat vectors really pays dividends, as these are precisely the weaknesses that ransomware attackers are likely to exploit.

There are three areas to focus on. The first two are the prevention of any initial infection and containment or limitation of the spread if one does occur. These strategies need to be coupled to a third, recovery, which ensures systems and data can be restored and an incident can be successfully managed. The core principles of effective risk management apply – identify and triage the risks and manage them accordingly.

There are some key safeguards organisations can adopt to support each of these elements:

Prevention

  • Application control – ensuring only approved software can run on a computer system, securing systems by limiting what they can execute.
  • Application patching – applications must be regularly updated to prevent intruders using known vulnerabilities in software.
  • Macro security – checking that macro and document settings are correctly configured to prevent the activation of malicious code.
  • Harden user applications and browsers – use effective security policies to limit user access to active content and web code.
  • Firewalls/perimeter – and even physical on-site security – limit user access outbound and remote connections inbound.
  • Staff awareness – while not a technical control, building a “cyber culture” and a better understanding by staff of cyber security, the threats and mitigation strategies that can minimise cyber attacks, is vital.

Containment

  • Restrict administrative privileges – limit admin privileges by allowing only those staff needing to access systems to do so, and then solely for specified purposes and within controlled access.
  • Operating system patching – fully patched operating systems will significantly reduce the likelihood of malware or ransomware spreading across the network from system to system.
  • Multi-factor authentication – used to manage user access to highly sensitive accounts and systems (including remote users).
  • Endpoint protection – install anti-virus software and keep it updated.

Recovery

  • Regular backups – secure data and system backups off-site and test your recovery processes.
  • Incident response – in planning for a worst-case scenario, make sure everyone is well versed in the incident management playbook.

Gaining assurance in controls

Businesses must make sure they are monitoring their security controls to ensure that they are working effectively. If one control is ineffective, the IT teams need to know quickly to mitigate any shortcomings and reinstate an adequate cyber posture. A “cyber security culture” that ensures these risks are a board level issue will improve overall corporate ransomware preparedness.

The board should receive reports that provide clear visibility of these controls, and leverage these KPIs as part of their cyber security risk management process. They can be used as part of a continuous cyber security improvement program. Being able to monitor readiness and assess the risk of attack provides early warning defence and confirmation that cyber security risk management processes are in hand.
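As an added example (not code from the article or from Huntsman Security), the check below scores a constructed telemetry snapshot against each safeguard in the prevention, containment and recovery lists above and produces the per-layer KPIs and action list that the assurance section describes; the thresholds and telemetry field names are assumptions.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not figures from the article).
MAX_PATCH_AGE_DAYS = 14
MAX_AV_SIGNATURE_AGE_DAYS = 2
MAX_BACKUP_TEST_AGE_DAYS = 30
MAX_IR_EXERCISE_AGE_DAYS = 180
MIN_TRAINING_COMPLETION = 0.9

# One rule per safeguard in the article: (layer, control, telemetry keys, test).
RULES = [
    ("prevention", "Application control", ("allowlist_enforced",),
     lambda s: s["allowlist_enforced"]),
    ("prevention", "Application patching", ("oldest_app_patch_age_days",),
     lambda s: s["oldest_app_patch_age_days"] <= MAX_PATCH_AGE_DAYS),
    ("prevention", "Macro security", ("internet_macros_blocked",),
     lambda s: s["internet_macros_blocked"]),
    ("prevention", "Harden user applications and browsers", ("active_content_restricted",),
     lambda s: s["active_content_restricted"]),
    ("prevention", "Firewalls/perimeter", ("egress_filtered", "inbound_remote_restricted"),
     lambda s: s["egress_filtered"] and s["inbound_remote_restricted"]),
    ("prevention", "Staff awareness", ("training_completion",),
     lambda s: s["training_completion"] >= MIN_TRAINING_COMPLETION),
    ("containment", "Restrict administrative privileges",
     ("standing_admin_accounts", "approved_admin_accounts"),
     lambda s: s["standing_admin_accounts"] <= s["approved_admin_accounts"]),
    ("containment", "Operating system patching", ("oldest_os_patch_age_days",),
     lambda s: s["oldest_os_patch_age_days"] <= MAX_PATCH_AGE_DAYS),
    ("containment", "Multi-factor authentication", ("mfa_coverage_privileged_remote",),
     lambda s: s["mfa_coverage_privileged_remote"] >= 1.0),
    ("containment", "Endpoint protection", ("av_signature_age_days",),
     lambda s: s["av_signature_age_days"] <= MAX_AV_SIGNATURE_AGE_DAYS),
    ("recovery", "Regular backups", ("offsite_backup", "backup_restore_test_age_days"),
     lambda s: s["offsite_backup"]
     and s["backup_restore_test_age_days"] <= MAX_BACKUP_TEST_AGE_DAYS),
    ("recovery", "Incident response", ("ir_exercise_age_days",),
     lambda s: s["ir_exercise_age_days"] <= MAX_IR_EXERCISE_AGE_DAYS),
]


@dataclass(frozen=True)
class ControlResult:
    layer: str       # "prevention", "containment" or "recovery"
    name: str
    effective: bool
    detail: str      # the measurements behind the verdict


def assess_controls(snapshot):
    """Judge every safeguard against one telemetry snapshot."""
    return [ControlResult(layer, name, bool(test(snapshot)),
                          ", ".join(f"{k}={snapshot[k]}" for k in keys))
            for layer, name, keys, test in RULES]


def layer_kpis(results):
    """Board KPI per layer: (effective controls, total controls)."""
    kpis = {}
    for r in results:
        ok, total = kpis.get(r.layer, (0, 0))
        kpis[r.layer] = (ok + int(r.effective), total + 1)
    return kpis


def layers_without_coverage(results):
    """Layers where no complementary control is left standing: highest risk."""
    return sorted(layer for layer, (ok, _) in layer_kpis(results).items() if ok == 0)


def board_report(results):
    """Plain-text summary for the board: KPIs first, then actions for IT."""
    lines = [f"{layer:<12} {ok}/{total} controls effective"
             for layer, (ok, total) in layer_kpis(results).items()]
    lines += [f"  ACTION {r.layer}/{r.name}: {r.detail}"
              for r in results if not r.effective]
    return "\n".join(lines)


# Constructed snapshot (not real telemetry) of an illustrative bank estate.
SAMPLE_SNAPSHOT = {
    "allowlist_enforced": True, "internet_macros_blocked": True,
    "active_content_restricted": True, "egress_filtered": True,
    "inbound_remote_restricted": True, "training_completion": 0.94,
    "oldest_app_patch_age_days": 45,         # a browser plugin left unpatched
    "standing_admin_accounts": 12, "approved_admin_accounts": 8,   # 4 unapproved
    "oldest_os_patch_age_days": 9, "av_signature_age_days": 1,
    "mfa_coverage_privileged_remote": 0.85,  # some remote users still password-only
    "offsite_backup": True, "backup_restore_test_age_days": 31,    # test overdue
    "ir_exercise_age_days": 139,
}
```

Running `print(board_report(assess_controls(SAMPLE_SNAPSHOT)))` lists 5/6, 2/4 and 1/2 effective controls for the three layers and four ACTION lines; an empty result from `layers_without_coverage` is the confirmation that at least one complementary control still stands in every layer.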

Summary

The financial services sector faces many challenges when it comes to putting in place comprehensive cyber security risk management practices. If a bank or insurer was affected by a significant ransomware attack, the wider implications on the economy could be significant. Recent fuel shortages resulting from the Colonial Pipeline incident gave us a glimpse of the resulting widespread public panic and concern. It was reminiscent of the run on Northern Rock bank branches in the UK in 2007, at the start of the financial crisis. It doesn’t take much to imagine the level of public panic that would ensue if a massive ransomware attack locked consumers out from accessing their funds.

Organisations in the sector must have comprehensive cyber defences and controls, backed up by regular monitoring to make sure they are working effectively, and ensure that if one control fails to identify or prevent an attack, other complementary controls are operational and able to limit its impact.

That way the risk of a successful attack can be minimised, and organisations can maintain effective IT governance to better prevent costly disruption to their systems, operations and reputations.


Resilient technology is the most important factor for successful online banking services

Source: Finance Derivative

By James McCarthy, Director of Solutions Engineering, NS1

More than 90 percent of people in the UK use online banking, according to Statista, and of these, over a quarter have opened an account with a digital-only bank. It makes sense. Digital services, along with security, are critical features that consumers now expect from their banks as a way to support their busy on-the-go lifestyles.

The frequency of cash transactions is dropping as contactless and card payments rise and the key to this is convenience. It is faster and easier for customers to use digitally-enabled services than traditional over-the-counter facilities, cheques, and cash. The Covid pandemic, which encouraged people to abandon cash, only accelerated a trend that was already picking up speed in the UK.

But as bank branches close—4865 by April of 2022 and a further 226 scheduled to close by the end of the year, Which? research found—banks are under pressure to ensure their online and mobile services are always available. Not only does this keep customers satisfied and loyal, but it is also vital for compliance and regulatory purposes.

Unfortunately, their ability to keep services online is often compromised. In June and July of this year alone, major banks including Barclays, Halifax, Lloyds, TSB, Nationwide, Santander, and Monzo, at various times, locked customers out of their accounts due to outages, leaving them unable to access their mobile banking apps, transfer funds, or view their balances. According to The Mirror, Downdetector, a website which tracks outages, showed over 1500 service failures were reported in one day as a result of problems at NatWest.

These incidents do not go unnoticed. Customers are quick to amplify their criticism on social media, drawing negative attention for the bank involved, and eroding not just consumer trust, but the trust of other stakeholders in the business. Trading banks leave themselves open to significant losses in transactions if their systems go down due to an outage, even for a few seconds.

There are a multitude of reasons for banking services to fail. The majority of internet-based banking outages occur because the bank’s own internal systems fail. This can be as a result of transferring customer data from legacy platforms which might involve switching off parts of the network. It can also be because they rely on cloud providers to deliver their services and the provider experiences an outage. The Bank of England has said that a quarter of major banks and a third of payment activity is hosted on the public cloud.

There are, however, steps that banks and other financial institutions can take to prevent outages and ensure as close to 100% uptime as possible for banking services.

Building resiliency strategies

If we assume that outages are inevitable, which all banks should, the best solution to managing risk is to embrace infrastructure resiliency strategies. One method is to adopt a multi-cloud and multi-CDN (content delivery network) approach, which means utilising services from a variety of providers. This will ensure that if one fails, another one can be deployed, eliminating the single point of failure that renders systems and services out of action. If the financial institution uses a secondary provider—such as when international banking services are being provided across multiple locations—the agreement must include an assurance that the bank’s applications will operate if the primary provider goes down.

This process of building resiliency in layers is further strengthened if banks have observability of application delivery performance, and it is beneficial for them to invest in tools that allow them to quickly transfer from one cloud service provider or CDN to another if it fails to perform against expectations.

Automating against human error

Banks that are further down the digital transformation route should consider the impact of human error on outage incidents and opt for network automation. This will enable systems to communicate seamlessly, giving banks operational agility and stability across the entire IT environment. They can start with a single network source of truth, which allows automation tools to gather all the data they need to optimise resource usage and puts banks in full control of their networks. In addition, it will signal to regulators that the bank is taking its provisioning of infrastructure very seriously.

Dynamic steering

Despite evidence to the contrary, downtime in banking should never be acceptable, and IT teams can make use of specialist tools that allow them to dynamically steer their online traffic more easily. It is not unusual for a DNS (domain name system) failure to be the root cause of an outage, given its importance in the tech stack, so putting in place a secondary DNS network, or multiple DNS systems with separate infrastructures, will allow for rerouting of traffic. Teams will then have the power to establish steering policies and change capacity thresholds, so that an influx of activity, or a resource failure, will not affect the smooth running of their online services. If they utilise monitoring and observability features, they will have the data they need to make decisions based on the real-time experiences of end users and identify repeated issues that can be rectified.

Banks are some way into their transformation journeys, and building reputations based on the digital services that they offer. It is essential that they deploy resilient technology that allows them to scale and deliver, regardless of whether the cloud providers they use experience outages, or an internal human error is made, or the online demands of customers suddenly and simultaneously peak. Modern technology will not only speed up the services they provide, but it will also arm them with the resilience they need to compare favourably in the competition stakes.


Digital Banking – a hedge against uncertainty?

Source: Finance Derivative

Ankit Shah, Head of Digital Banking, Apex Group

The story of the 2020s thus far is one of crisis. First the world was plunged into a global pandemic which saw the locking down of people and economies across the world. Now we deal with the inevitable economic consequences as currencies devalue and inflation bites. This has been compounded by Russia’s invasion of Ukraine and subsequent energy politics.

And the outlook remains uncertain. Tensions continue to build between China and Taiwan and inflationary conditions are forecast to continue well into 2023. This uncertainty is impacting everyone, and every sector. And finance is no exception with effects being felt everywhere from commodity and FX markets to global supply chains.

But it’s not all doom and gloom. Rollercoaster markets and an ever-evolving geopolitical situation have made 2022 a tricky year so far, but, despite the challenges, digital banking has proven resilient. In fact, the adoption of digital banking services has continued to grow over the last few years, and is predicted to continue.

So, what are the forces driving this resilience?

In an increasingly digital world and economy, digital banking comes with some advantages baked in, which have seen the sector continue to succeed despite the tumult in the wider world. In fact, the crises which have shaped the decade so far may even have been to the advantage of digital banking. Just as during the pandemic, technologies which could facilitate remote working saw a huge uptick in users, so too digital banking is well suited to a world where both people and institutions demand the convenience that online banking services offer.

And while uptake of digital banking services is widespread amongst retail consumers, a trend likely to continue as digital first generations like Gen Z become an ever-greater proportion of the consumer market, uptake amongst corporate and institutional customers has been slower. This is largely down to a lack of fintech businesses serving the more complex needs of the institutional market, but, in a post-Covid world of hybrid working business, corporate clients are looking for the same ease of use and geographic freedom in their banking that is enjoyed by retail consumers.

This is not just a pipe dream – with the recent roll out of Apex Group’s Digital Banking services, institutions can enjoy the kind of multi-currency, cloud-based banking solutions, with 24/7 account access that many of us take for granted when it comes to our personal banking.

Staying compliant

One significant difference between retail and business accounts however, for banking service providers, is the relative levels of compliance which are needed. While compliance is crucial in the delivery of all financial services, running compliance on multi-million pound transactions between international businesses brings with it a level of complexity that an individual buying goods and services online doesn’t.

For digital banking services providers, this situation is further compounded by guidance earlier this year from HM Treasury – against the backdrop of the Russia-Ukraine conflict – requiring enhanced levels of compliance and due diligence when it comes to doing business with “a high-risk third country or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country or with a sanctioned individual.”

So, can digital banks meet these standards while also providing institutions with the kind of easily accessible, mobile service which retail customers enjoy?

The answer is yes and again, once initial hurdles are overcome, digital banking brings with it features which give it the edge over traditional banking services. Paperless processes, for example, mean greater transparency and allow for better and more efficient use of data. This means AI can be employed to search documents, as well as provide verification. It also means compliance processes, often notoriously complicated, become easier to track. Indeed, digitising time-intensive manual processes means the risk of human error in the compliance process is reduced.

Digital banking can also better integrate transaction monitoring tools, helping businesses identify fraud and irregularity more quickly. This can be hugely important, especially in the times of heightened risk we find ourselves in, where falling foul of a sanctions regime could have significant legal, financial and reputational consequences.

Cross-border business

Our world is increasingly globalised, and so is business. For corporate and institutional banking customers, being able to operate seamlessly across borders is key to the operation of their business.

This brings with it challenges, which are again compounded by difficult geopolitical and economic circumstances. In recent weeks for example, we’ve seen significant flux on FX markets which can have real consequences for businesses or institutional investors who are buying and selling assets in multiple currencies and jurisdictions. The ability to move quickly then, and transact in a currency of choice, is vital. Advanced digital banking platforms can help – offering automated money market fund sweeps in multiple core currencies to help their clients optimise their investment returns and effectively manage liquidity.

Control admin uncertainty

In times of uncertainty, digital banking can provide additional comfort via customisable multi-level payment approvals to enhance control of what is being paid out of business accounts, with custom limits available for different users or members of a team. Transparency and accountability are also essential, with corporate clients requiring fully integrated digital reporting and statements and instant visibility with transaction cost and balances updated in real-time.

Outlook

For some, the perception remains that digital banking is the upstart industry trying to offer the services that the traditional banking industry has built itself upon. Increasingly however, the reality is that the pressure is on traditional banks to try and stake a claim to some of the territory being taken by digital first financial services.

With a whole range of features built in which make them well suited to business in a digital world, digital banking is on a growth trajectory. Until now, much of the focus has been upon the roll-out of services to retail consumers, but with features such as automated compliance, effortless international transactions and powerful AI coming as standard for many digital banks, the digital offering to the corporate world looks increasingly attractive.


Anyone Can Become an R&D Tax Expert with the Right Foundations

Source: Finance Derivative

Ian Cashin is a Customer Success Manager at Fintech company and R&D tax software provider WhisperClaims

For accounting firms, R&D tax credits offer a substantial opportunity to boost revenue and strengthen client relationships. According to Ian Cashin, Customer Success Manager at WhisperClaims, perceived complexities can be overcome with the right approach and support. Indeed, by embracing a few simple practices, any company can become an expert in R&D tax.

Building Confidence

Growing revenue through new business is far more challenging than unlocking revenue from an existing client base. However, a significant number of accounting firms are losing out on value-added opportunities as a result of their lack of confidence or knowledge in R&D tax relief.

Yet, advisors who follow best practice are now in an ideal position to use their extensive client knowledge to mitigate their clients’ risk of and potential exposure to interrogation over fraudulent claims, ahead of HMRC’s introduction of more stringent R&D tax processes in April 2023.

So why are firms reluctant? There is no doubt that the R&D tax credit procedure is different. Compared to other areas of tax regulation, it leaves greater room for interpretation. But it is readily understandable by a qualified accountant – even an unqualified trainee. Understanding what HMRC considers to fall under the scope of research and development is key. Astrophysicists and Formula 1 manufacturers are not the only people who employ science and technology to overcome business challenges. Every day, UK firms of all sizes engage in R&D activities, from civil engineers to food manufacturers, yet far too many have not yet filed claims, losing out on critical cash.

The most important thing to keep in mind is that, as an accountant, you already have a far deeper relationship with your client compared to any other service provider. Once you have raised your level of understanding, you are in the perfect position to optimise this.

Leveraging Insight

Accountants already have a unique understanding of their clients’ operations – insight which, as professional advisors, will help to highlight companies most likely to qualify for an R&D tax rebate. Furthermore, with access to tools like R&D tax claim preparation technology, developed by R&D tax professionals, they are able to significantly speed up the process. This technology enables accountants to easily determine the top targets within their client base, indicating where to focus the efforts of their emerging R&D tax service.

Using this priority list in conjunction with their understanding of the criteria HMRC stipulates, an accountant can leverage their client knowledge and relationship to engage in a conversation regarding daily R&D activities and unlock potential tax relief opportunities.

Moreover, facilitated by a specialist R&D tax claims preparation platform, accountants can be assured of a structured process that prompts the right questions to ask clients during these conversations, and highlights answers that are either in sync with, or fall outside of, the HMRC parameters. For instance, a restaurant owner adding vegan alternatives to the menu is not on the same level as a food producer starting the development and manufacturing of a fully plant-based product line. The latter will undoubtedly be eligible for R&D tax assistance, but not the former. Accountants should use their position as “professional advisors” in this situation to push back against clients, especially those who may have previously been unwittingly misled.

Best Practices

For the last twenty years, since the introduction of R&D tax rebates in 2001, best practice has been the provision of a detailed report, complementary to the CT600 form, to mitigate the chance of HMRC asking supplementary questions. The technical purpose of the claim as well as the business context must be covered in this report, e.g. the challenges faced; how science and technology were used to overcome these; and the professionals employed who overcame them. Simply put, if the challenges weren’t difficult to solve, it wasn’t R&D.

It’s also critical to keep in mind that R&D claims cannot simply be copied and pasted from year to year. R&D is not necessarily a constant; demand for it changes in line with the evolution of the business’ activity or stage of development.

The accountant’s already solid client relationship and interpersonal abilities come into their own in such situations. Particularly if the appropriate course of action is to suggest that the client should not submit an R&D claim, an accountant must feel comfortable advising the client accordingly. The claim belongs to the client; if it is contested, the client will be the one facing an HMRC investigation. An advisor must be self-assured enough to refuse to input erroneous claims without endangering the client relationship.

Conclusion

Recent years have seen accountancy firms strengthen their position as dependable, trusted business advisors. Discussions regarding a business owner’s long-term objectives, succession and exit plans, as well as pensions and investments, have become commonplace. It should be natural to include R&D tax in these conversations. Asking a customer about their investment in R&D should be a common practice – business as usual – just as it is to inquire about investment in infrastructure or buildings.

The only thing preventing accountants from successfully adding R&D tax to their suite of services is a lack of confidence. Yet, any reservations can be addressed with a straightforward ‘back to basics’ R&D training course, as well as using technology to gain access to a completely new revenue stream with their current clientele. Now that HMRC is openly calling for a much more rigorous, trusted, and evidence-based approach to R&D tax from 2023, accountants hold all the cards they need to gain confidence and give clients the trusted service they desire.


Copyright © 2021 Futures Parity.