In our series “Expert Talks” we are discussing important cybersecurity issues with industry experts. Today, the focus is on the financial and payment industry, and we are sitting down with Todor Kunev to explore the topic of cybersecurity for all organisations that operate in those fields.
Todor is a cybersecurity leader with significant experience and an enviable reputation. During his years of professional career, he has developed cyber security control frameworks to serve the needs of heavily regulated leading Banking, Insurance, and Commercial entities.
What are the cybersecurity risks in the financial and payment industry?
The financial industry is very broad and includes several large areas that differ from each other:
- payment industry;
- insurance industry;
- banking;
- finance.
In recent years, fintech has become another big field that can be added to the list above. The organisations that operate in these highly regulated sectors store valuable information about their clients, such as:
- personal data;
- financial data;
- health records (for insurance companies).
In recent years, cyber attacks on the financial sector have gone through the roof. For example, securitymagazine.com cites a report from Trend Micro on ransomware, according to which ransomware attacks on the banking industry alone increased by 1,318%. However, this is not the only threat out there.
“Since the beginning of 2021, there have been some major cyber-attacks on financial institutions. Only in January, there were some attempts to target big names in the financial and payments industry like PayPal, American Express, and The Reserve Bank of New Zealand. From my experience, the 5 biggest cyber threats for the financial industry are:
- Malware;
- Ransomware;
- Cyber attacks through 3rd party vendors;
- DDoS attacks;
- In-house threats.
The financial industry is very attractive to hackers. And this will not change any time soon,” said Todor Kunev.
Regulations and compliance in the financial and payment industry
The financial sector is subject to many regulations and compliance standards. Some are specific to particular industries. In the USA, for example, insurance companies fall under several different acts, such as:
- Health Insurance Portability and Accountability Act (HIPAA) – for healthcare data;
- Gramm–Leach–Bliley Act (GLBA) – for financial data;
- Sarbanes–Oxley Act (SOX) – for financial data.
“Some regulations are valid for specific places where financial organisations operate. Others are valid for all and are mandatory. Such are PCI DSS for all businesses that handle card transactions, and the SWIFT CSP for financial institutions that are SWIFT members. On the other hand, there is ISO 27001. It is not mandatory, but it is widely adopted,” Mr Kunev added.
It is important to note that failure to maintain compliance and to implement the required cybersecurity measures can result in heavy fines and reputational damage.
What lies behind the abbreviations?
Each of the widely adopted standards helps financial institutions in its own way. Payment Card Industry Data Security Standard (PCI DSS), SWIFT CSP, and ISO/IEC 27001 can be considered the three pillars of cybersecurity compliance and certification for financial institutions. They help in several areas including, but not limited to, the following.

PCI DSS:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Regularly monitor and test networks.

SWIFT CSP:
- Restrict internet access and protect critical systems;
- Manage vulnerabilities;
- Physically secure the environment;
- Prevent compromise of credentials;
- Manage identities and segregate privileges;
- Detect anomalous activity;
- Plan for incident response.

ISO/IEC 27001:
- Establish the context, scope, and objectives;
- Establish a management framework;
- Conduct a risk assessment;
- Implement controls to mitigate risks;
- Conduct an internal audit;
- Measure, monitor, and review;
- Conduct training.
“Cybersecurity threats change and evolve. And so must change the approach that organisations in the financial and payment industry have in addressing those threats. Maintaining compliance is great and much needed. However, it is only the base for establishing their 360-degree cyber defense,” outlined Todor Kunev.
The financial and payment sector is attracting more and more new players, such as the many startup companies with innovative solutions. For all of them, security comes before everything else: if you don’t invest in it, you are going to pay the price later.