HOW THE FINANCIAL SECTOR CAN PREPARE FOR THE NEW AGE OF RESILIENCE

Richard Harmon, VP & Global Head of Financial Services at Red Hat.


The EU’s new DORA legislation is ushering in strict rules on technology use. Businesses should embrace it as a new way to unlock innovation.

Ever since the 2008 global financial crisis, governments and regulators have been on a mission to build integrity and resilience back into their banking and financial systems.

In the EU, DORA (Digital Operational Resilience Act) is the latest effort. Due to be passed in March 2022, it will mandate that financial organisations ensure the resilience of all the technologies in their stack. Liability is a key tenet—if you run it, then you have responsibility for it, goes the new rule. That brings third-party systems and applications into the arena of an organisation’s accountability. It’s not just big banks that will be under the spotlight. DORA will apply to all sorts of financial businesses, from credit and payment providers to investment and insurance firms; cryptocurrency exchanges to crowdfunding platforms.


Outside the EU, regulators are ready to follow suit. In the UK, the Bank of England has requested policy powers to assess, and if necessary intervene in, banks’ migrations to cloud hyperscalers. The Federal Reserve, Congress and other policy leaders in the US have started to explore whether regulators there are properly set up to address cloud concentration risk exposures. In Singapore, Hong Kong and Australia, banks are now required (to varying degrees) to conduct due diligence checks on technology partners to demonstrate that they have satisfactory safeguards and response plans in place in the event of a disruption.

DORA (and whatever may follow) comes at a time when many institutions are adding complexity, and so risk, to their technology supply chain. The undeniable benefits of cloud are likely to prompt more mission-critical workloads to head there. These workloads attract more profound security considerations, and new vendors are sought that can protect these core systems. So too are partners that can modernize legacy platforms and applications, and power the digital innovations that leave customers happy and the competition behind.

The result is a hyper-connected finance sector. Organisations now access a vast array of third-party data and technology services from the same public cloud servers and data centers. If one organisation is vulnerable, it may impact everyone else. The Federal Reserve estimates that an attack on any one of the five most active banks in the US could spill over to impact 38% of the national financial network. The subsequent liquidity hoarding and forgone payment activity could reach more than 2.5 times daily GDP.

In 2020, the global finance sector reported 1,188 security incidents and data breaches, around 3.4% of the all-industry figure. Victims have included some of the biggest names in finance. The Equifax breach of 2017 saw hackers steal the credit card numbers of over 209,000 customers. It cost Equifax up to $700 million in fines, and the jobs of its CEO, CIO and CSO. A 2019 attack on Capital One resulted in 80,000 bank accounts being compromised in the US and one million Canadian social insurance numbers being leaked. Most recently, $613 million in crypto tokens was stolen from the Poly Network platform by hackers. Security hacking has become professionalised, and nation-states sponsor some of the most effective operations.

This all points to the need for a more community-minded approach. Make resilience and security a team effort rather than a lone pursuit, since financial systems no longer exist in isolation. If institutions pull down their walls of secrecy, there can be a holistic view of how everything is stitched together, benefiting the whole ecosystem. The ‘single pane of glass’ solution that has become the established practice in SecOps must now be the ambition for the sector as a whole. Accept that, and the logical next steps are a sector-wide strategy; collective selection, procurement and deployment of shared solutions; and coordinated attack prevention and remediation teams and processes.

At Red Hat, we are trying to kickstart this collaborative spirit. Working with some proxy data and partner organizations, we are mapping how the global financial sector is connected technologically and then running simulations to show how a system failure or attack in one place could play out. The aim is to understand what types of critical financial infrastructure and applications are most impacted by a bank’s cloud deployment strategy, predict contagion trigger points that might yield systemic risk events, and quantify impacts on the overall economy. Regulators, banks and cloud providers alike can benefit from these insights. These are the same modelling principles that have helped virologists predict the path of COVID-19.

Having spent almost two decades working with financial institutions, I know what a cultural shift this open collaboration can be. So, let’s also consider how organisations can build resilience by looking inwards.

Intuitively perhaps, going all-in with one cloud hyperscaler may seem like the best option. One vendor, one suite of systems, fewer points of vulnerability—right? Not quite. Dedication to one player can leave you exposed to their whims and errors. It should be worrying then that at present the market is highly concentrated, with a 2020 survey by the Bank of England finding that almost three-quarters of banks, and an even greater proportion of insurance firms, are served by the same two cloud infrastructure providers. That feels inconsistent with the 98% of financial firms that are following an open source strategy, as reported by Red Hat in The State of Enterprise Open Source. A driver of that is containerization; the same report found that 75% say they plan to increase their use of containers in the next 12 months. Doing so will help make them more secure and resilient. A container platform can provide the standards and oversight to secure multiple best-in-class cloud vendors, as well as the application portability to keep future options open.

Make resilience and innovation partners, rather than opposing forces. Take an approach that is genuinely holistic, with security baked-in to the DNA of the ecosystem, rather than added as an afterthought, and you have innovation with resilience.
