Finance
Open source security will keep financial institutions seeing green
Published 3 weeks ago by admin
By Brian Fox, CTO, Sonatype
Do you know what’s inside the software your company uses? More importantly, does the C-Suite at your company?
If the 2022 State of Open Source in Financial Services report from FINOS was any indication, financial institutions should care about that question, especially because of the rampant spread of open source software across the sector. Open source is everywhere, not just in banking and finance, which has made it an attractive target for bad actors to carry out targeted cyberattacks against software supply chains. And in a sector with data this sensitive, that’s particularly concerning.
We saw a big wake-up call at the end of 2021 with the discovery of a critical vulnerability in the Java logging component log4j, impacting a ridiculous number of applications across many sectors. In just 72 hours, nearly 800,000 attacks were launched.
Now, to its credit, the financial sector responded a lot faster than others in the race to patch any and all software using this component. But log4j was one piece of software. And the real wake-up call, unfortunately, as the FINOS report itself points out, is that we’re going to see more exploits and vulnerabilities – whether it’s open source or not. We’re even starting to see a daisy chain-like tactic of software supply chains being exploited to trigger attacks on yet more software supply chains.
The data paints a stark picture – a 742% average annual increase in software supply chain attacks over the past three years. That is the gravity of the situation, and it should tell financial institutions it’s high time to carefully monitor the make-up of their software.
What can be done
Unfortunately, generally speaking, a lot of organisations are shockingly unaware of what that software composition looks like, which makes it tricky to track down vulnerabilities old and new.
If we return to log4j for a moment, despite the fact that we’re a year and a half out from that critical vulnerability’s discovery, development teams are still downloading the compromised version 30-40% of the time (https://www.sonatype.com/resources/log4j-vulnerability-resource-center). More broadly, 96% of the time someone downloads an open source component, there’s a safer and more up-to-date alternative they could have downloaded instead. On a granular level, there are some objectively bad decisions being made here: for example, the latest version of a software component isn’t always the best version. Software upgrades should happen consistently but also only when necessary.
This isn’t necessarily borne of neglect – many developer teams at financial institutions I’ve worked with around the world, many of which are massive in size, are inundated with having to manually audit all the open source components in the software they’re developing. And these are often spread across very disparate environments. Time is money, and when you only have so much time to spend on security audits, you can see where the issues arise.
The rub is that without better visibility, the potential damage in monetary and reputational terms could be catastrophic. A DDoS or ransomware attack would cost dearly, with IBM estimating that data breaches cost UK enterprises $3.88 million per incident on average. This doesn’t even account for the ripple effects of further financial losses incurred from losing customers or getting sued.
How organisations can approach bolstering their open source security
Sounds like we’re stuck between a rock and a hard place, right? Not necessarily…
Breaking down the silos that commonly exist between teams in banking and finance will be essential to nurturing the collaboration needed to standardise and formalise policies across different departments for implementing and upgrading software. Some financial institutions have made encouraging pledges to the Open Source Security Foundation to expand knowledge sharing surrounding open source. But generally speaking, the sector still needs a more universal approach to open source adoption and security.
One solution everyone in the industry has to get behind as a starting point for software visibility is implementing a Software Bill of Materials (SBOM). Similar to a bill of materials issued by a car manufacturer, an SBOM shows you all the parts – in this case, open source components – that make up the whole software. Using these could, in theory, help IT professionals speed up their response times to finding vulnerabilities.
I say ‘in theory’ because an SBOM doesn’t tell you where an ingredient came from, or whether that place was poisoned in the first place. And there’s also the issue of human error. Some level of automation will inevitably become more and more important – whether it’s through AI, dependency firewalls, or other tools for software composition analysis that reduce the security workload pressures on IT teams so they can focus on innovation instead. There are lots of different options on the market, as well as lots of free guidance from the likes of the Linux Foundation and OpenSSF on how to make effective use of them.
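The SBOM check described above, as an added example (not Sonatype’s code and not part of the original article): it parses a CycloneDX-style JSON SBOM, flags components whose version falls inside a known-affected range, recommends the first fixed version rather than the newest one, and lists components the SBOM records without a package URL or hash, which is exactly the provenance gap the paragraph points out. The SBOM fragment, the advisory identifiers (`EXAMPLE-ADV-…`) and the version ranges are constructed for the example; a real check would pull advisories from a vulnerability database such as OSV or the NVD.

```python
"""Audit a CycloneDX-style SBOM against a list of affected version ranges.
Added example; the SBOM and advisories below are constructed, not real data."""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Component:
    group: str
    name: str
    version: str
    purl: Optional[str] = None          # package URL: where the artefact is supposed to come from
    hashes: List[dict] = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str
    group: str
    name: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


@dataclass
class Finding:
    component: str
    version: str
    advisory_id: str
    upgrade_to: str


# Constructed SBOM fragment in the CycloneDX JSON layout. A real one comes from the build tool.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "hashes": [{"alg": "SHA-256", "content": "deadbeef-constructed-hash"}]},
    {"type": "library", "group": "com.example", "name": "payments-sdk", "version": "3.2.0",
     "purl": "pkg:maven/com.example/payments-sdk@3.2.0"},
    {"type": "library", "group": "com.example", "name": "legacy-utils", "version": "1.0.0"}
  ]
}
"""

# Constructed advisories with illustrative version ranges (not taken from a real advisory).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "org.apache.logging.log4j", "log4j-core", "2.0", "2.17.1"),
    Advisory("EXAMPLE-ADV-0002", "com.example", "payments-sdk", "3.0.0", "3.1.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering: '2.14.1' -> (2, 14, 1). Pre-release labels are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def load_components(sbom_text: str) -> List[Component]:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [
        Component(c.get("group", ""), c["name"], c["version"], c.get("purl"), c.get("hashes", []))
        for c in doc.get("components", [])
    ]


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component matches the advisory and its version lies in [introduced, fixed)."""
    if (component.group, component.name) != (adv.group, adv.name):
        return False
    v = parse_version(component.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(sbom_text: str, advisories: List[Advisory]) -> List[Finding]:
    """Every (component, advisory) hit, recommending the first fixed version, not the latest."""
    findings = []
    for comp in load_components(sbom_text):
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append(Finding(comp.name, comp.version, adv.advisory_id, adv.fixed))
    return findings


def provenance_gaps(sbom_text: str) -> List[str]:
    """Components listed without a package URL or a hash: the SBOM says what is present
    but cannot say where it came from, so these need a repository/registry check."""
    return [c.name for c in load_components(sbom_text) if not c.purl or not c.hashes]


if __name__ == "__main__":
    for f in audit(SBOM_JSON, ADVISORIES):
        print(f"{f.component} {f.version}: {f.advisory_id}, upgrade to {f.upgrade_to}")
    print("provenance gaps:", provenance_gaps(SBOM_JSON))
```

On the constructed input the audit flags only `log4j-core` (the `payments-sdk` version sits above its advisory’s fixed bound), and the provenance check reports `payments-sdk` and `legacy-utils`, which the SBOM lists without a hash or without any origin at all. That second list is the part an SBOM cannot answer by itself and is where a dependency firewall or repository manager has to step in.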
Proactively, rather than reactively, maintaining software supply chains means the sector will ultimately become safer, saving people and institutions time and money. There will be road bumps as teams initially struggle to adopt SBOMs and other tools, but the sooner this happens, the more likely it is that organisations will evade a nasty security incident that costs them and their customers a lot of money.
Can the UK government help here? It can probably do more than it realises, though there are signs it is waking up to this fact, judging from its recent call for views on software resilience for businesses. Currently, there’s simply not enough comprehensive regulation and guidance. Any regulation or legislation that does get implemented should, if anything, be as prescriptive as GDPR.
To improve open source security posture, and software hygiene more generally, we need extremely clear, uniform guidance across the board. One thing’s clear. Open source is here to stay, and as more industries enjoy its innumerable benefits, they will inevitably have to grapple with the explosive rise in increasingly complex and severe software supply chain attacks. Methodical proactiveness is the key here to staying on top of the pesky incidents that lie ahead.
Business
Enhancing cybersecurity in investment firms as new regulations come into force
Published 15 hours ago on June 2, 2023 by editorial
Christian Scott, COO/CISO at Gotham Security, an Abacus Group Company
The alternative investment industry is a prime target for cyber breaches. February’s ransomware attack on global financial software firm ION Group was a warning to the wider sector. Russia-linked LockBit Ransomware-as-a-Service (RaaS) affiliate hackers disrupted trading activities in international markets, with firms forced to fall back on expensive, inefficient, and potentially non-compliant manual reporting methods. Not only do attacks like these put critical business operations under threat, but firms also risk falling foul of regulations if they lack a sufficient incident response plan.
To ensure that firms protect client assets and keep pace with evolving challenges, the Securities and Exchange Commission (SEC) has proposed new cybersecurity requirements for registered advisors and funds. Codifying previous guidance into non-negotiable rules, these requirements will cover every aspect of the security lifecycle and the specific processes a firm implements, encompassing written policies and procedures, transparent governance records, and the timely disclosure of all material cybersecurity incidents to regulators and investors. Failure to comply with the rules could carry significant financial, legal, and national security implications.
The proposed SEC rules are expected to come into force in the coming months, following a notice and comment period. However, businesses should not drag their feet in making the necessary adjustments – the SEC has also introduced an extensive lookback period preceding the implementation of the rules, meaning that organisations should already be proving they are meeting these heightened demands.
For investment firms, regulatory developments such as these will help boost cyber resilience and client confidence in the safety of investments. However, with a clear expectation that firms should be well aligned to the requirements already, many will need to proactively step up their security oversight and strengthen their technologies, policies, end-user education, and incident response procedures. So, how can organisations prepare for enforcement and maintain compliance in a shifting regulatory landscape?
Changing demands
In today’s complex, fast-changing, and interconnected business environment, the alternative investment sector must continually take account of its evolving risk profile. Additionally, as more and more organisations shift towards distributed and flexible ways of working, traditional protection perimeters are dissolving, rendering firms more vulnerable to cyber-attack.
As such, the new SEC rules provide firms with additional instruction around very specific prescriptive requirements. Organisations need to implement and maintain robust written policies and procedures that closely align with ground-level security issues and industry best practices, such as the NIST Cybersecurity Framework. Firms must also be ready to gather and present evidence that proves they are following these watertight policies and procedures on a day-to-day basis. With much less room for ambiguity or assumption, the SEC will scrutinise security policies for detail on how a firm is dealing with cyber risks. Documentation must therefore include comprehensive coverage for business continuity planning and incident response.
As cyber risk management comes increasingly under the spotlight, firms need to ensure it is fully incorporated as a ‘business as usual’ process. This involves the continual tracking and categorisation of evolving vulnerabilities – not just from a technology perspective, but also from an administrative and physical standpoint. Regular risk assessments must include real-time threat and vulnerability management to detect, mitigate, and remediate cybersecurity risks.
Another crucial aspect of the new rules is the need to report any ‘material’ cybersecurity incidents to investors and regulators within a 48-hour timeframe – a small window for busy investment firms. Meeting this tight deadline will require firms to quickly pull data from many different sources, as the SEC will demand to know what happened, how the incident was addressed, and its specific impacts. Teams will need to be assembled well in advance, working together seamlessly to record, process, summarise, and report key information in a squeezed timeframe.
Funds and advisors will also need to provide prospective and current investors with updated disclosures on previously disclosed cybersecurity incidents over the past two fiscal years. With security leaders increasingly being held to account over lack of disclosure, failure to report incidents at board level could even be considered an act of fraud.
Keeping pace
Organisations must now take proactive steps to prepare and respond effectively to these upcoming regulatory changes. Cybersecurity policies, incident response, and continuity plans need to be written up and closely aligned with business objectives. These policies and procedures should be backed up with robust evidence that shows organisations are actually following the documentation – firms need to prove it, not just say it. Carefully thought-out policies will also provide the foundation for organisations to evolve their posture as cyber threats escalate and regulatory demands change.
Robust cybersecurity risk assessments and continuous vulnerability management must also be in place. The first stage of mitigating a cyber risk is understanding the threat – and this requires in-depth real-time insights on how the attack surface is changing. Internal and external systems should be regularly scanned, and firms must integrate third-party and vendor risk assessments to identify any potential supply chain weaknesses.
Network and cloud penetration testing is another key tenet of compliance. By imitating how an attacker would exploit a vantage point, organisations can check for any weak spots in their strategy before malicious actors attempt to gain an advantage. Due to the rise of ransomware, phishing, and other sophisticated cyber threats, social engineering testing should be conducted alongside conventional penetration testing to cover every attack vector.
It must also be remembered that security and compliance are the responsibility of every person in the organisation. End-user education is a necessity as regulations evolve, as are multi-layered training exercises. This means bringing in immersive simulations, tabletop exercises and real-world examples of security incidents to inform employees of the potential risks and the role they play in protecting the company.
To successfully navigate the SEC cybersecurity rules – and prepare for future regulatory changes – alternative investment firms must ensure that security is woven into every part of the business. They can do this by establishing robust written policies and adhering to them, conducting regular penetration testing and vulnerability scanning, and ensuring the ongoing education and training of employees.
Finance
Regulations, RegTech and CBDCs – Fintech’s Next Chapter
Published 22 hours ago on June 2, 2023 by admin
Teresa Cameron, Finance Director at Clear Junction
Over the last decade, the UK has embraced the fintech revolution with open arms. The remarkable growth and innovation in recent years has transformed the way financial services are delivered and accessed. Fintech accounts for around half of venture capital in the UK, and as we race to meet consumer demand, we’re seeing the development of new services flood the market: from digital wallets to AI chatbots, biometrics and touch IDs.
London is recognised globally as a crucial hub for fintech innovation, yet with this great power comes great responsibility. Both the FTX and SVB collapses dented trust in fintech, and this has translated into a dip in venture capital investment in the industry, which declined globally by 30%.
2022 was called fintech’s year of reckoning, but 2023 stands as the year to rebuild, and we need to recognise that regulation is not a scary word. Now is our chance to be part of the next evolution in fintech, one that will solidify it as an accredited and stable industry. By leading the charge now, we can make sure we have a say on what the future of fintech will look like.
Sustainable practices = sustainable growth
The Financial Conduct Authority (FCA) is set to implement its Consumer Duty in the upcoming months. Whereas before the FCA had broadly been reactive, this will be the first time it formally sets out regulation with a proactively structured programme.
One of the most important aspects is to make sure that financial services put the interests of their customers at the heart of their business operations. This means a higher standard of protection across the industry and providing consumers with transparent information, as well as making sure that staff are trained and held accountable.
This is a huge step to regain trust in the industry right now and help raise the bar in what we can offer consumers. Change begins from the inside and by closely working with regulators and adhering to their guidelines, fintechs in the UK can benefit from the increased trust and confidence in the digital currency ecosystem. This approach not only protects consumers and investors but also means that we can bolster the legitimacy and viability of digital currencies as an alternative to traditional financial systems.
Regtech Revolution
It’s estimated that globally $2 trillion is laundered annually, and the threat from financial criminals continues to rise as they become more sophisticated and utilise new technology, whether through payments, open banking, or crypto. This, twinned with new global regulations and increasing compliance costs, means the need for innovative solutions in the regtech industry has never been greater.
We’ve seen an explosion in AI and machine learning (ML) tech to help better protect customers, and they have completely transformed the regtech space. These technologies can be used to analyse vast amounts of data and identify patterns that may indicate fraudulent activities. The algorithms can detect anomalies, flag suspicious transactions, and continuously learn from new data to improve fraud detection capabilities over time. That’s not to say that it’s completely foolproof. Continuous monitoring, regular updates, and staying abreast of emerging fraud trends will also be crucial.
At the same time, as the regulatory landscape becomes more complex and we see new rules develop over time, this tech will help fintechs strengthen their risk management practices and maintain compliance in an efficient and cost-effective manner.
CBDCs and decentralized finance
Central bank digital currencies (CBDC) have been a hot topic of conversation, with pilot initiatives underway globally. Most recently, the European Central Bank is said to be moving to proposed legislation in the next several weeks, and here in the UK the Bank of England is also blueprinting plans for the ‘Britcoin.’
Digital currency backed by a central bank has been heralded to be a safe and stable means of payment and less volatile than crypto. However, some are concerned over privacy and anonymity surrounding a state-owned currency.
Tom Mutton, who is leading the Britcoin charge, has stated that the BoE never sought to make the digital pound anonymous, and that privacy will be a top priority. Under the Bank’s proposals, consumers would engage with the digital pound through private sector providers. With the increasing integration of digital currencies into mainstream operations, in the UK and abroad, both the government and financial institutions are showing growing interest in making sure there is a stable foundation of regulation as it develops.
Following regulations can pave the way for digital currency companies to tap into traditional banking services, which is crucial for their growth and overall success. Banks tend to be cautious about partnering with digital currency companies due to perceived risks associated with the industry. However, when these companies demonstrate compliance with regulations, it helps alleviate those concerns and makes banks more willing to collaborate.
We are at the beginning of a new age in the fintech space, and it’s an exciting place to be. We, as financial institutions, have an opportunity to help write the next chapter. It is a long road to map out ahead, but we need to look for sustainable, long-term practices because, ultimately, that equals sustainable long-term growth, and fundamentally means survival for the industry.