Cybersecurity gaps pose risks and rewards

Regulatory scrutiny of banks' data protection systems has created opportunities for cybersecurity consultants and a potential market for cyber risk insurance.

Lawmakers and regulators in Asia have stepped up scrutiny of cybersecurity threats, boosting the hiring market for consultants.

“Banks are definitely increasing their expenditure,” Paul O’Rourke, cybersecurity leader for Asia Pacific Ernst & Young, said. “In some areas of cybersecurity, because it is in such demand, it is becoming increasingly hard to acquire and to retain resources. It is a very hot market for skilled practitioners.”

Some banks are looking to recruit younger, tech savvy staff. “Banks need to be constantly hiring young people who are better and sharper and more skilled in this area than prior generations because these are new technologies”, said Citi’s CEO for Asia Pacific Stephen Bird.

The cybersecurity threat is real. Standard Chartered found itself in the cross hairs of Singapore’s regulator last year when bank statements belonging to 647 private wealth clients were stolen from a server at its printing company Fuji Xerox. While there were no breaches in the bank’s infrastructure, all the same, the UK-headquartered bank was still held liable. Singapore’s regulator Monetary Authority of Singapore (MAS) last year said it took “supervisory actions” against Standard Chartered but did not disclose the details of its actions.

Shortly after Standard Chartered’s client data was stolen, MAS warned that the cybersecurity risks faced by banks were on the rise. “Globally, financial institutions (FIs) have been facing an increasing number and variety of cyber threats,” it said in a statement. “MAS takes a serious view of such threats and has stringent requirements in place for FIs to protect the security of their IT systems and confidentiality of their client data.”

Regulators are increasing their scrutiny not just of banks but also, increasingly, of third parties with access to confidential data. “It’s no longer just about the banks themselves, it’s also about suppliers, subcontractors, [and] third parties outside the bank who have access to that data,” said Jack Jia, a partner at Ernst & Young, now known as EY, who investigates fraud. “They would [also] look at how the third party would manage the data privacy aspect.”

Jack Jia EY

In September, MAS issued a consultation paper inviting views on outsourcing and proposed a minimum standard for outsourcing arrangements. “Under the new MAS requirements, a bank would need to do a lot more before entering into contractual outsourcing arrangements with a vendor,” said Kenneth Wong, a partner at PwC who advises clients on cybersecurity needs.

Lawmakers and regulators have also tightened data protection laws. In Hong Kong, the ordinance for data protection was amended in April 2013, introducing tighter restrictions on the use of personal data for direct marketing. Meanwhile, the Hong Kong Monetary Authority in October last year issued a circular to banks and other institutions with enhanced requirements for data protection.

“It’s a double risk for banks because they are going to suffer at the hands of the regulator and at the hands of the laws relating to personal data,” said Paul Haswell, a partner at law firm Pinsent Masons who advises banks on data protection.

Global effort

Given the global nature of cyber attacks, industry bodies such as the Asia Securities Industry & Financial Markets Association (Asifma), which promotes the development of capital markets in Asia, says that there is a need for more cross-border co-ordination.

“We view this as a global issue. Financial markets are global and many of our member firms are global,” Rebecca Terner Lentchner, head of policy and regulatory affairs at Asifma told FinanceAsia. “We need better cross-border co-ordination among regulators. In Asia, regulators are strengthening the regulatory frameworks to provide a robust system to best prosecute these new and constantly changing threats and provide financial system oversight locally, regionally and globally,” she said.

Consultants say that Asia could see growth in cyber risk insurance, which is more prevalent in the US. “People are more worried about how they mitigate the risk now. One of the areas of growth in the US, which I think will be here in Asia eventually, is cyber risk insurance,” said Pinsent Masons’ Haswell.

Despite the growing attention being paid to cybersecurity by Asian banks, consultants say more work could be done to ensure they are better protected compared with banks elsewhere in the world.

“A big proportion of the regional banks haven’t thought about putting sufficient investments into cybersecurity,” said PwC’s Wong. “From an Asia Pacific perspective, we are probably behind the US. There is still a gap between this part of the world and the US.”

However, given the risks, consultants say they are increasingly being brought into discussions with CEOs and board members to address cyber threats. “It becomes very personal when your job is on the line,” Bryce Boyland chief technology officer for Asia Pacific at cybersecurity firm FireEye told FinanceAsia. “Increasingly, what we used to see as a technology issue has become a board level risk issue for businesses.”

¬ Haymarket Media Limited. All rights reserved.
Share our publication on social media
Share our publication on social media