Cyber security challenges with emerging technologies in financial services

By: Mark Morrison, Senior Vice President and Chief Security Officer, The Options Clearing Corporation (OCC) Aug 2019

At the recent WFE Technology Conference in Umea, Sweden, there was a lively panel discussion covering the cyber security challenges with implementing new and emerging technologies in the financial sector. The cyber security panel, consisting of senior security representatives from OCC, the National Stock Exchange of India, and SIX Group Services, explored how the implementation of technologies such as blockchain, Distributed Ledger Technology (DLT), Artificial Intelligence (AI), machine learning, and public cloud requires financial institutions to enhance traditional approaches for protecting information systems and data to address the operational, regulatory, and security risks introduced.

Although it is commonly acknowledged that the adoption of blockchain will improve overall financial transaction security through the ubiquitous deployment of advanced data encryption and multi-factor authentication, there remain significant cyber security risks that must be remediated. For example, blockchain is essentially a highly secure application to facilitate the exchange of financial transactions across multiple participants, but most institutions will execute the blockchain application on insecure hardware running insecure operating systems and hypervisors. It has been well documented that advanced cyber adversaries, including both cyber-criminal elements and nation states, have initiated successful attacks targeting security vulnerabilities within the system hardware and firmware. These attacks could provide the cyber adversary with access to sensitive information and allow for the unauthorised manipulation of the financial transaction data while in an unencrypted state. The cyber adversary could also exploit these security vulnerabilities to execute a denial of service attack.

Many financial institutions are applying commercially available AI and machine learning techniques to assist with quickly identifying and responding to cyber attacks impacting critical business operations, breaching corporate information systems or resulting in an unauthorised disclosure of sensitive information. By adopting machine learning in cyber defense, a financial institution can collect, synthesise and analyse large amounts of systems data looking for patterns of anomalous behavior associated with more advanced cyber attacks. Several cyber security companies have developed AI-based product lines to automate the necessary remediation responses to detected cyber attacks through the development of comprehensive security incident response and business continuity playbooks. As the sophistication of the cyber adversaries increases, financial institutions must adopt new technologies and processes to detect and respond to a wide variety of cyber-based attacks.

Another emerging technology discussed in depth by the WFE Cyber Security panel at the conference was the security implications for financial institutions planning to migrate business operations and functionality to public and/or private cloud instances. The panel members identified several areas for financial institutions to consider when adopting cloud technology, such as the importance of defining the cloud architecture (e.g., Infrastructure as a Service, Software as a Service) so that the appropriate security controls are implemented. Other factors to consider include developing an understanding of where applications will execute and how data will be processed and stored; defining user identity and access management controls; logging and review of system activity; securing containers within virtual private cloud instances; and establishing communications with the financial regulators so they understand the cloud security strategy.

The panel also identified several initiatives, including the development and coordination across the WFE membership of security standards consistent with the various regional regulatory obligations, published cyber security frameworks (e.g., NIST/CSF, COBIT, ISO 2700), and financial sector organisations such as FS-ISAC. Another potential initiative, identified during the panel's question and answer segment with the audience, was how the WFE membership can achieve cyber resiliency – both as individual institutions and as an overall sector.