Recovery is key in cyber attack

THE financial services industry is more complex and globally interconnected than ever before. When coupled with the rise of new and innovative technologies, we are in an environment of heightened cyber risks.

The financial industry is increasingly bringing together diverse firms that range from traditional mutual funds to smaller, tech-savvy fintechs hailing from leading financial centres and innovation hubs all over the world. While this diversity can be helpful when it comes to driving innovation and creating healthy competition, the downside to such an environment is increased cybersecurity risks.

Because firms within the financial services ecosystem implement disparate cybersecurity standards, we must be mindful of gaps in cybersecurity approaches across market participants and vendors. Only then can we continue to safeguard critical systems and sensitive data.

The traditional approach to cyber defence has focused on reducing the likelihood of attack, but in today's financial ecosystem, cyber-attacks are not a question of "if" but "when". Therefore, we must expand the focus more toward resilience, to effectively and quickly detect problems and recover from them.

To build greater resilience across the industry, there is an urgent need for comprehensive, standardised guidance to enable financial organisations to make resumption decisions in a consistent manner and recover from a cyber-attack while minimising systemic consequences. With increased collaboration across the industry, we can ensure that all companies are prepared for an attack, and that they have the appropriate prevention and protection methods in place.

As Greg Medcraft, former chairman of the Australian Securities and Investments Commission, said in a speech in 2016: "There is simply no such thing as 100 per cent cyber security. As well as being focused on preventing cyber-attacks, organisations need also have strategies in how they respond to attacks when they occur, and how they recover from attacks."

Regulators in Asia take proactive stance

Australia is not alone in recognising the challenges to cybersecurity. Other regulators across the Asia Pacific region have acknowledged the need for coherent policies to manage cyber risk and are encouraging firms, large and small, to understand their own degree of vulnerability, upgrade their cyber defences, and highlight the importance of industry-wide cooperation. The CEO of the Hong Kong Securities and Futures Commission (SFC), Ashley Alder, commented, "Cyber risk management will... remain a major focus" for authorities.

The Monetary Authority of Singapore (MAS) is currently working with the Association of Banks in Singapore to develop guidelines that would define technology risks facing the financial sector, while the Hong Kong Monetary Authority launched its Cybersecurity Fortification Initiative (CFI) in 2016. The CFI is focused on a building a Cyber Resilience Assessment Framework, a professional development programme and a cyber-intelligence sharing programme.

Robust cyber resilience requires best practices & collaboration

While the industry and regulators are keenly focused on this issue, we must build upon these foundations and ensure we develop and follow best practices for cyber protection in Asia. The repercussions of a large-scale attack, without viable recovery programmes across industries and regions, could be severe. Following a meeting hosted by the World Economic Forum last year, DTCC joined Citigroup and Zurich Insurance to launch a consortium focused on improving collaboration across financial firms, to improve the level of cybersecurity across the financial industry.

The consortium is drawing up a set of cybersecurity standards that all companies can follow. By increasing coordination across the industry, we can take steps towards ensuring best practices are understood and implemented across the financial ecosystem.

In March, we released a white paper, "Large-Scale Cyber-Attacks on the Financial System", which formulates recommended new response and recovery initiatives that are urgently needed if we are to successfully limit systemic risk. Developed by consultancy Oliver Wyman, the paper advocates for building greater resilience, as even the most prepared companies cannot completely avoid cyber-attacks.

Response and recovery

So how can we best move forward and reduce this risk? The Response and Recovery initiative outlined in the recent white paper suggests collective actions that could be enacted when a large-scale cyber-attack is detected. The framework is based on a set of standardised criteria and is tailored to specific cyber-attack scenarios. The initiative includes: a definition of resumption and recovery; criteria for safe resumption of operations; agreement on appropriate timeframes for resumption and recovery; and plans for communicating with the public during a large-scale cyber-attack - all critical to the recovery process.

With the increased cybersecurity focus by major regulators in Asia and around the world, we have the potential to introduce a universal set of cybersecurity standards. By establishing a consistent and robust plan that details resumption of business decisions and clearly and concisely identifies communication methods with clients, investors and the public, firms will be able to better respond and recover from an attack.

We must all work together to achieve these initiatives not only to prevent widespread loss of confidence in the event of a cyber event but to also lower the threat of systemic risk and potential creation of a new economic crisis.

READ MORE: Editorial: Emphasis on data governance required in cyber defence