Article by Alejandro Fernández-Cernuda
The world of finance and insurance is by definition conservative, risk-averse and prone to slow-motion decisions. And let’s hope it stays this way, as such features are inherent in entities whose very existence is based on societal trust.
However, this conservative approach does not prevent them from undergoing deep and challenging changes when required. Financial institutions and insurance companies have proved their capacity to reinvent themselves many times in the past and they will keep on doing it in the future, in many cases setting trends for the communities they serve.
This is why external observers should always keep an eye on their moves, because their consequences are always far-reaching.
Digital finance and the development of cyber security
The massive bet by financial institutions and insurers on online channels was one such move, and the subsequent ability of criminals to keep up with innovation created an entirely new industry – cyber security. Such is the sophistication of criminals that cyber security is now integral to how modern society functions. The operational intricacy of banks and insurance companies means that cyber security has become an extremely complex, fast-moving industry.
In the early 2000s, the initial concerns, such as perimeter protection, access control, encryption and data integrity, as well as secure channels and payment methods, were one-dimensional issues. These were addressed with the creation of increasingly specialised products and solutions, which have recently started to explore concepts such as big data and artificial intelligence with promising results.
But before long, things started becoming complicated and cyber security issues stopped being one-dimensional. There was an evolution towards the creation of complex services aimed at meeting the growing demands of regulators, peer national and international associations and standardisation bodies. This compliance pressure – which is especially challenging when it comes to finance and insurance – is behind the creation of cyber consulting services. These services meet the demands of areas such as business continuity management, critical infrastructure protection, and data leakage prevention.
The sudden financial crisis in the late 2000s brought new challenges. Now financial institutions needed to be responsive not only to cyber threats and stringent regulations, but also to social demands. This is when cyber security started to work on hacktivism, online reputation and active crisis management. In insurance, the transformation of cyber crime into a globalised industrial activity (with its own cryptocurrencies and its own internet, the so-called Dark Web), together with the social impact of country-sponsored cyber attacks such as WannaCry, boosted demand for an insurance market that could protect our citizens and businesses effectively. This market, furthermore, had to be backed by newer methodologies and approaches to obtain reliable actuarial data.
This evolution explains why Chief Information Security Officers (CISOs) have evolved from being highly qualified IT specialists to specialists who combine IT technical knowledge with new skills in regulation, communications, and even corporate cyber diplomacy and international relations.
And it is precisely in this context that a new, subtle revolution is taking place, one in which CISOs may also become social influencers.
From reaction to active influence
Financial institutions and insurance companies are gradually moving their cyber-risk focus from reaction (against specific threats and regulatory and social demands) to active influence. This is not only felt by employees and customers, but also by the societies and communities they serve.
This philosophy lies behind programmes such as CaixaBank’s InfoProtect, which is aimed at raising cyber awareness among the retail bank’s employees and their closest customers, or Barclays’ Digital Eagles, which was created in 2013 to improve the digital skills of the most vulnerable. In the world of insurance this has brought new concepts, such as the inclusion of supply chain risk in the understanding and assessment of cyber insurance policies. Other examples are the focus of insurers like JLT Brazil (now MMC) on raising awareness about the impact of cyber security on a national economy, and the work of companies such as CFC Underwriting to make the language of cyber insurance easier to understand.
In the end, this small group of key actors has recognised the futility of simply making their cyber security castles look good if the foundations are rotten and lacking in depth and stability. Or, to take another metaphor, it is impossible to reduce the incidence of cyber infections and improve your preparedness against cyber attacks if you do not work on the cyber hygiene of your environment.
And these financial institutions and insurance companies are not alone. This move towards cyber hygiene, towards finding solutions for the systemic risks of cyberspace, was one of the founding objectives of the Global Cyber Alliance (GCA), an international non-profit created by the City of London Police, the District Attorney’s Office of New York, and the Center for Internet Security in 2015. All three organisations have close ties with the world of finance and insurance, and this shows in GCA’s partnership structure and in the projects in which it is currently involved, such as its Cybersecurity Toolkit for Small Business (sponsored by Mastercard) or the Capacity-building Toolbox for Smaller Financial Institutions (coordinated by Carnegie Endowment for International Peace and supported by the WMF and Standard Chartered, among others).
GCA’s leverage in the financial and insurance sectors, its solid connections within the internet industry, and its close collaboration with governmental and cross-country agencies from the USA, the UK, France and the rest of the European Union are all signs of the security revolution that is taking place. A revolution where the public’s cyber security – limiting the spread of infection for everyone’s sake – will be the key driver. Ultimately, this subtle revolution is being led by banks and insurers.