How is technology helping financial services organisations to deal with risky business?


Tom Deprins tells us about the evolving risk landscape in the financial services industry and how Microsoft is helping firms to comply with regulation and defend themselves against increasingly sophisticated threats

Alice Chambers


Chief risk officers at financial services firms – who traditionally focused on credit, market and operational risk – are now most concerned about non-financial risks. EY surveyed senior risk executives from 86 banks across 37 countries for the 13th annual EY/IIF global bank risk management survey and found that cybersecurity is, by a large margin, the risk they will pay most attention to in the immediate term. It was cited as a top-five risk by 73 per cent of respondents, compared to 36 per cent for the two next-highest ranked risks: implementation of regulatory rules and operational resilience.

EY describes cybersecurity risk as “a portfolio of multiple risks, including different forms of ransomware attacks, expanding activity by state-sponsored bad actors and the risks associated with ecosystems, generative artificial intelligence and other third-party relationships”. This complexity in cyber risk management has also seen regulators increasing their scrutiny of cybersecurity.

“Regulators are increasingly focusing on non-financial threat scenarios such as failures of critical providers and major cybersecurity threats which can cause systemic impacts to the financial system,” says Tom Deprins, global compliance director for the financial services industry at Microsoft.

This has resulted in a new wave of regulatory attention, including the Digital Operational Resilience Act (DORA) in Europe, the Financial Stability Board (FSB) toolkit for enhancing third-party risk management and oversight, the Bank of England’s Consultation Paper 26/23: Operational resilience: Critical third parties to the UK financial sector and the US Department of Treasury’s report on The Financial Services Sector’s Adoption of Cloud Services.

“The new regulations highlight the increasing importance of cloud providers to the financial sector and propose measures to manage associated risks that can vary by region,” says Deprins. “Some of these new regulations are particularly impactful to Microsoft because they introduce direct oversight over Microsoft as a cloud provider by financial services regulators, which is new. Europe and the UK are prime examples.”

DORA, for example, also applies to critical third parties that provide IT-related services to the financial services sector such as through cloud platforms, professional services and data analytics. The regulation aims to set uniform requirements for business continuity of all financial entities in the European Union. It mandates that all participants in the financial system, including banking, insurance and capital market providers, have the necessary safeguards in place to mitigate cyberattacks and other risks such as supplier failure, service deterioration and concentration risk.

Third-party risk

“Traditionally, financial institutions primarily focused on financial risk management, treating third-party risk management as a component of operational risk management,” says Deprins. “Yet today, strengthening operational resilience has become a board-level discussion. Prominent outages of third-party suppliers and widespread cybersecurity incidents can have severe impacts on businesses.”

Deprins references the 2020 SolarWinds supply chain attack as a high-profile example of third-party risk. More than 18,000 of the technology firm’s customers were affected by the installation of malicious updates to their Orion systems.

“The SolarWinds supply chain attack was a clear illustration of how a single provider’s security shortcomings affected a multitude of firms, which further fuelled increasing regulatory concerns over concentration risk,” he says. “Concentration risk refers to the dependency upon a critical third-party provider to a financial institution where the failure of this provider could ultimately lead to failures that extend beyond a financial institution’s risk tolerances.”

This risk is not new. But the onset of cloud has brought the topic new attention.

“It is often difficult to remove concentration entirely, and fundamentally financial services organisations must try to either reduce or remove concentration itself, or they must assess each underlying risk if removing the concentration is either not possible or not desirable,” says Deprins. “At Microsoft, we support various deployment models to address this with products such as Microsoft Azure Arc and Microsoft Edge for hybrid or multi-cloud environments.”

The World Bank, for example, connected approximately 25 per cent of its SQL Server estate to Azure Arc to centralise its systems in 2023 and hopes to expand that to 75 per cent by the end of 2024. With employees across more than 170 countries and 130 locations, the bank’s IT team is now able to manage its complex backend of multiple cloud providers.

“We wanted to implement Azure Arc so we could utilise all the features and manage all our on-premises and cloud servers, including the AWS ones, from one location,” says Chandra Kala Macha, an information officer at World Bank. “With Azure Arc, we can manage everything at the operating level and on the SQL Server side as well – all from a single pane of glass. It’s made a huge difference in our efficiency.”

[Image: The World Bank is using Microsoft Azure Arc to centralise its systems across more than 170 countries]

Fighting fire with fire

Being compliant with cybersecurity regulations isn’t necessarily enough, though.

“Financial services regulations such as DORA seem to focus on cyber efforts around incident reporting and threat-led penetration testing, which is a variation of more traditional penetration tests where an extra process step is introduced to identify real-life threat scenarios making these tests ultimately more effective,” says Deprins. “This all helps to become genuinely secure, but the reality is that attacks are becoming increasingly more sophisticated by using the latest available technologies like generative AI. To combat this, financial services organisations must step up their defences, which requires innovation and very strong, integrated architecture for threat monitoring across the entire environment and even across entire ecosystems.”

The Voice of SecOps 2023 report by Microsoft partner Deep Instinct found that 85 per cent of security professionals attribute the rise in security attacks to bad actors using generative AI. But cloud-based solutions play a key role in identifying threat actors, according to Deprins.

“Microsoft is in a unique position managing millions of mailboxes and one of the largest infrastructure clouds allowing us to identify threat actors very early on by intelligently analysing trillions of signals on our cloud or suspicious events,” he says. “At the scale we operate, we have no choice other than to rely heavily upon AI capabilities to do this.”

Microsoft does this by leveraging its partnership with OpenAI, bringing to life an AI assistant that uses generative AI to help identify new threat actors early on and to make attackers and their techniques known to the world so they can be stopped everywhere.

Global insurance firm WTW is already using Microsoft Purview, Defender for Endpoint and Defender for Cloud to protect its 55,000 workstations and more than 300 subscriptions across its workforce, having worked with Microsoft Intelligent Security Association member BlueVoyant. It now plans to use the AI tools in Microsoft Copilot for Security across the whole organisation to increase security productivity.

“The threat hunting capabilities in Security Copilot will greatly accelerate the way that our internal threat hunting team develops and understands incidents as they unfold,” says Paul Haywood, group chief information security officer at WTW.

[Image: BlueVoyant helped WTW to implement Microsoft Purview and Defender to protect its 55,000 workstations]

Over half (57 per cent) of financial services organisations rely on multiple cloud service providers, according to the Cloud Security Alliance, and the same pattern extends to security vendors.

“With multiple vendors, it is harder for a firm to get an integrated view on its threat landscape or to identify and correlate different signals associated with an ongoing attack,” says Deprins. “Azure Sentinel, Defender for Cloud and Security Copilot are just a few of the products in our security stack that can offer best-in-class security for financial firms across their entire environment. Microsoft XDR for instance is a service that complements these by stopping attacks and coordinating responses across many assets with extended detection and response that is integrated into Microsoft 365 and Azure.”

Staying on track

“Managing compliance can indeed be very challenging, especially for global firms in a context where there are constant updates to regulations and new guidelines being introduced,” says Deprins.

To help its customers with this, Microsoft has created free Compliance Checklists in its Service Trust Portal that detail local regulations and suggest best practices for compliance in 50 different countries. Customers can also use Microsoft Purview Compliance Manager to monitor regulatory compliance and reduce risk against hundreds of customisable frameworks, standards and templates. The tool gives users a score for their current level of data protection, identifies key areas for improvement and prioritises recommended actions based on their impact on risk.

“Purview Compliance Manager allows for very detailed risk and compliance assessments across the entire stack,” says Deprins. “This is made visible through a Compliance Dashboard and Compliance Score and with this tool even multi-cloud compliance is supported which takes things to the next level.”

Organisations can also use Microsoft’s topic-based quick assessments, available through its free learning resources, to understand how to manage risk thematically and benefit from both first-party and third-party compliance services through the Compliance Program for Microsoft Cloud.

“Through a number of listening systems and direct engagement with compliance stakeholders both in the financial services industry and at the side of the regulators, Microsoft has been deeply engaged for over 10 years in our mission to specifically enable financial firms to be able to use our cloud services in the most secure and compliant way,” says Deprins. “Through these engagements we get to assess regulations and new requirements early on which allows us to work with engineering and legal teams to ensure these are also built into our products. A good example of this would be how the GDPR privacy regulation in Europe has led us to deliver on the EU Data Boundary project, meaning that we engaged on a multi-year journey to store and process data within the EU meeting the needs of our European customers.

“The solution for operational resilience is to take a comprehensive, risk-based and outcomes-focused approach that starts from the critical parts of the business and covers topics such as ensuring high reliability, testing business continuity, strengthening cybersecurity and managing concentration risk across the whole environment including third-party suppliers. Microsoft’s tools and solutions aim to do just that.”

Partner perspectives

We asked selected Microsoft partners how they are using Microsoft technology to help financial services organisations better manage risk and compliance.

“The financial services industry is recognised as the most breached sector, with threats outside the organisation and internally through employee devices,” says Mark Eastman, head of global cloud alliances at Check Point Software Technologies. “Check Point Infinity’s consolidated architecture enables adherence to strict standards of governance and compliance that customers demand to protect personal data and assets.”

“Financial institutions face critical challenges in data governance, security, compliance and identity management,” says Madhan Kartikeyan Anbalagan, delivery manager and head of AI for the Microsoft Practice department at Infosys. “Microsoft’s AI-powered solutions like Purview, Azure Cognitive Services, and Azure Machine Learning offer intelligent data discovery, cataloguing and anomaly detection for governance. AI enables advanced threat detection, fraud prevention and automated vulnerability scanning for security.”

Read more from these partners in the Summer 2024 issue of Technology Record.


©2024 Tudor Rose. All Rights Reserved. Technology Record is published by Tudor Rose with the support and guidance of Microsoft.