The evolution of the technology environment and related security threats is so fast paced it often seems businesses and regulators are playing an endless game of catch-up.
This is particularly true of the financial services sector, where firms that are keen to provide the agile, flexible services customers demand are trying to do so in a sector which is the number one target for cybercrime worldwide. Customers’ money, their personal data, and the financial system itself must be protected, and regulators face the challenge of developing and enforcing a compliance framework that achieves this while still allowing financial services firms to innovate.
The past 18 months have ushered in a raft of new privacy legislation and financial sector regulation in the Asia Pacific region that aims to achieve these dual objectives, and it is now down to firms to develop their response.
A perspective shift on cybersecurity and risk management
Serious data breaches and incidents of cyber-disruption have a powerful effect in driving regulatory focus and activity. The Asia Pacific region has not been immune from large-scale incidents resulting in the exposure of millions of personal records. In particular, third-party data breaches have shone a spotlight on organisations’ safeguards and processes for managing their supply chain.
In January 2019, independent property valuation company Landmark White suffered a major breach when 137,500 customer records were compromised via a valuation platform. Customer data was later discovered for sale on the dark web. The waves of impact from this breach spread out through the financial sector, as the banks that had engaged Landmark White to conduct real estate valuations were forced to advise customers that their data had been compromised.
This and other major incidents in the region have provoked a raft of comprehensive new guidelines and regulations that are being implemented in a bid to address weaknesses in processes and accountability. The language and tone used in many of them indicate a definite perspective shift from the idea of cybersecurity as purely a technical issue towards recognising it as a risk management priority.
Regulatory activity in the region is widespread. New guidelines and recommendations have been implemented or are in the process of being developed in Australia, New Zealand, Singapore, Japan and Hong Kong. These have resulted from in-depth investigations into culture, conduct and risk management practices at key financial institutions.
Analysis of all these regulations reveals two primary themes that come through strongly. These must form the pillars of the compliance workflows that financial services firms develop in response.
Cybersecurity and breach risk management – a matter for the Board
The first theme is executive-level accountability for managing cybersecurity and overseeing risk programmes. Across the board, the new regulations and guidelines demand that cyber risk and cyber resilience are given appropriate prominence at Board level. Directors must be fully informed of evolving risks and show that they have implemented effective governance to monitor and mitigate them.
This means Boards need far more detailed understanding of the cyber risk environment than they had previously. The dynamic nature of cyber threats means Boards need accessible and measurable metrics to build a picture of the organisation’s security posture and performance over time. Directors need to understand how their company compares to peers in the sector to guarantee that they are meeting customer expectations and complying with regulations.
FS firms will need to prioritise achieving this more rigorous oversight and governance or face potential fines and regulatory action.
Homing in on third-party risk
The second dominant theme across new regulations in the Asia Pacific region is third-party risk management. Regulators have recognised that, although outsourcing business infrastructure and processes to cloud providers and other third parties offers significant customer and business benefits, it also introduces risk. They have unequivocally confirmed that responsibility for managing and mitigating that risk lies with the financial services firm.
The Monetary Authority of Singapore, in particular, is consulting on new proposals to expand its regulatory oversight of bank outsourcing arrangements. Under Section 3.0.2 of these guidelines it mandates that “the Board of directors and senior management have oversight of technology Risks.” Its new regime will require banks to conduct due diligence checks on technology partners and demonstrate that they have satisfactory safeguards and response plans in place in the event of disruption. Likewise, the Hong Kong Monetary Authority is enforcing third-party vendor risk management guidelines for FS firms.
The challenge for FS firms will be continuously monitoring the large number of third-party suppliers that they use. Historical third-party risk management solutions, based on questionnaires and interviews during vendor onboarding, will not suffice for regulators looking for a risk management programme that is fit for the fast-changing environment in which today’s businesses operate. FS firms need to know what their cybersecurity risk is today, not what it was last week, because what was a secure ecosystem last week may not be secure today.
As firms in the Asia Pacific region adapt to the new regulatory landscape there will no doubt be challenges to overcome. In recognition of this, BitSight has developed a comprehensive white paper examining how emerging regulations will impact FS firms across Asia Pacific, identifying common themes and governance requirements.
For more information, download the white paper here.