Cybersecurity for Financial Services: Readiness, Response and Remediation
July 22, 2021
Cyber incidents at large global companies are on the rise, as is the extent of the damage to the business. The rapid shift to digital in the pandemic has only increased the exposure and likelihood of an attack. Financial services companies are particularly attractive targets. Each financial institution needs to address its vulnerabilities now, before a cyber-attack occurs.
This virtual roundtable gathered executives from leading financial institutions to discuss their strategies for preventing and recovering from a cyber-attack. They discussed their data architecture, cyber resiliency plans, and organizational as well as technological preparedness.
Alissa Abdullah, Deputy Chief Security Officer & SVP, Emerging Corporate Security Solutions, Mastercard
Sri Dronamraju, SVP and Chief Information Security Officer, BMO Financial Group
Adam Evans, VP Cyber Operations & Chief Information Security Officer, RBC
Corey Hamilton, Partner, IBM Security Services – Global Financial Services Security
Assaf Keren, VP, Enterprise Cyber Security, PayPal
George Rettas, MD – Global Head of Cyber Security Operations, MUFG Union Bank
Daniele Tonella, Chief Digital and Information Officer ad interim, UniCredit
Matthieu Vaillant, Chief Information Security Officer, BNP Paribas
Moderator: Mandeep Singh, CFA, Senior Analyst – Technology, Bloomberg Intelligence
Here’s what they had to say:
Corey Hamilton, Partner, IBM Security Services – Global Financial Services Security, began the event by highlighting the role of new technology in cybersecurity. “It’s no longer just the enterprise. It’s an ecosystem of customers, products, partners, and vendors,” he said. “How we protect them has changed. Hybrid and multi-cloud environments are becoming the norm, along with a data-rich environment that requires AI machine learning to rapidly analyze and produce insights to really inform our critical business risk decisions.”
Before companies can think about how to protect their data, however, Daniele Tonella, Chief Digital and Information Officer ad interim, UniCredit, said they have to understand who has access to it. “Identity becomes a very big part of who’s getting access to that data, tying policies to the data, and how will you allow it to move through the enterprise or leave the enterprise,” he said. “Then there’s an education piece I think that’s critical, whether it be customer awareness or employee awareness, understanding that we are creating data exhaust as an organization or as an individual.”
Assaf Keren, VP, Enterprise Cyber Security, PayPal, said security isn’t enough, though. “It’s not just about the security controls that you have around data assets. It’s also about our partners that manage data assets across the organizations and teams that are nearing the end of the customers of that data and working together to create proper diversification, data inventory and data lineage, and then having that more holistic view across the environment,” he said.
Cyber professionals know “security is everybody’s responsibility,” said Matthieu Vaillant, Chief Information Security Officer, BNP Paribas. But he agreed with other panelists that it has to become central at every level of an organization — often including vendors and customers. “Given the ecosystem, which is becoming increasingly complex, we need everybody to be part of this activity,” he added. “Now we are at a point where even the business users have a role to play.”
Asked about managing high trading volumes across borders, Alissa Abdullah, Deputy Chief Security Officer & SVP, Emerging Corporate Security Solutions, Mastercard, said she favors a holistic approach that examines data from both ends. “We really have to look at it from an entire enterprise architecture approach,” she said. “Just to not boil the ocean, which is, I think sometimes a lot of what technologists tend to do because we have so much in our purview, we take the opportunity to really look at scorecards. We look at an outside-in and an inside-out approach.”
Sri Dronamraju, SVP and Chief Information Security Officer, BMO Financial Group, said professionals should also match security structures to the kind of data they’re aiming to protect. “I think the key aspect here is as a security professional, how do I provide the guardrails to technology in such a way that the guardrails are implemented correctly for the right classification of data moving into the cloud?” he said. “So different layers with different classifications will probably have different sets of guardrails for protecting the data.”
As corporations shifted to remote work during the pandemic, data security became more complex and more important than ever. George Rettas, MD – Global Head of Cyber Security Operations, MUFG Union Bank, said this has led to a trend of “innovation centers” where businesses can generate and test new security ideas. “Some of these new technologies might not work in some of these environments because they have traditional architectures that aren’t compatible with these new products,” he said. “I think in terms of implementing some of these products, it’s really these innovation centers that have become very instrumental in making sure that you’re picking the right product.”
Adam Evans, VP Cyber Operations & Chief Information Security Officer, RBC, said the heightened importance of data security has also increased the pace of new solutions. He said companies should respond to that faster clip by finding a consistent security workflow. “I think architecture plays a large role in defining patterns that you can then start to adopt. And that helps you with a rapid deployment of security capabilities,” he said. “Going from an enterprise architectural pattern to solution architecture, to engineering, and then deployment, that allows you to organize the conversation, set the priorities, figure out the use cases and then start to move.”
At the end of the event, the panelists revisited recent prominent data breaches like the SolarWinds hack. Tonella said that “everyone may at some point fall victim of being impacted by a breach or being a participant in a breach. And so what keeps me up at night is our people, whether it’s our staff, whether it’s our customers, whether it’s other businesses, my peers, it’s making sure we have a security minded culture.”