Cyber-attacks and breaches of sensitive customer data have escalated significantly in Australia in the last year.
The latest wide-scale data breach, at Latitude Financial Services in March this year, was Australia’s largest data breach in financial services (FS), with an estimated 14 million customer records exposed. It raises two rather far-reaching questions for the FS sector. Firstly, is Australia’s financial services ecosystem uniformly resilient against cybercrime? Secondly, is there an opportunity for modern banks to turn the intensifying cyber risks to their strategic advantage in emerging digital ecosystems?
Resiliency of Australia’s financial services ecosystem against cybercrime
Just over half (56%) of consumers in Australia today trust banks and financial institutions with their personal data, making them the most trusted of all the major sectors, ahead of hospitals (47%) and government (43%). This is consistent with Australian FS organisations being regarded as among the most cyber-mature organisations in our region.
Despite this, the FS sector’s threat level remains high, as these organisations are attractive targets for criminals and nation-states because of their economic importance and their large holdings of sensitive data. NAB has reported that its digital channels are attacked more than 50 million times a month. In addition, all major banks have reported significant increases in attempted data breaches since the pandemic.
Vulnerabilities due to third-party risks
While major FS players have the scale to invest in state-of-the-art cybersecurity technologies and monitoring capabilities, they are increasingly exposed to third-party (partner and vendor) security risks. CyberCX identified supply chain and third-party compromises as one of five key cyber risks for the Australian financial services sector in 2022.
Financial service provision is shifting from all-in-one operators running monolithic, proprietary, on-premise systems to an increasingly diverse and connected ecosystem of technology and commercial partners, linked via API gateways in the cloud and relying on third-party vendor services. As a result, controlling cyber risk and data security has become much harder, even for the largest FS providers. The strength of cyber defences depends on the weakest link, as the Latitude case demonstrates: the breach is believed to have originated in the systems of a major vendor used by Latitude. In practical terms, every vendor that holds or can query customer data extends the attack surface beyond the bank’s own perimeter, so the controls that matter are minimising the data shared with each party, least-privilege access at the gateway, and the ability to detect and contain a vendor compromise quickly.
As per the Reserve Bank of Australia’s (RBA) 2022 financial stability review, “although the Australian Prudential Regulation Authority directly supervises around 680 financial institutions, the financial system has around 17,000 interconnected entities, including third-party service providers. Further, many key IT services such as cloud computing and storage are provided by a small number of providers, and while their scale can help to bolster their IT security, it also contributes to a lack of substitutability and has the potential to connect financial institutions to a common vulnerability.”
Sub-scale FS providers as weakest links
The challenge of maintaining proper data protection capabilities is even more onerous for smaller providers in Australia’s FS landscape. These include tier-2 and tier-3 players (120+ banks, 130+ insurance companies and funds, 500+ non-bank lenders and investment companies), 10,000+ mortgage broker businesses, 17,000+ financial planning businesses and 800+ fintechs.
A lack of economies of scale in procuring cybersecurity solutions, accumulated technology debt and constrained investment budgets, difficulty attracting highly sought-after talent, and weaker risk governance practices all put these smaller organisations at a disadvantage when it comes to cybersecurity.
Yet tier-1 incumbents increasingly rely on smaller FS providers and share sensitive customer information with them. Two-thirds of home loans are originated via the broker channel; essential services such as KYC, identity checks and fraud detection are often run by fintechs on behalf of banks; and accredited open banking data recipients store sensitive customer information shared by incumbents. As a result, a data breach at a smaller FS player can readily spread, damaging the reputation and financial position of systemically important FS institutions and eroding trust in the broader sector.
Emerging digital ecosystems need to rethink data security
As sectoral borders fall, new digital ecosystems are emerging, centred on holistic customer needs (such as mobility, housing, commerce, health and travel) and served by closely collaborating participants. A travel ecosystem, for example, will see travel aggregator platforms, hotel chains, loyalty schemes, travel agents, banks, paytech companies, insurance providers and leisure apparel brands working together to provide seamlessly integrated customer journeys and value propositions around travel to a shared customer base.
These ecosystems will centre on rich, accurate, linked, properly governed and well-protected data assets, shared by and mutually accessible to their participants, and will depend on strong digital identity and consent management capabilities. Each ecosystem will need trusted data custodians, drawn from its participants, who can build and seamlessly operate such a data infrastructure.
Ecosystem participants are not equally equipped to be the natural guardians of customer data, nor is it economically viable to raise every participant to the highest data management standards. Economies of scale, technology and organisational capabilities, and prevailing regulatory requirements will push ecosystems to assign ecosystem-level data management, storage and security to those participants who can deliver them best at the lowest cost, in an as-a-service model.
Modern banks can turn cyber risks to their strategic advantage
Banks have a strategic opportunity to ride this wave and position themselves as the most natural data custodians in emerging digital ecosystems.
With the intensifying disintermediation of the financial services sector and the proliferation of embedded finance and the platform economy, banks will more often find themselves as participants rather than orchestrators in these ecosystems. A strong and trusted data custodian position can therefore secure banks a seat at the table and unlock a range of new data services and revenue streams, paid for by ecosystem participants or their customers.
The new era of elevated cyber-attacks forces FS incumbents to look beyond their own cyber capabilities. They need to work with regulators and industry bodies to strengthen the cyber resilience of the entire sector, both to protect their own short-term reputational and financial position and to preserve the industry’s standing as a trusted data custodian. In parallel, banks specifically should start building ecosystem propositions centred on data security and data management, to expand their future ecosystem footprint and value pools and to build a robust security defence that can withstand sustained cyber-attacks.