Procurement Strategies to Enhance Cybersecurity in the BFSI Sector

The global scale of recent cyberattacks and their wide-reaching impact have elevated cybersecurity to a key focus area for many industries, and more so in the Banking, Financial Services and Insurance (BFSI) sector. For financial institutions, the greatest threat cyberattacks pose is to innovation. They threaten not only return on investments, but also have the potential to destabilize the social frameworks that foster innovation, that is, theft protection, privacy laws, etc.

The annual cost of cybercrime to the global economy is $575 billion, estimates a study conducted by McAfee and the American think tank, Center for Strategic and International Studies. This figure will continue to rise as more and more businesses move their functions online, and the world — individuals, businesses, governments — gets increasingly dependent on computing software and the cloud in their day-to-day lives.

WHAT MAKES BFSI INSTITUTIONS SO VULNERABLE?

Financial institutions are arguably the most vulnerable to cybercrime primarily because of the ease of monetization of financial assets. They are 300 times more likely to fall prey to cybersecurity attacks than any other industry, according to Forbes.

As financial institutions move more and more core areas of their businesses online, the most susceptible are young banks, fintech companies and crypto exchange groups that have not put in place advanced security infrastructure, making it easy for hackers to break in, gain access to millions of accounts, consumers’ personal information, as well as innovation and intellectual properties. Information is the easiest to convert into profit, which incentivizes hackers to take the considerable risks involved in cybercrime.

Financial institutions are at the nexus of global economic activity, and financial giants have worldwide presence. This exposes them to multimodal attacks — through ATMs, mobile banking software and point-of-sale terminals — in high-risk geographical territories. These attacks have the potential to cripple entire networks, businesses and economies.

MOBILE BANKING: THE PERIL OF CONVENIENCE

As the world opts for the convenience of smartphones to perform any imaginable task, banks and financial institutions have also entered cyberspace via mobile banking, providing access and functionalities through apps and web-based applications. By making such information available on the internet, however, they have also created new vulnerabilities that they must address to guard themselves and their customers against fraud and theft, both of assets and identities.

With laws such as the GDPR (the General Data Protection Regulation requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU states) guarding citizen and consumer privacy, damages from cyberattacks don’t end at immediate monetary loss and IP theft but extend to legal and regulatory violations that can rack up to 4% of a company’s global revenue¹.

Mobile banking platforms expose banks to three layers of attack: the physical device and the software/systems it hosts (phones, laptops, tablets, browsers, operating systems, apps); the network the device is connected to (Wi-Fi networks); and the server (servers and data centers) the device is using. According to mobile security firm NowSecure’s report on Secure Mobile Development Best Practices, the average mobile device connects to over 160 unique IP addresses daily and 35% of the communications it sends are unencrypted. The report also estimates that 43% of mobile users do not secure their devices with passcode, PIN or pattern lock, and that one in four mobile apps features at least one high-risk security flaw.

The vulnerabilities inherent in data storage, insecure authentication and code tampering increase pressure on the banking sector to invest as much in cybersecurity and data management solutions as it does in its mobile platforms.

THIRD-PARTY SOLUTIONS: A VULNERABLE SUPPLY CHAIN

Research conducted by the Harvard Business Review shows that in 2017, 60% of cyberattacks on publicly traded U.S. firms were launched through the IT systems of their suppliers or other third parties, such as contractors.

In the past, hackers have gained entry into large systems in banks as well as in other sectors by attacking their software providers. The Bangladesh Bank cyber heist, as it has come to be known, was conducted through a shared banking system, SWIFT network, and is a prime example of risks associated with third parties. As per BitSight’s Security Ratings report, hackers used stolen credentials that supposedly originated from Bangladesh’s central bank to send money transfer requests to New York’s Federal Reserve Bank. The requests were sent over SWIFT and instructed that funds be transferred from Bangladesh Bank’s accounts at the Fed to various recipients across several countries. The attackers are believed to have installed malware at Bangladesh Bank that prevented the SWIFT system from working properly and sending alerts regarding suspicious transactions and also blocked the Fed’s inquiries into the transactions from getting through. As a result, the Fed processed transactions worth around $81 million.

The SWIFT system connects numerous banks across the world and could have had disastrous ripple effects in the global banking sector. The attack exposes the immature security systems of third-party providers and the vulnerabilities of shared banking systems, and highlights the urgent need for banks and other financial institutions to seriously consider third-party risk management. Banking security programs should not only meet regulatory requirements but exceed them, taking into account the latest threat intelligence. Vendor security and operational assessments must be expanded to include third and fourth parties that have access to sensitive information.

CYBERSECURITY AND PROCUREMENT

As organizations race toward digital transformation and invest in cloud and connected devices, IT security concerns are rising. Procurement is uniquely positioned to play a proactive role in ensuring that new technologies — often deployed outside of IT — are secure and aligned with overarching IT security standards and practices. Cyberattacks do not always come knocking at the front door, and often occur because of security weaknesses in the lower levels of the supply chain, as a result of internal or external data security lapses. Procurement can play a role in both areas to help limit these attacks.

INTERNAL FACTORS

The BYOD (Bring Your Own Device) model has made the fight against cybercrimes more complex. IT and procurement teams need to work closely to ensure there’s a tight frontline of cybersecurity; both teams should meet frequently to monitor systems, review any instances of cyberthreat and discuss potential threats. It is ideal for organizations to establish a business- wide minimum standard on data security (such as ISO270001) and frequently update the organizational cybersecurity policy based on attacks to the firm or its competitors.

EXTERNAL ISSUES

While companies may retain critical functions in-house, there are some capabilities that are outsourced to firms that specialize in them, such as the development of core banking platform, advisory services, tax and audit services, among other areas. “Over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties,” states an article titled “Purchasing Managers Have a Lead Role to Play in Cyber Defense” in the Harvard Business Review, written by Zac Rogers and Thomas Y. Choi. This is a key reason why procurement and IT departments should work together and ensure that a vendor’s cybersecurity capabilities are considered before any contract is signed.

There are some preventive steps BFSI institutions can take to reduce cyberthreats that come from vendors’ IT systems:

Fight Cybersecurity as a Consortium: It is more than likely that the key suppliers for one BFSI enterprise are also primary suppliers to rival enterprises. This situation can be used to their advantage, and BFSI firms can work together to set industry-level security standards that must be met mandatorily by all suppliers. Procurement teams can play a key role here in driving discussions on cyberattacks and innovative ways to fight data leak. Another way to reduce risks would be to hire a Managed Security Services Provider (MSSP) that procurement can work with to ensure cybersecurity.

Improve Selection Criteria and Contracts: Conducting detailed risk management assessments before finalizing a supplier will help strengthen cybersecurity. Instead of conducting this vetting activity at the conclusion of a sourcing activity, procurement should do basic cybersecurity evaluations in the initial stage itself. For example, it can include a cybersecurity questionnaire as a part of the RFP sent out to select suppliers for a product or service. After conducting adequate assessments, once a supplier is finalized, the contract should include clauses about suppliers not sharing their client’s confidential data outside of a designated area and taking steps to prevent data leak in case of a cyberattack.

It’s important not to forget the clauses once they are laid down. A supplier’s cybersecurity capabilities should be reviewed consistently, along with performance assessment. Key suppliers should be mandated to provide regular audit reports that certify their security levels, and procurement should be empowered to end a supplier contract in case there are security breaches.

IT SECURITY IN PROCUREMENT

With technology permeating every area of operations, it has become imperative to understand the role and significance of IT security in every step of the procurement process.

MARKET INTELLIGENCE AND DUE DILIGENCE

The human element is as important as technology when it comes to enhancing cybersecurity, and here procurement needs to be more proactive. While news of the latest cyberthreats and attacks makes it to the front pages of newspapers and is hard to miss, there is a long tail of threats that procurement specialists need to be aware of.

Setting up Google Alerts and subscribing to specialized industry newsletters are good first steps in creating awareness, of cyberthreats, attacks and cybersecurity innovations. Multiple mentions and reports of a vendor partner or potential partner, for instance, would raise a red flag and may need additional attention by the organization’s IT department. As business processes become more agile, the goal for procurement should be to view cybersecurity as a function critical to business continuity rather than simply as a compliance checkbox.

THE SOURCE-TO-CONTRACT PHASE

Encrypted Solutions: Procurement must also augment its sourcing processes to increase security. It’s important that sensitive, critical business information is transmitted securely. Often, these activities are conducted over email, which increases risks for both the organization and the vendor. There is a plethora of solutions in the market for different areas of the sourcing process — reverse auction and RFP tools, supplier relationship management software, contracting tools, spend analytics, and more. Most competitive software solutions will have an appropriate level of encryption and security, but keep in mind that using multiple solutions that will need to be integrated or need manual reconciliation may pose a threat of its own. An encrypted end-to-end solution can be the right alternative in mitigating such a threat.

Security Assessments: The sourcing process provides an opportunity to learn more about the organization’s potential partners. Procurement can collaborate with the IT department and make an RFP more comprehensive by adding an IT security questionnaire to the package.

The best practices should include using an industry standard security questionnaire so that the organization has a comprehensive view of its partners’ IT security. Another benefit of this type of questionnaire is that most firms will have pre-determined answers, which will prevent delays in the screening process and maybe even expedite the sourcing process by eliminating certain vendors. These should be incorporated into contracts with all third parties, regardless of whether they have direct access to the organization’s IT system or not. This process can go beyond an individual firm’s approach to IT security and become the industry standard for suppliers that are shared by companies from a certain industry.

Legal Contracts: The contracting language must reflect the changes in the landscape. An organization’s IT, procurement and legal teams should determine collaboratively the ideal state of an organization’s requirements from its partners. While minimum security thresholds and compliance to regulations such as GDPR are mandatory, a contract can also touch upon matters such as audit rights and related issues. Liability coverage by the vendor should cover IT breaches and its resultant consequences.

THE PROCURE-TO-PAY PHASE

A cyberthreat does not end with the completion of the sourcing process. In the procure-to- pay stage, sensitive information is often shared between an enterprise and its partners. The organization owes its partners the same rigor in cybersecurity that it expects from them. For one, procurement should authenticate any changes in the payment process or information with its partners to ensure that they are legitimate. Phishing to harvest information from both the organization and its partners is on the rise, and procurement specialists must be mindful of such threats.

PROCESS IMPROVEMENT

Leverage Supplier Solutions: Cybersecurity is a global concern, and vendors are right at the forefront when it comes to dealing with threats. While vendors have to be viewed with a certain amount of caution, one must not overlook the knowledge and learning that can be leveraged from their solutions. One way to capitalize on this is to transform the relationship from just a standard hardware solution to a service model. Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide a more dynamic approach to cybersecurity, taking away the complacency associated with one-and-done measures, although these solutions come with their own security concerns. In such cases, it is important to make sure that your provider offers Identity and Access Management (IAM) tools so that only authorized team members can access the back end. This type of solution may be more expensive from a financial standpoint but could drive tremendous value from the point of view of Total Cost of Ownership (TCO).

Limit IT Access: Firms should be more vigilant in granting access to its IT systems. “Access” can range from integration to adding a supplier login to the company’s database. Procurement and IT should be accountable for classifying supplier access and priority as per their business criticality and their need to access IT systems. Additionally, companies can limit access to vendors’ partners — sub-contractors or third-party firms — unless they also go through an SOC audit.

Establish KPIs: As procurement takes on more initiatives within the organization, it is important to keep track of the progress. These metrics may be internal, such as monitoring the number and level of access that partners have into the business’ systems, or external, such as how many of a firm’s partners are compliant with a certain regulation. Establishing such KPIs can attest to the progress that procurement is making toward achieving the larger business goals.

Implement Cloud-Based Solutions: Financial organizations, as part of their long-term strategy, are moving away from legacy systems to cloud-based solutions. Cisco’s Global Cloud Index estimates that total global data center traffic will reach 15.3 ZB annually by 2020, with 92% of all workload being processed in the cloud by 2020. The report also projects that the public cloud will continue to grow by 35% CAGR through the forecast period. This rapid shift to public cloud systems, propelled by demands for cost efficiency and agility, warrants strengthening of the cloud infrastructure.

Banks are in a position to leverage the benefits of cloud-based solutions that can harness data through a single interface for security reasons, as well as to take a more proactive approach to security management, as they keep adding ATMs and new branches globally. Cloud-based solutions will also allow video surveillance and data management solutions to integrate fully with access control and intrusion, thereby creating a comprehensive approach to security threats, according to Security Magazine’s 5 Emerging Risk Management and Security Trends in Banking. That said, data sitting in the cloud is also vulnerable to security threats and is subject to outages as well.

THE PATH TO CYBERSECURITY RUNS THROUGH IT PROCUREMENT

Cyberattacks pose a steadily growing threat to BFSIs, owing to easy and high monetary rewards. The IT procurement process can play a pivotal role in mitigating this threat, safeguarding assets and intellectual and individual property. Enterprises must dedicate more effort to improving cybersecurity in the S2P phase by focusing on ensuring a minimum level of end-to-end encryption in business-critical software; building security assessments into supplier evaluations; and amending and enforcing contracts to include data privacy clauses.

Businesses can build stronger buffers against cyberthreats by granting selective access to suppliers; exploring IaaS and SaaS solutions to shift to a dynamic evaluation of suppliers; and moving to cloud-based solutions to enhance security management.

Finally, they can work alongside peers, leveraging commonalities and approaching the threat as an industry consortium, to create an industry standard in selection criteria and contract terms that will ensure consistency and optimal security provisioning both internally and with third parties.

References

1. “What Are the GDPR Fines?” 11 July 2018. Retrieved from gdpr.eu/fines