Protection, whether of people or of tangible or intangible assets, refers both to the state of being protected and to the act of protecting. The distinction matters, because the state of being protected is clearly transient: protection requires constant adaptation to the prevailing risks. Nothing endures but change. During the sub-prime crisis, many bankers and investors thought it was the end of the world. As it turned out, it was the end of the world as they had known it or as they could envisage at the time.
Regulation as a protection
The crisis was a catalyst for regulators, who felt compelled to make markets more transparent, intermediaries more responsible and investors better protected through increased regulation. There is no doubt that most of these regulations were necessary, even if it can be argued that some were inappropriate or ineffective, but one thing is clear: they will not be sufficient.
There is no way regulators can keep up with the speed of technology, but they can play a role in accountability.
CEO of Uber, Davos 2017
Defining and assessing protection
Therefore, investors and intermediaries should question their choices and re-assess the level of protection provided or, more accurately, the level of risk they knowingly accept. Assessing your risk appetite and your position relative to others is not easy: leader, laggard, or just in the Golden Mean [1] (or the Middle Way [2])? This clearly has implications for the level of protection afforded. Similarly, you need to assess your clients and suppliers, the level of protection they offer and the level of trust you place in them. For instance, when selecting a bank as a trusted partner, it is customary to scrutinize its services, its relative position in the market, its capital structure and its overall solidity.
But how deep should such questioning go? Should some foundations, usually seen as immutable, be called into question? For example, should we go so far as to question the system of trust in society based on the State, its constitution and its laws? The emergence of new social trends among the next generation of tech-savvy world citizens is being reinforced by Blockchain technology, which allows trust to be created within a group, eliminating the need for a trusted third party. Could a technology fundamentally change our organizations and eradicate our national systems? And if this vision becomes reality, when will the turning point be reached?
Or, on the other hand, could some incremental changes in fact become game changers? Digitization is advancing and techniques in the digital space are evolving. The expansion of outsourcing and the reliance on external resources such as cloud computing or Anything-as-a-Service [3] create a strong dependency on third-party suppliers who are entrusted with key processes and confidential data. With suppliers in turn depending on other suppliers, this interdependency can become either a strength or a weakness, unless it is properly managed.
Any failure in protection can result in direct costs to an organization. With media exposure, it can also turn into a major reputational risk. This is why communication managers typically need to be involved in crisis management together with executive management, operations, IT, risk, legal and compliance.
All regulators consider that corporate responsibility alone is not sufficient, and increasingly they are introducing personal liability for management and operations, sometimes extending to criminal responsibility. The message is consistent: there is no delegation of responsibility when using a third party.
Following on from system backups, Disaster Recovery and Business Continuity, the concept of resilience has emerged. Should a production facility and its staff become inoperative, the objective of resilience is to complete the activities of the day and to resume at least 75% of activities by the next day. To reach such a level of continuity, at least three production centres are required, with load balancing and extra manpower, or manpower that can be made available and operational overnight. When vital or essential activities are outsourced, they too must operate to the same standards, with different third-party suppliers and the possibility of rapidly rebalancing operations between them. Obviously, third-party suppliers need proper monitoring and supervision.
In August 2015, an operating system upgrade of SunGard InvestOne at BNY Mellon caused data corruption, and the backup generated errors in the valuations of 1,200 funds for a week.
Financial institutions like BNY Mellon are expected to oversee their third-party vendors and have backup plans if the vendor’s system fails [...] This is particularly important when the third-party vendor performs a critical business function that impacts mom and pop investors.
Massachusetts Secretary of the Commonwealth
The usual key words for the security of information are authentication [4], integrity [5], confidentiality [6], scalability [7], traceability [8], availability [9] and sometimes also comprehensiveness [10]. In each of these areas there are potential weaknesses whenever information is stored or exchanged. The increase in the exchange of data over networks makes cybersecurity a constant preoccupation.
The most secure messaging system in the banking industry, SWIFT, was used in 2015 and 2016 to steal hundreds of millions of dollars from the Bangladesh Central Bank [11].
In the European Union, the Directive on the security of network and information systems (NIS) [12], expected to be transposed into national law by 9 May 2018, aims to boost overall security. Similarly, the EU General Data Protection Regulation (GDPR) [13] is designed to protect the data privacy of all EU citizens, to empower individuals with regard to their personal data and to reshape the way organizations across the region approach data protection.
Hacking is inevitable. Greed is the primary motivation of the hacker, but attacks are often motivated simply by the thrill, by fame-seeking or by a particular ‘cause’. This is why it is essential to envisage hacking scenarios, establish responses to them and rehearse them in order to be prepared.
Conduct as prevention
It is estimated that in almost two cases out of three (63%) [14], hacks are linked to a company’s own employees, including consultants.
So the first line of defence against cybercrime is company culture.
Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.
Founder of McAfee Associates