Regulations are sapping resources and distracting financial institutions away from their cyber defences, according to panellists at the Global RegTech Summit 2018.
The recently revised Markets in Financial Instruments Directive (MiFID II), the General Data Protection Regulation (GDPR), the Revised Payment Service Directive (PSD2) and the proposed Insurance Distribution Directive (IDD) are just some of the regulations putting pressure on the industry this year.
However, despite regulations proposing to hand greater protection to customers’ data and privacy, they are having a negative impact on FIs’ cybersecurity practices.
The panel at the Global RegTech Summit, which included senior staff from Futurae Technologies, Oliver Wyman, TempoCap and TS Lombard, discussed how the financial services industry can address cybersecurity challenges.
One of the biggest drivers that boards will have to look at, in regards to their cybersecurity operations, is regulation, according to Sandra Tobler, co-founder and CEO of Futurae. She brought up the argument of ‘cyber debt’ and whether legislation is dangerous for cyber defences.
Pierre F. Suhrcke, a venture partner at TempoCap, told the audience that the industry is currently at a stage of ‘overregulation’.
“I personally believe that regulators have to take a step back and change their post completely because just putting another 400 pages of words doesn’t make any sense, it doesn’t help, and it just defocusses,” he said. “Regulators need to think about disrupting their own approach and come up with a complete new model.”
Mark James, partner at Oliver Wyman, agreed that regulations like GDPR are taking people’s eye off the ball. He told the audience that whatever regulation is added significantly increases the cybersecurity risk for each company, because legislation is sapping resources.
“There’s so much (regulation), if you talk to banks and corporates, they’re all dealing with GDPR and PSD2 etc. A lot of these things are really not useful. It doesn’t add any value and takes resources away from something which is much more important, defending your own company against external and internal threats. I think the problem is we’ve got guidelines which haven’t been thought through.”
The regulatory challenge for cybersecurity is slightly different from what regulators are trying to do with capital regulation or liquidity regulation, according to James.
However, he applauded the notion of more sharing and creating a lot more collaboration, arguing for the need to move from a ‘need to know’ to a ‘need to share’ type of environment.
“The difference is, in order to create an effective and safe financial services environment, and in order to guard the country against the systemic risks that these impose, we need to go from a situation where banks are sitting on their intelligence and on their knowhow, with respect to how to respond to cyber-attacks.”
Taking a slightly different view to his fellow panellists, Rafael Narezzi, CIO/CSO at TS Lombard, suggested that GDPR will be used as a tool for cybercrime as companies have to fulfil certain obligations to make sure data is protected.
“I think compliance, in one way, will make companies safer because they’re going to have to invest more resources in order to comply.” However, he also believes it could act as a way to extort money from companies who are not compliant.
Despite seeing compliance as a good thing, Narezzi suggests that regulations could do more to assist with cybercrime. He also echoed James’ thoughts on a more collaborative intelligence environment.
“We don’t share intelligence enough. If we could share, then it would be great because then we’re going to be better to protect ourselves. But this is going to the barrier of sharing commercial values instead of sharing knowledge of how to defend your organisation in a collaborative way”
While regulations are having a potential negative impact on the cybersecurity of financial organisations, the boards on the company could be more proactive towards their cyber defence according to the panel.
“Boards of corporates or financial institutions don’t put cybersecurity as one of their top priorities on their agenda,” Suhrcke added. “It’s probably a little bit too provocative saying this, but they don’t take it seriously enough. It still seems there is not enough investment going into cybersecurity and that means also that cybersecurity awareness is a cultural thing.”
The notion of it being an ‘IT problem’ also has to be addressed according to James. The changes have also got to come from the top down. If the board doesn’t believe it’s important, why should the rest of the company think about it and make an effort, he added.
In order to solve the problem, James said there needs to be a little bit of sort of self-recognition. “If you want to correct your golf swing, you’ve got to understand there’s a problem with the golf swing, as a first step,” he told the audience. “I see a lot of dissembling amongst boards and C suite executives around the cybersecurity issue.”
Narezzi suggests the maturity on the board has to be up to the level that imply cybersecurity is profit driven. “They only look in profit and loss. Cybersecurity should be added as a profit. You’re going to win contracts, if you are more on there and apply more cybersecurity into your organisation.”
Copyright © 2018 RegTech Analyst
Copyright © 2018 RegTech Analyst