
Financial and economic heavy hitters have formed a cybersecurity consortium


This story was delivered to BI Intelligence “Fintech Briefing” subscribers.

The World Economic Forum (WEF), incumbents Citigroup, the Depository Trust and Clearing Corporation (DTCC), and Zurich Insurance Group, along with alt lender and tech supplier Kabbage, have formed a consortium dedicated to improving cybersecurity standards across the fintech startup space.

The consortium was formed in response to a recommendation in a new WEF report on how to address the risks of increasing technology use in financial services, especially as incumbents and fintechs enter into ever-more partnerships. The group’s first step will be to create a set of criteria to assess the robustness of fintechs’ cybersecurity protocols, and a set of cybersecurity standards for startups to pledge to adhere to, both of which are expected to be drawn up in the next six to 12 months. The group will be managed by the WEF.

The goal is to help incumbents leverage fintechs’ innovations without incurring excessive risk. Incumbents stand to gain by being able to more accurately assess the risk they expose their organization and clients to when entering into a partnership with a fintech to leverage its technology and intellectual property (IP).

Supply partnerships are becoming the predominant interaction model between the two camps, but incumbents express concern about exposing themselves to third-party risk by working with startups that don’t face the same tough standards and fines as incumbent players, such as unregulated technology suppliers. This concern will only grow under GDPR, which will impose steep fines for lax cybersecurity.

This consortium will help prepare incumbents and fintechs for survival in a digital economy. Studies and data sets are increasingly demonstrating that fintechs are engaging with incumbents as technology suppliers, so implementing measures that make such third parties adhere to a robust security standard will help ensure that there are fewer weak links in the supply chain that open collaborators up to breaches, especially as financial services remains one of the industries most targeted by cybercriminals.

As neither cybercrime nor incumbent-fintech partnerships are likely to go away, establishing such a group is commendable. However, it’s worth noting that this initiative can only go so far under new data sharing regulations, as outside of partnerships with tech suppliers, incumbents won’t have a say about who they interact with.

Over the past five years, the world has seen a seemingly unending series of high-profile data breaches, defined as incidents in which unauthorized parties access and retrieve sensitive, secure, or private data.

Major incidents, like the 2013 Yahoo breach, which impacted all 3 million of the tech giant’s customers, and the more recent Equifax breach, which exposed the information of at least 143 million US adults, have kept this risk, and these threats, at the forefront for both businesses and consumers. And businesses have good reason to be concerned — of organizations breached, 22% lost customers, 29% lost revenue, and 23% lost business opportunities.

This threat isn’t going anywhere. Each of the past five years has seen, on average, 1,704 security incidents, impacting nearly 2 billion records. And hackers could be getting more efficient, using new technological tools to extract more data in fewer breach attempts. That’s making the security threat industry-agnostic for any business holding sensitive data — at this point, virtually all companies — and therefore a necessity for firms to address proactively and prepare to react to.

The majority of breaches come from the outside, usually when a malicious actor is seeking access to records for financial gain, and tend to leverage malware or other software and hardware-related tools to access records. But they can also come from inside the organization, as well as from accidents caused by employees, like lost or stolen records or devices.

That means that firms need to have a broad-ranging plan in place, focusing on preventing breaches, detecting them quickly, and resolving and responding to them in the best possible way. That involves understanding protectable assets, ensuring compliance, and training employees, but also protecting data, investing in software to understand what normal and abnormal performance looks like, and building a response plan to mitigate as much damage as possible when the inevitable does occur.

Business Insider Intelligence, Business Insider’s premium research service, has put together a detailed report on the data breach threat, who and what companies need to protect themselves from, and how they can most effectively do so from a technological and organizational perspective.

Here are some key takeaways from the report:

  • The breach threat isn’t going anywhere. The number of overall breaches isn’t consistent — it soared from 2013 to 2016, but ticked down slightly last year — but hackers might be becoming better at obtaining more records with less work, which magnifies risk.
  • The majority of breaches come from the outside, and leverage software and hardware attacks, like malware, web app attacks, point-of-service (POS) intrusion, and card skimmers.
  • Firms need to build a strong front door to prevent as many breaches as possible, but they also need to develop institutional knowledge to detect a breach quickly, and plan for how to resolve and respond to it in order to limit damage — both financial and subjective — as effectively as possible.

In full, the report:

  • Explains the scope of the breach threat, by industry and year, and identifies the top attacks.
  • Identifies leading perpetrators and causes of breaches.
  • Addresses strategies to cope with the threat in three key areas: prevention, detection, and resolution and response.
  • Issues recommendations from both a technological and organizational perspective in each of these categories so that companies can avoid the fallout that a data breach can bring.