The global economy entered 2024 with momentum amid duelling tailwinds – easing supply chain pressures and moderating inflation – and headwinds – geopolitical tensions and increased regulatory scrutiny. These factors are testing the resilience of financial services business models and pushing sector leaders to explore innovative avenues for value creation while managing emerging cyber security risks and privacy concerns.
This relatively unsettled macroeconomic backdrop will challenge the financial services sector in new ways over the coming year.
Security teams within financial services need to focus on what’s coming next. An evolving wave of disruptive technology – particularly generative AI, the imperative to automate, shoring up firms’ data foundation, and the trend toward embedded finance – is exposing financial services sector executives to vulnerabilities with which they have never had to contend.
Digital proliferation is blurring global borders, making it daunting to harmonise growth initiatives with shifting regulatory requirements. As the demand for seamless and personalised experiences grows, so do the challenges of providing comprehensive security and data privacy, making digital identity management more complex than ever.
Simultaneously, the exponential growth of data and increasing adoption of cloud-based systems have expanded the cyber attack surface, underscoring gaps in vulnerability management and the ability to address incidents in a timely manner.
Today, the focus is an intensified risk dialogue between cyber and business executives to enable future readiness and orchestrate strategies rooted in resilience, innovation, security, and trust.
In this article, KPMG explores cyber security considerations in the financial services sector and provides a roadmap for navigating cyber challenges successfully and responsibly in an evolving threat and regulatory landscape.
Cyber focus for Financial Services in Australia
Cyber continues to be a critical focus for Australian financial services firms. Matt O'Keefe, Partner and KPMG's Cyber Security ASPAC Lead, states that "heightened customer and media focus, increasing regulator expectations and a threat landscape that is accelerating in terms of volume, speed to exploit and sophistication – all conspire to increase the pressure on firms to align cyber preparedness to the risk, and to be advancing this preparedness at the same or greater pace."
KPMG Australia's Natasha Passley, Partner, Cyber Security – Financial Services, adds, "Our interconnected digital world means cyber crime can too often result in identity theft, fraud and data breaches, making security inevitably intertwined with fraud and scams. Organisations in financial services are best prepared for this with a robust strategy that embraces emerging tech and keeps pace with evolving regulation to reflect the critical nature of their operations, all while making the most of capability that provides holistic visibility of their environment and helps identify their greatest risk."
Key cyber security considerations
1. Global cyber boundaries & changing regulatory environments
As the financial services sector continues to scale technology innovations, regulators are responding with new cyber security standards to balance growth with governance. The daunting task for today's security professionals is to calibrate their regulatory reporting for an increasingly borderless world while maintaining security controls that can be tailored to local requirements.
A central consideration for the financial services sector is how to most effectively navigate the current business landscape to ensure resilience and business continuity. While multinational companies often lead the way in adopting emerging trends, smaller firms may often be less prepared to tackle these complexities. Through partnerships, firms can benefit from shared knowledge and enhance their security posture in response to evolving global regulatory demands without having to reinvent the wheel.
Navigating diverse regulatory landscapes – Balancing compliance in a constantly evolving cyber and privacy regulatory space is a significant objective for multinational FS companies, especially when these rules may vary significantly across jurisdictions.
Adapting to national interests and information sovereignty – National interests have inspired diverse regulatory requirements over data sovereignty, complicating global service delivery. Maintaining global accessibility and local compliance calls for substantial investments in local infrastructure and extensive operational modifications.
Supply chain security compliance – With supply chains stretching across continents, vulnerabilities have multiplied due to differing cyber controls and transparency requirements. Ensuring security and compliance for every entity involved necessitates rigorous vetting and oversight, which can escalate complexity and cost.
Incident reporting in a global context – The disparate incident reporting requirements across jurisdictions require flexible and efficient reporting mechanisms that can incorporate evolving cyber security mandates while ensuring prompt, accurate disclosures.
Regulatory compliance – In addition to navigating the SEC's new cyber security disclosure rules in the US and the Digital Operational Resilience Act (DORA) in the EU, the financial services sector is grappling with implementing privacy controls that are both globally consistent and locally adaptable, to comply with laws such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US. In Australia, financial services organisations are similarly preparing for new regulation such as APRA's CPS 230, which is designed to drive an uplift in operational resilience across the industry, addressing amongst other things the impact of cyber attacks on the financial services sector. Striking a balance between customer data protection and operational flexibility remains a key challenge.
Building a resilient regulatory compliance framework – Navigating cross-border intricacies demands a sophisticated and agile approach to regulatory compliance, one that can swiftly adapt to new regulations while enhancing operational resilience on a global scale.
Enhancing data sovereignty measures – Investing in local data centres and cloud technologies with regional data storage options can help financial services companies adapt to local regulations and efficiently meet data sovereignty requirements across different jurisdictions.
Strengthening supply chain security – FS companies can bolster their operational backbone against cyber threats and regulatory shifts by implementing robust security vetting and continuous monitoring processes within their supply chains.
Leveraging technology for compliance automation – Breakthrough technologies such as AI and blockchain can enable the sector to automate tedious compliance tasks, lower human error risks, and boost efficiency in incident reporting and privacy management.
Establishing global privacy standards – Financial services institutions can gain a competitive advantage by spearheading the development and implementation of high global data privacy standards. This should not only foster a culture of security and customer trust, but also establish a benchmark for the entire ecosystem.
2. Supercharge cyber security with automation
Digital agendas are proliferating at a massive rate. With the increasing shift to cloud-based systems and remote work, the volume of data that needs protection is skyrocketing. As a result, the cyber attack surface is expanding, creating more alerts and triage events for financial services cyber security leaders to manage. So, how can security teams keep detecting threat after threat and identify what to prioritise? One of the most efficient ways to do that is through automation.
As operating models digitise, SOCs should automate and upgrade their processes to keep pace. With security automation, financial services institutions can secure the third-party ecosystem, assess vulnerabilities, and expose weak links within vendor and supplier ecosystems. Using AI and machine learning, the sector can centralise critical security processes for high-risk areas, enabling security teams to pursue more agile and efficient response times.
Resource limitation and data overload – The financial services industry faces the dual challenge of rapidly escalating cyber threats and a critical shortage of skilled cyber security professionals. This scarcity compounds the difficulty of managing, detecting and responding to threats while handling vast amounts of data. As a result, security operation centres (SOCs) are strained by the sheer volume of alerts to be analysed and monitored.
Volume of vulnerabilities – The rapid evolution of technologies and discovery of software flaws leave financial services firms with vulnerabilities, making prioritisation and patching a daunting task. As mature organisations work on establishing robust response programs, capacity constraints impede effective, timely remediation.
Asset inventory maintenance – A mature asset management inventory has become a prerequisite for many cyber security processes, ensuring coverage of capabilities, asset ownership, and resource criticality. Financial services institutions often grapple with outdated or incomplete asset data that hinders effectiveness of risk and security processes.
Timely incident mitigation – The rising number of alerts and complex cross-platform interdependencies is contributing to delays in mitigating cyber incidents. SOCs grapple with this workload, causing delays in assessing and addressing each incident, potentially aggravating the impact of breaches.
Machine-learning-enabled vulnerability management – FS organisations are encouraged to revamp their vulnerability management programs to remove bottlenecks end to end. Automation can help prioritise, assign, and remediate both high- and lower-criticality vulnerabilities using policy-as-code solutions, so that routing and service-level rules are versioned and reviewed rather than applied by hand.
Automated asset management workflows – Enhanced automated discovery processes can more effectively validate asset metadata and ownership, providing continuous, real-time asset inventory updates and ensuring accurate application of security protocols.
Proactive incident response controls – Organisations should emphasise proactive controls to automatically block and respond to potential network threats. Implementing advanced automated containment and blocking measures can curtail the spread of malicious activity, thereby minimising the impact of security incidents.
Automated traditional Level 1 analyst triage – Leverage machine learning (ML) to correlate events across multiple sources of telemetry to reduce false positives and escalate important matters more quickly to Level 2 analysts.
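As an added example of what "policy as code" for vulnerability prioritisation looks like when it is joined to the asset inventory that the "Asset inventory maintenance" and "Automated asset management workflows" points depend on (illustrative code, not KPMG's and not a description of any product), the Python below routes scanner findings through an ordered rule set. The asset records, findings, placeholder vulnerability identifiers, SLAs and the exploited-in-the-wild flag are all constructed for the example. Two design points are worth noting: a finding on an asset the inventory does not know about is routed as an inventory gap rather than scored, and a change to the rules is a reviewed code change rather than an edit in a ticketing UI.

```python
"""Policy-as-code vulnerability prioritisation joined to an asset inventory.

Added illustration, not KPMG's code. Assets, findings, SLAs and the
'exploited_in_wild' flag (e.g. from a known-exploited-vulnerability feed)
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory; in practice populated by discovery/CMDB automation.
ASSETS = {
    "pay-gw-01": {"owner": "payments-platform", "criticality": "high", "internet_facing": True},
    "hr-portal": {"owner": "corporate-it", "criticality": "medium", "internet_facing": True},
    "dev-box-7": {"owner": "app-eng", "criticality": "low", "internet_facing": False},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # placeholder identifiers below, not real CVEs
    cvss: float
    exploited_in_wild: bool
    found: date


# The policy itself: ordered rules, first match wins. Keeping it in code means a
# change to SLAs or priorities is reviewed and versioned like any other change.
POLICY = [
    # (rule name, predicate(finding, asset), priority, SLA in days)
    ("exploited-and-exposed", lambda f, a: f.exploited_in_wild and a["internet_facing"], "P1", 2),
    ("critical-on-high-asset", lambda f, a: f.cvss >= 9.0 and a["criticality"] == "high", "P1", 7),
    ("exploited-internal", lambda f, a: f.exploited_in_wild, "P2", 14),
    ("high-cvss", lambda f, a: f.cvss >= 7.0, "P3", 30),
    ("default", lambda f, a: True, "P4", 90),
]


def prioritise(f: Finding, assets=ASSETS, today=date(2024, 3, 1)) -> dict:
    """Return the routing decision for one finding."""
    asset = assets.get(f.asset)
    if asset is None:
        # An asset the scanner sees but the inventory does not is an inventory
        # gap: route it to asset management instead of guessing its risk.
        due = today + timedelta(days=7)
        return {"vuln": f.vuln_id, "asset": f.asset, "priority": "P2", "rule": "unknown-asset",
                "assignee": "asset-management", "due": due, "overdue": False}
    for name, predicate, priority, sla_days in POLICY:
        if predicate(f, asset):
            due = f.found + timedelta(days=sla_days)
            return {"vuln": f.vuln_id, "asset": f.asset, "priority": priority, "rule": name,
                    "assignee": asset["owner"], "due": due, "overdue": today > due}
    raise RuntimeError("POLICY must end with a catch-all rule")


def triage(findings, assets=ASSETS, today=date(2024, 3, 1)) -> list:
    """Decisions for a scan, highest priority and earliest due date first."""
    decisions = [prioritise(f, assets, today) for f in findings]
    return sorted(decisions, key=lambda d: (d["priority"], d["due"]))


# Constructed scanner output.
FINDINGS = [
    Finding("dev-box-7", "VULN-A", 9.8, False, date(2024, 2, 20)),
    Finding("pay-gw-01", "VULN-B", 7.5, True, date(2024, 2, 25)),
    Finding("hr-portal", "VULN-C", 5.3, False, date(2023, 11, 1)),
    Finding("ghost-vm", "VULN-D", 9.1, False, date(2024, 2, 28)),   # not in inventory
]

if __name__ == "__main__":
    for decision in triage(FINDINGS):
        print(decision)
```

Running it shows the internet-facing, actively exploited finding on the payments gateway landing at the top as P1 and already overdue against a two-day SLA, while the CVSS 9.8 finding on an internal low-criticality developer box falls to P3; the unknown host goes to the asset owners, which is the inventory feedback loop the automation needs.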
3. Make digital identity individual not institutional
Today, the line between business-to-consumer (B2C) and business-to-business (B2B) security has blurred considerably. Driven by intersecting business models, it’s vital that financial services organisations now view identity not in isolation but from a holistic perspective.
That's an important driver toward an identity and access management (IAM) model that encompasses a new level of resilience suitable for federated, private, public, or multi-cloud computing environments.
While the financial services sector actively embraces advanced cyber security and IAM measures, there is a pressing need to accelerate adoption and preparedness to keep pace with change. Evolving to a model in which a digital identity with a high level of assurance is a reality will enable businesses to collect, store, and process less personally identifiable information, which would be a decidedly positive outcome for consumers.
Customer identity and access management (CIAM) strategies – As digital banking and financial services grow, so does the need for robust CIAM solutions that not only support seamless customer experiences but also protect customer identities and bolster trust.
Fraud detection and prevention – The FS sector is continuously challenged by sophisticated fraud schemes. This increasingly accelerates the need for identity analytics and behaviour analysis to identify anomalous access patterns and transactions.
Regulatory compliance and identity management – Subject to rigorous regulatory requirements, including know your customer (KYC), anti-money laundering (AML), and privacy (e.g., GDPR, CCPA), many financial institutions are struggling to manage digital identities while ensuring compliance.
Entitlement sprawl and management – FS consumers and employees interact with various digital platforms, leading to entitlement sprawl and increased security vulnerabilities. Managing access rights becomes complex and error-prone, making the sector a prime target for identity theft and fraud.
Identity-focused attack surface management – The lack of a standardised authentication approach across FS institutions complicates the user experience and security protocols. Diverse methods lead to confusion, weaker security measures, and increased cyber risks.
The rise of deepfakes – The ease with which bad actors can alter content threatens businesses in virtually every industry and sector. Public and private organisations worldwide must maintain the appropriate computing power, forensic algorithms, audit processes, and talent to combat this threat.
Improving security and experience – Balancing convenience with security using tools like biometric authentication, single sign-on (SSO), and multi-factor authentication (MFA) can enhance the customer experience, leading to increased engagement and loyalty.
Security monitoring – Financial institutions can leverage identity analytics to detect fraud and protect customers and assets. This proactive approach can serve as a key differentiator in the market, attracting customers who prioritise data privacy. Beyond fraud, it is critical to tie privileged access, insider threat and non-human identities to the traditional security incident response processes through extended detection and response (XDR).
Regulatory-fueled transformation – Implementing effective IAM tech solutions that automate compliance processes and reduce regulatory risks can build customer trust, leading to increased customer retention and attraction.
Automated entitlement management – Streamlining and automating entitlement management enhances operational efficiency, reduces human error, and can mitigate insider threats. FS institutions can leverage advanced identity governance and administration (IGA) tech solutions to provide a secure, compliant, and user-friendly access management experience.
Unified identity – Adopting broad-ranging IAM tech solutions and collaborating on industry-wide standards for authentication can strengthen how the sector defends against cyber threats and drives innovation.
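As an added example of the identity analytics described under "Fraud detection and prevention" and "Security monitoring" (illustrative code, not KPMG's; the event layout, the thresholds and the service-account allow-list are assumptions), the Python below runs three detections over constructed authentication events: impossible travel between two successful logins by the same user, credential stuffing from a single source address against many accounts, and a non-human identity authenticating from an address outside where it is expected. The last case is the tie-in to incident response that the "Security monitoring" point calls for, since a service account on an interactive path is a privileged-access signal, not a fraud signal.

```python
"""Identity analytics over authentication events.

Added illustration, not KPMG's code. The event layout, thresholds and the
service-account allow-list are assumptions; all events are constructed.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900        # faster than a commercial flight: impossible travel
STUFFING_MIN_USERS = 5     # distinct accounts one source must fail against ...
STUFFING_WINDOW_S = 300    # ... inside this window to count as credential stuffing

# Assumed allow-list of non-human identities and their permitted source addresses.
SERVICE_ACCOUNTS = {"svc-batch": {"203.0.113.200"}}

# Constructed events: (timestamp, user, source ip, (lat, lon), result)
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "203.0.113.10", (-33.87, 151.21), "success"),  # Sydney
    ("2024-03-01T09:20:00", "alice", "198.51.100.7", (51.51, -0.13), "success"),    # London, 20 min later
    ("2024-03-01T10:00:00", "bob", "203.0.113.55", (-37.81, 144.96), "success"),
    ("2024-03-01T10:30:00", "bob", "203.0.113.55", (-37.81, 144.96), "success"),
    ("2024-03-01T11:00:00", "carol", "192.0.2.1", (-33.87, 151.21), "failure"),
    ("2024-03-01T11:01:00", "dave", "192.0.2.1", (-33.87, 151.21), "failure"),
    ("2024-03-01T11:02:00", "erin", "192.0.2.1", (-33.87, 151.21), "failure"),
    ("2024-03-01T11:03:00", "frank", "192.0.2.1", (-33.87, 151.21), "failure"),
    ("2024-03-01T11:04:00", "grace", "192.0.2.1", (-33.87, 151.21), "failure"),
    ("2024-03-01T12:00:00", "svc-batch", "203.0.113.60", (-33.87, 151.21), "success"),
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse(raw):
    ts, user, ip, geo, result = raw
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "geo": geo, "result": result}


def impossible_travel(events):
    """Consecutive successful logins by one user implying an implausible speed."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["geo"], e["geo"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", e["user"], round(km / hours)))
        last[e["user"]] = e
    return alerts


def credential_stuffing(events):
    """One source address failing against many distinct accounts in a short window."""
    alerts, by_ip = [], defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if (f["ts"] - first["ts"]).total_seconds() <= STUFFING_WINDOW_S]
            users = {f["user"] for f in window}
            if len(users) >= STUFFING_MIN_USERS:
                alerts.append(("credential_stuffing", ip, len(users)))
                break
    return alerts


def service_account_misuse(events):
    """Non-human identity authenticating from an address outside its allow-list."""
    return [("service_account_unexpected_source", e["user"], e["ip"])
            for e in events
            if e["user"] in SERVICE_ACCOUNTS and e["ip"] not in SERVICE_ACCOUNTS[e["user"]]]


def analyse(raw_events):
    events = [parse(r) for r in raw_events]
    return impossible_travel(events) + credential_stuffing(events) + service_account_misuse(events)


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

Each detector keys on a different identity attribute (user, source address, account type), which is the practical reason to feed them from one event stream rather than separate fraud and SOC tooling: the same Sydney-to-London login pair that fraud analytics flags is also the record an incident responder needs.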
Real-world cyber security in the financial services sector
In a recent cyber event, attackers exploited vulnerabilities in a key financial network to create fraudulent money transfer requests, resulting in significant financial losses. These breaches had a significant impact on a number of financial services firms, which rely heavily on secure file transfers to protect sensitive data.
The potential exposure of confidential financial information, as well as service outages and delays in the functioning of critical processes, posed a serious threat to the affected organisations. This not only jeopardised the privacy and security of clients, but also exposed the organisations to legal and regulatory consequences.
Affected companies were forced to allocate significant resources to investigating the extent of the breaches, identifying compromised data, and assessing the potential operational impact. They also had to implement additional security measures to prevent further breaches and regain client trust.
This episode was a wake-up call for the entire financial services industry, highlighting the need for robust cyber security measures and proactive risk management strategies. It emphasised the importance of regular software updates, thorough security assessments, and comprehensive ongoing employee training.
Top priorities for security professionals in financial services
- Develop and implement a sophisticated framework for regulatory compliance that can adapt to different, constantly evolving laws across jurisdictions.
- Align investments with local infrastructure and cloud technologies that meet data sovereignty requirements.
- Establish rigorous vetting and monitoring processes for supply chain security.
- Leverage innovative technologies like AI and blockchain to automate tedious compliance tasks.
- Implement automation for effective vulnerability management and proactive incident response.
- Strengthen CIAM strategies to elevate security and customer experience.
- Incorporate identity analytics for advanced fraud detection and prevention.
- Advocate for standardised authentication practices across the industry.
How KPMG can help
In addition to assessing your cyber security program and helping you ensure it aligns with your business priorities, KPMG professionals can assist financial services organisations to develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks, and advise on the design of an appropriate response to cyber incidents.
KPMG professionals are adept at applying leading thinking to financial services firms' most pressing cyber security needs and developing custom strategies that are fit for purpose. KPMG professionals offer a broad array of technology solutions including cyber cloud assessments, privacy automation, third-party security optimisation, AI security, and managed detection and response.
KPMG's Financial Services cyber specialists
To learn how KPMG can assist with any cyber security issues impacting your business, contact KPMG's Financial Services cyber security specialists.