Poornima Bushpala and Syed Hussaini: How would you define cybersecurity?
Sridhar Sidhu: Cybersecurity is a new term and represents a subset of the information security function. Unfortunately, there is so much hype that anything related to information security is called cybersecurity. That is not right.
In my view, any external vulnerability-related risk management constitutes cybersecurity. The rest of the information security functions are, by and large, internal to the organisation, though some of them may correlate with external events. Cyber-threat vulnerability management, cyber-threat intelligence and security operations are some of the functions that are part of cybersecurity.
To shift gears, there is so much buzz around fintech in the banking and financial services industry. How does it impact large financial institutions?
Fintech is a necessary component of the financial ecosystem. If you zoom out and look at financial industries as a whole, large and global financial institutions are not necessarily nimble, partly because of the complexity of their operations.
Thanks to the recent technology advances, the customer experience requirements are tremendously different from what they were ten years back. From that standpoint, the agility of fintech in bringing new services to the forefront to serve the underserved or unserved populations in the global economy is phenomenal.
The fundamental reason fintech players are nimble is because in the early stages of their journey, they were not as regulated as global financial banks are today. In addition to that, the use of the latest technology makes them faster in addressing some of the business problems that a global financial institution cannot address. However, that brings its own challenges, both from risk management and security perspectives.
What kind of governance and regulation might be required to govern fintech companies and minimise risk while also nurturing new ideas?
One of the factors that makes fintech agile is not having many regulations. Also, going through procedure and structure to make innovation happen within a global financial institution is different from starting your own company.
That said, many financial institutions have their own internal fintech units that spin out ideas; form separate small groups and get them funded, without necessarily going through the regulated route. Of course, to get into the implementation stage, an idea has to pass through regulatory checks.
In spite of technological advances and a booming fintech market, we still hear about cyber-attack incidents. Why do you think these incidents are occurring?
Fintech broadly helps people who are not served effectively by the global or national financial ecosystem. That is why the majority of fintech is in the financial products or services side of the house.
On the technology enablement side, cloud service providers again support process management-centric work. For example, a fintech company could help an organisation manage fraud better by using deep learning and machine learning capabilities and taking the dataset from financial institutions to enhance their fraud management capabilities. In this way, the significance of fintech initiatives is more on the business side of things than on the security side.
Second, the ability of financial institutions to share critical vulnerability information with a third party is very limited. This is why financial companies and fintech need to work together to see how to reduce cyber-exposure for a company.
In the last six to seven years, cybersecurity fintech startups have contributed in the areas of threat intelligence, threat response support and threat hunting. However, these are not necessarily at the peak of maturity yet.
What benefits and challenges do you see in having cybersecurity in this fintech era?
The fundamental role of banks is to take deposits or lend money to those who need money for personal or business purposes. If the financial institutions have a good credit risk management programme, they are able to manage the credit portfolio well. That is not the case with cyber-risks. Vulnerability exists for both large global and small local financial institutions.
Global financial institutions may be able to build strong cybersecurity in-house, but some of the small or medium financial institutions cannot. They are exposed to the same vulnerabilities, but their ability to build and retain cybersecurity talent within the organisation is limited because that is not their core purpose. So the only options are third-party service providers and, in combination, fintech firms who can provide similar cybersecurity capabilities at a fraction of the cost, subject of course to the underlying regulations of a given country. That is the reason why the majority of fintech in the cybersecurity space provides services to mid-size to small-size organisations. If small corporate banks are exposed to vulnerability and those companies transact internationally, for example, financial transactions through SWIFT with other banks, then they will all be at risk.
Unlike credit or market risk, cyber-risk is the most common, the weakest link in the financial system. That’s the reason fintech needs to be strong in this area; otherwise, organisations cannot survive on their own.
What role do you see fintech companies playing in India and globally? Do you see them disrupting the banking and financial services industry itself?
My take is that financial institutions and fintech should co-exist. I personally do not believe that fintech will walk over financial institutions. They will only make the financial ecosystem a lot more agile. For example, in the Indian context, there are a few startups which serve the financial needs of the unserved, say, for example, customers who need Rs 10,000 as a loan, which a bank with existing processes cannot serve profitably.
Startups can be revolutionary in peer-to-peer lending. You need money. I have the money. There is a platform where we can exchange money and earn interest. Today, with the enablement of technology and to some extent, with fewer regulations on that front, there are some startups that are doing phenomenally well in this area.
My read is that the Indian regulator, the Reserve Bank of India (RBI), is more thoughtful in its approach. That is the reason why we have a strong financial system.
Coming back to the global bank internal ecosystem, it is critical to evaluate internal pain points and then look around and see which of the fintech startups across the world can meet those needs partially. See if both of them can be married together. If the fintech firm does not scale up to global banks’ requirements, it can still be seen as an opportunity for investment. Consider funding that idea, see if it could serve mid or small size companies and earn money. That is what banks do today.
What are the fundamental challenges you see for regulators from various geographies, specifically for cybersecurity?
Every regulator wants to be the best in the world, and sometimes they want to outsmart each other. The fundamental problem which is not addressed is that perpetrators penetrate the organisation and exfiltrate the data. Even when local investigative authorities find out who the perpetrator is, they may still not be able to bring the perpetrators to justice as there is no common understanding between countries. If the G20 or G8 could potentially look at some harmonisation of cyber-regulations and collaboration between nations, we could get to a more cyber-secured system.
What would be your advice to new aspirants getting into risk or specifically, a cybersecurity role?
There are multiple domains within cybersecurity. There is technology, infrastructure, change management process, management and governance, information security risk management, identity and access management, you name it. People need to identify within which function they might want to spend five to seven years to become specialists. Unless you become a specialist and grow vertically with technical capabilities, it becomes difficult to lead large teams in this field.
All said and done, passion is the only thing which will make a professional stick in an information security role. Otherwise, it will become too stressful.
Sridhar Sidhu leads the Enterprise Information Security (EIS) Services Organisation at Wells Fargo. He is responsible for the global delivery of Information Security Services from multiple locations across countries. His work around the themes of Risk, Governance and Oversight Practices at the Board level at S&P 200 organisations has resulted in publications in international journals.
Edited by Yogini Joglekar