<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybersecurity Archives - Lhoft</title>
	<atom:link href="https://lhoft.com/lhoftv1/category/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description></description>
	<lastBuildDate>Mon, 23 Dec 2024 10:58:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>

<image>
	<url>https://lhoft.com/lhoftv1/wp-content/uploads/2022/10/grey.svg</url>
	<title>Cybersecurity Archives - Lhoft</title>
	<link></link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Strategies of DORA &#8211; A Lunchtime Dialogue at the LHoFT</title>
		<link>https://lhoft.com/lhoftv1/insights/strategies-of-dora-a-lunchtime-dialogue-at-the-lhoft/</link>
					<comments>https://lhoft.com/lhoftv1/insights/strategies-of-dora-a-lunchtime-dialogue-at-the-lhoft/#respond</comments>
		
		<dc:creator><![CDATA[Oriane Kaesmann]]></dc:creator>
		<pubDate>Mon, 23 Dec 2024 10:27:56 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/?p=31568</guid>

					<description><![CDATA[The clock is ticking for financial institutions across Europe as the January 17th[1] deadline for DORA (Digital Operational Resilience Act) compliance approaches. Aimed at fortifying the operational resilience of financial [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>The clock is ticking for financial institutions across Europe as the January 17th<sup>[1] </sup>deadline for DORA (Digital Operational Resilience Act) compliance approaches. Aimed at fortifying the operational resilience of financial entities, DORA sets out strict requirements for ICT risk management, incident reporting, resilience testing, third-party risk oversight, and governance. With no grandfathering period and a firm deadline, the race to align with these regulations is on.</p>
<p>At a recent industry conference, experts and leaders from Elvinger Hoss<sup>[2]</sup>, PwC Luxembourg<sup>[3]</sup>, Fundvis<sup>[4]</sup>, and Proximus<sup>[5]</sup> convened at the Luxembourg House of Financial Tech (LHoFT) <sup>[6] </sup>to tackle the practical hurdles posed by DORA. The discussions highlighted a range of complexities, from compiling comprehensive registers of ICT services to renegotiating contracts with third-party providers. Despite the daunting nature of these tasks, attendees emphasised the transformative potential of DORA. Addressing these challenges head-on will allow financial institutions to meet regulatory demands and ensure their operational resilience in an increasingly digital world.</p>
<h3>DORA’s Core Requirements</h3>
<p>The regulation introduces a comprehensive framework designed to fortify the digital resilience of financial institutions across Europe. Centred on five key pillars, it addresses distinct facets of operational resilience, providing financial entities with a structured approach to align and reinforce their operational foundations.</p>
<h3>ICT Risk Management</h3>
<p>ICT risk management lies at the heart of DORA, requiring organisations to identify, assess, and mitigate risks related to their information and communication technology. This involves comprehensive mapping exercises to pinpoint critical functions and dependencies, a prerequisite for effective implementation. Financial entities must continuously monitor and update their risk controls to address evolving threats.</p>
<h3>Incident Reporting</h3>
<p>Timely incident reporting is a non-negotiable requirement. Organisations must have standardised processes to report ICT-related incidents to regulators promptly. Clear documentation and communication protocols are essential to demonstrate compliance and support the broader financial ecosystem&#8217;s resilience.</p>
<h3>Digital Operational Resilience Testing</h3>
<p>Resilience testing ensures that financial institutions can withstand disruptions. Regularly scheduled tests, such as penetration tests, must be conducted at least every three years and aligned with real-world risk scenarios. These tests provide invaluable insights into potential vulnerabilities and validate the effectiveness of existing controls.</p>
<h3>Third-Party Risk Management</h3>
<p>Managing third-party risks is one of the more challenging aspects of the regulation. Financial entities must:</p>
<ul>
<li>Update contracts with service providers, prioritising intra-group agreements and major suppliers like AWS and Microsoft.</li>
<li>Create a register of information detailing third-party dependencies and the criticality of their services.</li>
</ul>
<p>This process demands rigorous internal coordination as well as extensive external collaboration to collect and verify data.</p>
<h3>Governance and Oversight</h3>
<p>Effective governance is a cornerstone of DORA compliance. Organisations must:</p>
<ul>
<li>Engage their boards in overseeing digital resilience initiatives.</li>
<li>Regularly present dashboards tracking compliance progress and remediation plans.</li>
<li>Ensure that boards are aware of their accountability in meeting regulatory requirements.</li>
</ul>
<h2>Pathways to Achieving Compliance</h2>
<p>With the January 17th deadline looming, financial institutions must adopt a structured approach. The following strategies focus on practical steps to meet regulatory requirements effectively while addressing key challenges.</p>
<h3>Prioritise Mapping and Register Creation</h3>
<p>The foundation of DORA compliance lies in conducting a comprehensive mapping exercise to identify all ICT services, their criticality, and dependencies. This step is essential before undertaking other compliance actions, as it informs all subsequent processes.</p>
<ul>
<li>Critical Focus Areas: Ensure the identification of business-critical functions and their ICT dependencies.</li>
<li>Data Accuracy: Avoid skipping this step to save time, as inaccuracies here will lead to costly revisions later.</li>
</ul>
<p>Once mapping is complete, organisations must create the Register of Information, a central repository required by regulators. This task involves collecting extensive details from internal sources and external providers.</p>
<ul>
<li>Regulators will expect submissions in early Q1, and incomplete registers will not be accepted.</li>
<li>Even if the register is not perfect, submit a robust first draft to demonstrate effort and readiness.</li>
</ul>
<h3>Address Third-Party Dependencies Proactively</h3>
<p>Managing relationships with third-party service providers is one of the most time-consuming aspects of this regulation. Financial institutions should adopt a tiered approach:</p>
<ul>
<li>Intra-Group Agreements First: Update internal agreements within your organisation, as these require no external dependencies.</li>
<li>Engage Key Providers: Prioritise updating contracts with critical providers like Microsoft and AWS, which often have pre-prepared DORA-compliant agreements.</li>
<li>Small and Medium Providers: These providers may lack preparedness for DORA, making it crucial to document your engagement efforts meticulously.</li>
</ul>
<p>Best practices include using standardised contract templates and documenting every communication to show your compliance efforts to regulators.</p>
<h3>Implement Tools and Expertise for Efficiency</h3>
<p>Leverage technology to streamline compliance activities:</p>
<ul>
<li>SaaS Platforms: Tools like Fundvis centralise register creation, automate data entry, and generate compliance reports for boards and regulators. These platforms help track progress and highlight areas needing attention.</li>
<li>External Support: Engage consultancy firms like PwC for gap analyses, third-party risk management, and assistance with resilience testing. Their industry expertise can expedite compliance.</li>
</ul>
<h3>Engage the Board and Document Efforts</h3>
<p>Board-level engagement is vital for maintaining momentum and accountability:</p>
<ul>
<li>Present dashboards at every board meeting to track compliance progress and remediation plans.</li>
<li>Highlight risks, gaps, and strategies for addressing outstanding issues.</li>
</ul>
<p>Regulators emphasise the importance of documenting all compliance efforts. From initial mapping exercises to third-party contract negotiations, keeping a detailed audit trail demonstrates commitment and ensures readiness for regulatory scrutiny.</p>
<h3>Conclusion</h3>
<p>DORA compliance is a pivotal opportunity to fortify operational resilience across Europe. While tight deadlines and complex requirements demand swift, strategic action, financial institutions can rise to the challenge by prioritising key initiatives: mapping processes, updating registers, collaborating with third-party providers, and harnessing the right tools and expertise. Immediate engagement is essential; by embracing this regulation as a strategic advantage, financial institutions can future-proof their operations, earning the trust of regulators, stakeholders, and clients while navigating tomorrow’s challenges with confidence.</p>
<p>Now is the time to act.</p>
<p>&nbsp;</p>
<hr />
<p><strong><span style="color: #000000;"><span style="font-size: 16px;"><sup style="color: #000000;">Footnotes:</sup></span></span></strong></p>
<p><span style="color: #000000;"><span style="font-size: 16px;"><sup style="color: #000000;">Featured Images: Midjourney</sup></span></span></p>
<p><sup>[1] Rowan Armstrong (02 July 2024) &#8220;EU Digital Operational Resilience Act: Countdown to comply with the January 2025 Deadline&#8221; https://www.brownejacobson.com/insights/dora-countdown-to-comply-with-january-2025-deadline</sup></p>
<p><sup>[2] </sup><sup>https://elvingerhoss.lu</sup></p>
<p><sup>[3] https://www.pwc.lu/ </sup></p>
<p><sup>[4] https://fundvis.org/</sup></p>
<p><sup>[5] https://www.proximus.lu/fr/index-en/</sup></p>
<p><sup>[6] https://lhoft.com/lhoftv1/</sup></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/strategies-of-dora-a-lunchtime-dialogue-at-the-lhoft/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>NIS2 Keep Calm and Carry On Reporting</title>
		<link>https://lhoft.com/lhoftv1/insights/nis2-keep-calm-and-carry-on-reporting/</link>
					<comments>https://lhoft.com/lhoftv1/insights/nis2-keep-calm-and-carry-on-reporting/#respond</comments>
		
		<dc:creator><![CDATA[Oriane Kaesmann]]></dc:creator>
		<pubDate>Mon, 11 Nov 2024 10:42:03 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/?p=30996</guid>

					<description><![CDATA[Compliance officers across the European Union are grappling with the demands of the new NIS2. Replacing the previous NIS1 Directive[1], NIS2 (Directive 2022/2555/EU[2]) sets more stringent cybersecurity requirements across “Highly [&#8230;]]]></description>
										<content:encoded><![CDATA[<p style="font-weight: 400;">Compliance officers across the European Union are grappling with the demands of the new NIS2. Replacing the previous NIS1 Directive<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn1" name="_ftnref1"><sup>[1]</sup></a>, NIS2 (Directive 2022/2555/EU<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn2" name="_ftnref2"><sup>[2]</sup></a>) sets more stringent cybersecurity requirements across “Highly Critical” sectors, from energy to digital infrastructure, including Banking and financial market infrastructures.</p>
<p>&nbsp;</p>
<p><img fetchpriority="high" decoding="async" class="wp-image-30998 aligncenter" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/11/Highly-Critical-Sectors-300x44.png" alt="" width="736" height="108" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/11/Highly-Critical-Sectors-300x44.png 300w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/11/Highly-Critical-Sectors-768x113.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/11/Highly-Critical-Sectors.png 870w" sizes="(max-width: 736px) 100vw, 736px" /></p>
<p style="font-weight: 400;">The highly critical sectors are mentioned in Annex I of Directive (EU) 2022/2555.</p>
<p style="font-weight: 400;">But NIS2 is more than a checklist of requirements; it represents a whole new field of action. For compliance teams facing &#8220;compliance fatigue,&#8221; the key to success lies in mastering two foundational principles: the all-hazards approach and cyber hygiene. By adopting a comprehensive approach to risk management and security, compliance leaders can enhance their organisations&#8217; resilience, better preparing them for a secure digital future.</p>
<h3>The All-Hazards Approach</h3>
<h4>What Is It?</h4>
<p>NIS2’s all-hazards approach<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn3" name="_ftnref3"><sup>[3]</sup></a> pushes organisations to look beyond conventional IT threats, requiring a broad assessment of risks across all operational areas, from HR to the supply chain. Cyber incidents may be the most prominent risks, but NIS2 recognises that any area that indirectly supports IT infrastructure can pose security threats if left unmanaged.</p>
<p><strong>IT Risks:</strong> Traditional vulnerabilities like system flaws, network weaknesses, and outdated software remain critical, particularly given today’s advanced malware and phishing tactics. Companies should favour proactive measures, such as penetration testing and intrusion detection, to reduce these risks. The 2017 WannaCry ransomware attack<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn4" name="_ftnref4"><sup>[4]</sup></a>, which exploited a software vulnerability and affected thousands of systems globally, highlighted the importance of vigilant IT risk management.</p>
<p><strong>HR Risks: </strong>Security also depends heavily on personnel. Untrained staff can accidentally expose systems to cyber threats. Compliance teams must address issues like data misuse, insider threats, and social engineering, and NIS2 mandates that management teams participate in cybersecurity training<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn5" name="_ftnref5"><sup>[5]</sup></a>, underscoring the need for a proactive approach to HR risk management.</p>
<p><strong>Supply Chain Risks:</strong> A company&#8217;s cybersecurity is often only as strong as its partners. The SolarWinds breach<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn6" name="_ftnref6"><sup>[6]</sup></a> illustrated how vulnerabilities in third-party software can allow attackers to infiltrate even well-defended organisations. NIS2 requires rigorous third-party risk assessments<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn7" name="_ftnref7"><sup>[7]</sup></a>, ensuring that all service providers adhere to cybersecurity standards to protect the entire supply chain.</p>
<h4>Why It Matters</h4>
<p>NIS2 underscores that resilience isn’t just about IT defences; it’s about securing the continuity of the entire organisation. This broad approach equips companies to adapt to unexpected disruptions, protecting all components of the operation and minimising downtime. Compliance leaders who adopt the all-hazards framework strengthen their organisation’s reliability and contribute to creating a more comprehensive shield against potential crises.</p>
<h4>How the Leaders Do It</h4>
<p style="font-weight: 400;">Top compliance professionals see NIS2’s all-hazards approach as a strategic defence tool. They foster resilience by embedding a culture of risk awareness across all departments, ensuring that everyone from HR to procurement understands their role in cybersecurity. This unified effort ensures that all organisational components support the digital security strategy and align with regulatory standards.</p>
<h3>Cyber Hygiene, The First Line of Defense</h3>
<h4>The Daily Routine</h4>
<p style="font-weight: 400;">Just as personal hygiene protects physical health, cyber hygiene practices provide essential protection against cyber threats. For NIS2 compliance, fundamental cybersecurity measures such as multi-factor authentication, encryption, and secure communication channels are non-negotiable. These actions create an affordable, effective cybersecurity foundation that can scale with evolving threats.</p>
<p><strong>Multi-Factor Authentication (MFA):</strong> Requiring multiple verification steps significantly reduces unauthorised access risks. MFA is essential, particularly for sectors like finance, where data breaches carry severe consequences.</p>
<p><strong>Encryption:</strong> Safeguarding data during transmission and storage keeps sensitive information secure, even if it is accessed illegally. In May 2024, Ticketmaster experienced a significant data breach<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn8" name="_ftnref8"><sup>[8]</sup></a> where hackers accessed unencrypted customer data, including names, addresses, emails, phone numbers, and partial credit card details &#8211; emphasising the critical importance of robust encryption policies to protect sensitive customer information.</p>
<p><strong>Secure Communication Channels</strong>: All data within an organisation should flow through secure channels. Tools like VPNs and secure messaging apps reduce risks of eavesdropping or interception, strengthening internal security.</p>
<h4>Why It Matters</h4>
<p style="font-weight: 400;">Cyber hygiene is more than “best practice”; it’s essential for reducing infiltration risks. Without consistent application, even sophisticated systems can fail. By embedding these fundamentals into daily routines, compliance professionals protect their organisations and ensure security awareness aligned with NIS2’s standards.</p>
<h4>How the Leaders Approach It</h4>
<p>Leading compliance officers make cyber hygiene a core aspect of organisational culture. They collaborate with IT and department heads to ensure cyber hygiene becomes second nature for all employees. Through regular cybersecurity training and reinforcement of daily protocols, compliance professionals cultivate a shared responsibility for cybersecurity that extends beyond compliance, building long-term resilience.</p>
<h3>Conclusion: The Stakes and Path to Resilience</h3>
<p style="font-weight: 400; text-align: left;">With fines reaching €10 million or 2% of global annual turnover<a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftn9" name="_ftnref9"><sup>[9]</sup></a>, NIS2 compliance stakes are high. However, for compliance leaders, the drive toward NIS2 compliance is more than avoiding penalties: it’s about building a stronger, more resilient organisation. By mastering the all-hazards approach and instilling cyber hygiene practices, compliance officers are doing more than meeting regulatory demands. They are fortifying their organisations against threats, elevating security, and embedding cybersecurity deeply into their operational culture.</p>
<p style="font-weight: 400; text-align: left;">As the European Union steps into this new cybersecurity era, the role of the compliance officer is expanding, requiring a proactive approach to risk management and innovation. By championing NIS2’s principles, professionals contribute to establishing robust systems that can withstand tomorrow’s challenges, keeping their organisations secure and adaptable in a rapidly evolving digital landscape.</p>
<p>&nbsp;</p>
<hr />
<blockquote><p>To dive deeper into how the financial sector is embracing cybersecurity and regulatory resilience, <a href="https://lhoft.com/lhoftv1/category/insights/">visit LHoFT.com</a>. Discover resources and insights that can help you stay ahead in the evolving digital landscape. Protect your organisation, empower your team, and join the leaders shaping the future of finance with robust cybersecurity practices today!</p></blockquote>
<hr />
<p>&nbsp;</p>
<p><strong>Footnotes:</strong></p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref1" name="_ftn1"><sup>[1]</sup></a> As of 18 October 2024, Directive 2016/1148/EU (Network and Information Systems) (NIS) will be repealed by Directive 2022/2555/EU (NIS2), dated 14 December 2022, which shall be implemented by the member states by 17 October 2024. Entities of the banking and financial sector fall within the scope of application of the NIS2 Directive. However, with regard to financial entities, this Directive shall be read in conjunction with Regulation 2022/2554/EU on digital operational resilience for the financial sector (DORA), which will be applicable as of 17 January 2025, with a direct effect in all member states. Source: <a href="https://ntpartnerlawfirm.com/fintech-in-luxembourg-2024/">https://ntpartnerlawfirm.com/fintech-in-luxembourg-2024/</a></p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref2" name="_ftn2"><sup>[2]</sup></a> Consolidated text: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance) <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02022L2555-20221227">https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02022L2555-20221227</a></p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref3" name="_ftn3"><sup>[3]</sup></a> See article 21.2: “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents…”</p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref4" name="_ftn4"><sup>[4]</sup></a> Josh Fruhlinger (24 Aug 2022) “WannaCry explained: A perfect ransomware storm” <a href="https://www.csoonline.com/article/563017/wannacry-explained-a-perfect-ransomware-storm.html">https://www.csoonline.com/article/563017/wannacry-explained-a-perfect-ransomware-storm.html</a></p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref5" name="_ftn5"><sup>[5]</sup></a> See article 20.2: “Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”</p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref6" name="_ftn6"><sup>[6]</sup></a> Saheed Oladimeji, Sean Michael Kerner (03 Nov 2023) “SolarWinds hack explained: Everything you need to know” <a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know">https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know</a></p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref7" name="_ftn7"><sup>[7]</sup></a> See article 21.2 (d): “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;”</p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref8" name="_ftn8"><sup>[8]</sup></a> Mark Sellman (May 30 2024) “Ticketmaster customers urged to change passwords after global hack”</p>
<p><a href="applewebdata://14A4688D-37DC-4F07-904A-DF4F9A902F86#_ftnref9" name="_ftn9"><sup>[9]</sup></a> See article 34.4: “4. Member States shall ensure that where they infringe Article 21 or 23, essential entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.”</p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/nis2-keep-calm-and-carry-on-reporting/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Post-Quantum Cryptography</title>
		<link>https://lhoft.com/lhoftv1/insights/post-quantum-cryptography/</link>
					<comments>https://lhoft.com/lhoftv1/insights/post-quantum-cryptography/#respond</comments>
		
		<dc:creator><![CDATA[Oriane Kaesmann]]></dc:creator>
		<pubDate>Tue, 13 Aug 2024 23:27:56 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/?p=30435</guid>

					<description><![CDATA[Modern cryptography relies on math problems that are hard to solve.]]></description>
										<content:encoded><![CDATA[<p style="text-align: left;">Modern cryptography relies on math problems that are hard to solve.</p>
<p style="text-align: center;"><img decoding="async" class="aligncenter wp-image-30436 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-1.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /> <img decoding="async" class="aligncenter wp-image-30437 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-2.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /> <img loading="lazy" 
decoding="async" class="aligncenter wp-image-30438 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-3.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /> <img loading="lazy" decoding="async" class="aligncenter wp-image-30439 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-4.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /> <img loading="lazy" decoding="async" 
class="aligncenter wp-image-30440 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-5.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /> <img loading="lazy" decoding="async" class="aligncenter wp-image-30441 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-6.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /> <img loading="lazy" decoding="async" class="aligncenter 
wp-image-30442 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7-724x1024.png" alt="" width="724" height="1024" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7-1086x1536.png 1086w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7-1448x2048.png 1448w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/08/Post-Quantum-Cryptography_Adventure-Version-7.png 1655w" sizes="(max-width: 724px) 100vw, 724px" /></p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/post-quantum-cryptography/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Phishing Exposed: A Story of Cybersecurity</title>
		<link>https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/</link>
					<comments>https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/#respond</comments>
		
		<dc:creator><![CDATA[Oriane Kaesmann]]></dc:creator>
		<pubDate>Wed, 24 Apr 2024 14:15:03 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/?p=29725</guid>

					<description><![CDATA[In a world where digital dangers lurk at every corner, many professionals remain unaware of the ever-shifting shadow of cyberthreats.]]></description>
										<content:encoded><![CDATA[<p style="text-align: center;">In a world where digital dangers lurk at every corner, many professionals remain unaware of the ever-shifting shadow of cyberthreats.</p>

<a href='https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/attachment/1-min/'><img loading="lazy" decoding="async" width="1414" height="2000" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/1-min.png" class="attachment-full size-full" alt="" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/1-min.png 1414w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/1-min-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/1-min-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/1-min-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/1-min-1086x1536.png 1086w" sizes="(max-width: 1414px) 100vw, 1414px" /></a>
<a href='https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/attachment/2-min/'><img loading="lazy" decoding="async" width="1414" height="2000" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/2-min.png" class="attachment-full size-full" alt="" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/2-min.png 1414w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/2-min-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/2-min-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/2-min-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/2-min-1086x1536.png 1086w" sizes="(max-width: 1414px) 100vw, 1414px" /></a>
<a href='https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/attachment/3-min/'><img loading="lazy" decoding="async" width="1414" height="2000" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/3-min.png" class="attachment-full size-full" alt="" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/3-min.png 1414w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/3-min-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/3-min-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/3-min-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/3-min-1086x1536.png 1086w" sizes="(max-width: 1414px) 100vw, 1414px" /></a>
<a href='https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/attachment/4-min/'><img loading="lazy" decoding="async" width="1414" height="2000" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/4-min.png" class="attachment-full size-full" alt="" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/4-min.png 1414w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/4-min-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/4-min-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/4-min-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/4-min-1086x1536.png 1086w" sizes="(max-width: 1414px) 100vw, 1414px" /></a>
<a href='https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/attachment/5-min/'><img loading="lazy" decoding="async" width="1414" height="2000" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/5-min.png" class="attachment-full size-full" alt="" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/5-min.png 1414w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/5-min-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/5-min-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/5-min-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/5-min-1086x1536.png 1086w" sizes="(max-width: 1414px) 100vw, 1414px" /></a>
<a href='https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/attachment/6-min/'><img loading="lazy" decoding="async" width="1414" height="2000" src="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/6-min.png" class="attachment-full size-full" alt="" srcset="https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/6-min.png 1414w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/6-min-212x300.png 212w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/6-min-724x1024.png 724w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/6-min-768x1086.png 768w, https://lhoft.com/lhoftv1/wp-content/uploads/2024/04/6-min-1086x1536.png 1086w" sizes="(max-width: 1414px) 100vw, 1414px" /></a>

]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/phishing-exposed-a-story-of-cybersecurity/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Identifying What&#8217;s Next: The Future of Identification Techniques</title>
		<link>https://lhoft.com/lhoftv1/insights/identifying-whats-next/</link>
					<comments>https://lhoft.com/lhoftv1/insights/identifying-whats-next/#respond</comments>
		
		<dc:creator><![CDATA[Oriane Kaesmann]]></dc:creator>
		<pubDate>Fri, 01 Mar 2024 15:26:14 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/?p=29200</guid>

					<description><![CDATA[Join us as we unfold our LHoFT Research program&#8217;s latest series, focused on AI-driven biometric identification. Start your journey in the January 2024 edition of AGEFI, featuring our inaugural piece, [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">Join us as we unfold our LHoFT Research program&#8217;s latest series, focused on AI-driven biometric identification. Start your journey in the January 2024 edition of AGEFI, featuring our inaugural piece, “<a href="https://lhoft.com/lhoftv1/insights/reshaping-identification/" target="_blank" rel="noopener">Reshaping Identification: The Basics of Biometric Innovations</a>”. Continue your exploration in February&#8217;s release, “<a href="https://lhoft.com/lhoftv1/insights/behavioral-biometrics-cutting-edge-tech/" target="_blank" rel="noopener">Securing Tomorrow: Behavioral Biometrics &amp; Cutting-Edge Tech</a>”.</span></p>
<h2><span style="font-weight: 400;">The Next Wave of Biometric Innovations</span></h2>
<h3><span style="font-weight: 400;">Vein recognition</span></h3>
<p><span style="font-weight: 400;">The landscape of biometric security is continuously evolving, and <a href="https://www.rootstrap.com/blog/an-introduction-to-vein-pattern-recognition-technology" target="_blank" rel="noopener">Vein Pattern Recognition</a></span><span style="font-weight: 400;"> (VPR) technology is at the forefront, offering a novel and secure method for individual identification. This advanced technology leverages the unique vein patterns found in an individual&#8217;s palm or fingertips, illuminated by near-infrared light, to provide a secure and contactless identification solution. Its security is unparalleled, relying on the presence of active blood circulation to prevent spoofing, setting a new standard in biometric security. </span></p>
<p><span style="font-weight: 400;">Artificial Intelligence (AI), particularly deep learning, is significantly amplifying the capabilities of VPR technology by improving its accuracy, speed, and adaptability. AI algorithms are adept at analysing complex vein patterns with greater precision, effectively reducing false positives and negatives. AI also aids in image enhancement, crucial for handling <a href="https://arxiv.org/abs/2207.02148" target="_blank" rel="noopener">real-world noisy data</a></span><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">This novel authentication approach is rapidly gaining popularity within the financial sector, with banking institutions incorporating this technology into their infrastructure for a range of functions, including secure customer verification at ATMs and within <a href="https://www.prove.com/blog/the-next-level-of-authentication-vein-recognition" target="_blank" rel="noopener">digital banking platforms</a></span><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">Despite its many benefits, the technology faces challenges, such as the long-term stability of vein patterns and potential interference from ambient lighting, which are important considerations for future development.</span></p>
<h3><span style="font-weight: 400;">Emotional recognition</span></h3>
<p><span style="font-weight: 400;">At the cutting edge of human-machine interaction, <a href="https://mitsloan.mit.edu/ideas-made-to-matter/emotion-ai-explained" target="_blank" rel="noopener">Emotion AI</a></span><span style="font-weight: 400;"> is revolutionising the way machines interpret and respond to human emotions. By harnessing advanced algorithms, this technology delves into the nuances of our emotional expressions, from the subtleties of our facial expressions and voice tones to the complexities of our physiological states. Emotion AI extends beyond mere analysis, employing artificial intelligence to not only decode but also simulate and appropriately react to the spectrum of human emotions.</span></p>
<p><span style="font-weight: 400;">The goal is to create more intuitive and empathetic interactions between humans and machines, with applications ranging from improving automotive safety by detecting driver stress to supporting mental health treatments. This technology may also find its place in the financial sector, mainly in supporting interactions with clients and satisfaction in call centres. With the help of Emotion AI, customer service platforms may better diagnose <a href="https://fintechreview.net/emotion-ai-fs-interview-with-rana-gujral/" target="_blank" rel="noopener">customers’ behaviour</a></span><span style="font-weight: 400;">, leading to improved satisfaction and loyalty.</span></p>
<p><span style="font-weight: 400;">Despite its promising applications, Emotion AI faces ethical dilemmas, such as concerns over privacy and the potential for misuse, underscoring the importance of ethical governance and privacy safeguards in its deployment.</span></p>
<p><span style="font-weight: 400;">Both technologies are setting new benchmarks in their respective domains, offering innovative solutions for secure identification and empathetic human-machine communication. Addressing their inherent challenges will be key to unlocking their full potential.</span></p>
<h3><span style="font-weight: 400;">Ethical dilemma and societal impacts</span></h3>
<p><span style="font-weight: 400;">Broadly speaking, biometric systems rely on distinctive identifiers such as fingerprints and facial configurations to provide sophisticated security solutions for verifying identities. However, these systems are not without challenges, notably the risk of <a href="https://alicebiometrics.com/en/role-of-biometrics-in-cybersecurity-threats-and-solutions/" target="_blank" rel="noopener">advanced spoofing attacks</a></span><span style="font-weight: 400;"> where perpetrators mimic these identifiers to secure unauthorised access. Such attacks generally entail the fabrication or imitation of an individual&#8217;s biometric characteristics to bypass security measures, including the use of counterfeit fingerprints, recorded voice samples, or three-dimensional facial masks.</span></p>
<p><span style="font-weight: 400;">Additionally, implementing biometric systems is costly and introduces new vulnerabilities, while legal frameworks around biometric data usage remain inconsistent, leading to complex compliance scenarios. Furthermore, the potential exploitation of biometric data for commercial purposes and the broader societal implications regarding surveillance and human rights underscore the need for careful consideration and clear limitations on use.</span></p>
<p><span style="font-weight: 400;">As highlighted here and in our prior articles, biometric identification technologies are becoming more integrated into our everyday transactions. The fundamental nature of biometrics, which involves using distinctive physical or behavioural characteristics for identification, presents a significant <a href="https://www.techtarget.com/searchsecurity/tip/In-biometrics-security-concerns-span-technical-legal-and-ethical" target="_blank" rel="noopener">privacy dilemma</a></span><span style="font-weight: 400;">. Consequently, it is imperative to strike a balance between enhancing security measures and safeguarding individual privacy.</span></p>
<h3><span style="font-weight: 400;">Privacy faced with ubiquitous identification</span></h3>
<p><span style="font-weight: 400;">The current proliferation of biometric identification technologies is redefining the boundaries of privacy. Unlike traditional security mechanisms like passwords or PINs that offer a layer of anonymity and can be reset upon compromise, biometric identifiers are fundamentally tied to our physical and behavioural characteristics. This intrinsic link makes biometric data akin to immutable &#8220;house keys&#8221; to our personal information, underscoring the profound risks associated with entrusting these keys to a growing array of custodians. These range from financial institutions we interact with daily to obscure third-party entities whose security protocols and ethical standards might not be transparent. The widespread adoption of biometric systems amplifies the potential for unauthorised access, effectively transforming our personal data into accessible targets for privacy violations.</span></p>
<p><span style="font-weight: 400;">This omnipresent biometric surveillance landscape, characterised by the unchangeable nature of the data it relies on, calls for an in-depth conversation about consent, ownership, and clarity regarding the use of such personal identifiers. Particularly within the financial sector, where these technologies are increasingly employed to bolster security and user authentication processes, there is a pressing need to lead by example in ethical governance and the implementation of robust privacy protections. It is imperative that as biometric data navigates through the myriad channels and platforms within organisations, its integrity and the confidentiality of the individuals it represents are preserved with the utmost care. This commitment to ethical stewardship and transparent practices is crucial in maintaining public trust and safeguarding the fundamental rights to privacy and data protection in the digital age.</span></p>
<p style="text-align: center;">__________________________</p>
<p><span style="font-weight: 400;">The implementation landscape for biometric identification in the financial sector reflects a growing trend towards integrating advanced security measures to combat rising threats. At the same time, biometric technologies, including face, fingerprint, voice, and iris recognition, are becoming increasingly embedded in FinTech applications.</span></p>
<p><span style="font-weight: 400;">For detailed information on the solution providers within our ecosystem, check the </span><a href="https://lhoft.com/lhoftv1/insights/the-luxembourg-fintech-map/"><span style="font-weight: 400;">Luxembourg Fintech Map</span></a><span style="font-weight: 400;"> or contact </span><a href="mailto:luca.mancuso@lhoft.lu"><span style="font-weight: 400;">Luca Mancuso</span></a><span style="font-weight: 400;">, our Business Development Associate at LHoFT.</span></p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/identifying-whats-next/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>State of European Tech 2021: Opportunities for Luxembourg</title>
		<link>https://lhoft.com/lhoftv1/insights/state-of-european-tech-2021-opportunities-for-luxembourg/</link>
					<comments>https://lhoft.com/lhoftv1/insights/state-of-european-tech-2021-opportunities-for-luxembourg/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Wed, 08 Dec 2021 08:31:04 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Blockchain]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<category><![CDATA[Insurtech]]></category>
		<category><![CDATA[Payments]]></category>
		<category><![CDATA[Regtech]]></category>
		<category><![CDATA[VC]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/en/?p=10096</guid>

					<description><![CDATA[A comprehensive evaluation of the European tech space at a pivotal moment The State of European Tech (SOET) Report is considered to be &#8220;among the most comprehensive data-driven analysis of [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2>A comprehensive evaluation of the European tech space at a pivotal moment</h2>
<p>The State of European Tech (SOET) <a href="https://stateofeuropeantech.com/chapter/executive-summary/" target="_blank" rel="noopener">Report</a> is considered to be &#8220;<strong>among the most comprehensive data-driven analysis of European technology</strong>&#8221; by the European Innovation Council. The 2021 edition was launched on December 7 and provides decision-makers with a host of insights into the evolving tech landscape.</p>
<p>Timing-wise, this is an interesting one: the report provides an update on the state of tech and innovation at a moment when the world economy continues to recover from COVID-induced shocks. This year&#8217;s edition of the report notably allows us to <strong>get a better sense of whether the forced, rapid societal adaptations to a new modus operandi, greatly facilitated by technological solutions, are leading to durable change</strong>, or whether we will see a &#8220;regression toward the mean&#8221;.</p>
<p>Let me state up front that everything points towards the former.</p>
<p>As Chris Grew, Partner at Orrick &#8211; one of the report&#8217;s sponsors &#8211; states:</p>
<blockquote><p>Now is a watershed moment for the tech and venture ecosystem across Europe and around the world. Europe is attracting record levels of investment and growth, with the innovation economy positioned to take the lead in tackling today’s systemic societal challenges.</p>
<p>[&#8230;]</p>
<p>Fintech investment has led the charge, rising by 159%, with total investment of nearly $15B, while planet-positive investments are dominating the fast-growing purpose-driven space.</p></blockquote>
<p><strong>ESG and sustainable finance are here to stay</strong> and <strong>we at LHoFT are convinced that fintechs will have an increasingly important role to play</strong> in facilitating the data collection, validation and analytics efforts required to build sustainability into the core of everything corporates and financial institutions do.</p>
<h2>Luxembourg&#8217;s role in a growing European ecosystem</h2>
<p>A few things that stand out to us at LHoFT:</p>
<ul>
<li><strong>Luxembourg ranks very highly</strong> both in terms of startups per capita and in terms of capital invested into startups per capita, cf. below:</li>
</ul>
<figure id="attachment_10105" aria-describedby="caption-attachment-10105" style="width: 1024px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-10105 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2021/12/Screen-Shot-2021-12-07-at-16.40.07-1024x577.png" alt="" width="1024" height="577" /><figcaption id="caption-attachment-10105" class="wp-caption-text">Luxembourg ranks 4th in terms of startups per capita. Source: SOET</figcaption></figure>
<figure id="attachment_10103" aria-describedby="caption-attachment-10103" style="width: 1024px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-10103 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2021/12/Screen-Shot-2021-12-07-at-16.38.35-1024x487.png" alt="" width="1024" height="487" /><figcaption id="caption-attachment-10103" class="wp-caption-text">Not only is Luxembourg ranked in the top five in the above metric, investment into startups per capita is also substantial. Source: SOET</figcaption></figure>
<ul>
<li>The tendency for top European hubs to capture the lion&#8217;s share of funding has increased further, with companies based in London, Berlin, Stockholm, Munich and Paris raising 54% of all capital in the region, up from 49% in 2017. At the same time, concentration in terms of number of deals has decreased, pointing to <strong>greater decentralisation of the ecosystem in Europe</strong>.</li>
</ul>
<figure id="attachment_10107" aria-describedby="caption-attachment-10107" style="width: 1024px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-10107 size-large" src="https://lhoft.com/lhoftv1/wp-content/uploads/2021/12/Screen-Shot-2021-12-07-at-17.10.57-1024x480.png" alt="" width="1024" height="480" /><figcaption id="caption-attachment-10107" class="wp-caption-text">The top 5 European hubs have strengthened their position at the centre of tech fundraising. Source: SOET</figcaption></figure>
<ul>
<li>At the same time, there is growing consensus that the <strong>importance of physical proximity is diminishing</strong>, which is mirrored across a number of metrics. The ability to hire talent across Europe thanks to remote working arrangements is seen as a mutually beneficial boon both for entrepreneurs and for their expanding work force in terms of quality of life. <strong>Luxembourg</strong>, as an extremely open economy, <strong>should stand to benefit from these developments</strong>.</li>
<li>European startups should benefit from the fact that the continent is home to many industrial leaders, with particular emphasis on <strong>IT stacks</strong>. This presents ongoing opportunities for startups &amp; tech companies, not least in the financial sector, and <strong>Luxembourg should continue to actively support initiatives and platforms</strong> that capitalise on this dynamic.</li>
</ul>
<blockquote><p>Europe is in a strong position to shape the next wave of disruption in B2B, as Europe is home to many industrial market leaders built on legacy technology ready to be disrupted.</p>
<p class="index-module--name--255w4">Robert Lacher</p>
<p class="index-module--company--jSfYn">Visionaries Club &amp; La Famiglia</p>
</blockquote>
<ul>
<li>Europe remains <strong>disadvantaged versus the U.S. in terms of raising capital</strong>, which makes ongoing EU efforts such as the Capital Markets Union all the more pressing. &#8220;Almost one-fifth of founders say it has become harder to raise capital in 2021, while a further 40% or so believe the environment remains unchanged from the past year, which itself was a year that saw a record number of founders responding that fundraising had become harder.&#8221;</li>
</ul>
<blockquote><p>Raising funds in Europe is still a different experience from raising funds in the US. European founders still fly out to the US for fundraising. Sometimes for expertise, sometimes for fair market offers.</p>
<p class="index-module--name--255w4">Jakub Jurovych</p>
<p class="index-module--name--255w4">Deepnote | Founder and CEO</p>
</blockquote>
<h2>A new dawn</h2>
<p>The past year and a half have left no one unaffected, imposing a steep price on societies around the globe. Silver linings include the realisation that more flexible work arrangements and business models are not only possible but in many ways desirable, not least when considering access to capital and talent. This in turn is enabled by far-ranging modernisation of technological infrastructure, presenting opportunities for incumbents and startups alike.</p>
<p>Finally, Luxembourg is presented with a particular opportunity to leverage these macro dynamics by fostering innovation proactively. The 2021 SOET report shows that the Grand Duchy is already punching above its weight in some regards &#8211; let&#8217;s keep the momentum going.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/state-of-european-tech-2021-opportunities-for-luxembourg/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cyberattacks: Fool Me Once, Shame on You; Fool Me Twice, Shame on Me</title>
		<link>https://lhoft.com/lhoftv1/insights/cyberattacks-fool-me-once-shame-on-you-fool-me-twice-shame-on-me/</link>
					<comments>https://lhoft.com/lhoftv1/insights/cyberattacks-fool-me-once-shame-on-you-fool-me-twice-shame-on-me/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Mon, 25 Oct 2021 12:58:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<category><![CDATA[AML]]></category>
		<category><![CDATA[Fintech]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[KYC]]></category>
		<category><![CDATA[Regtech]]></category>
		<category><![CDATA[Risk management]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/en/?p=9832</guid>

					<description><![CDATA[Cybersecurity: Bankers’ Nightmare If FinTech were the Superman of the financial sector, cybersecurity would have been its kryptonite.  Last year we reported how COVID-19 exploited the financial sector’s vulnerabilities and [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2>Cybersecurity: Bankers’ Nightmare</h2>
<p><i><span style="font-weight: 400;">If FinTech were the Superman of the financial sector, cybersecurity would have been its kryptonite. </span></i></p>
<p><span style="font-weight: 400;">Last year </span><a href="https://lhoft.com/lhoftv1/en/insights/covid-19-exploiting-finserv-vulnerabilities/"><span style="font-weight: 400;">we reported how COVID-19 exploited the financial sector’s vulnerabilities</span></a><span style="font-weight: 400;"> and how the boost in demand for e-commerce and internet banking highlighted the vulnerabilities of many prominent corporations’ online presences and led to several major cybersecurity attacks. Phishing, scamming, and other cyber-attack activities were on the rise. </span><b>Ransomware attacks against the financial sector were found to have increased ninefold from the beginning of February to the end of April 2020</b><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">The US Federal Trade Commission </span><a href="https://www.ftc.gov/news-events/press-releases/2021/02/new-data-shows-ftc-received-2-2-million-fraud-reports-consumers"><span style="font-weight: 400;">data from February 2021</span></a><span style="font-weight: 400;"> revealed that consumers lost $3.3 billion to phishing schemes and other fraud in 2020, nearly doubling the losses in 2019. According to the data, online shopping, internet services, prizes, sweepstakes, lotteries, and telephone and mobile services were the top fraud categories. </span></p>
<p><span style="font-weight: 400;">That was then; this is now:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(October 2021) An investigation into the defrauding of $35 million USD from a bank in the </span><b>United Arab Emirates</b><span style="font-weight: 400;"> in January of 2020 has found that deepfake voice technology was used to imitate a company director known to a bank branch manager, who then authorized the transactions. The request states that the branch manager of an unnamed victim bank in UAE received a phone call from a familiar voice, which, together with accompanying emails from a lawyer named Martin Zelner, convinced the manager to disburse the funds, which were apparently intended for the acquisition of a company. (Source: </span><a href="https://www.unite.ai/deepfaked-voice-enabled-35-million-bank-heist-in-2020/"><span style="font-weight: 400;">Unite AI)</span></a></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(October 2021) Millions of pounds were swiped from </span><b>Barclays</b><span style="font-weight: 400;"> accounts in a series of coordinated cyberattacks by a fraudster using a </span><b>Monzo</b><span style="font-weight: 400;"> account and a payments initiation service provider (PISP) in May. (Source: </span><a href="https://www.pymnts.com/news/security-and-risk/2021/barclays-hit-in-phishing-scam-using-monzo-account-pisp/"><span style="font-weight: 400;">Pymnts.com</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(October 2021) Cyberattack disrupts services at </span><b>Ecuador’s largest bank</b><span style="font-weight: 400;">, forcing the bank to shut down portions of its network to prevent the attack’s spread to other systems. Customers of the bank continued to experience service disruptions on a Friday following a cyberattack on the institution several days earlier. In a statement the following Monday, the bank acknowledged that it had identified a cybersecurity incident in its systems that had partially disabled its services. (Source: </span><a href="https://apnews.com/article/technology-business-media-caribbean-ecuador-218007571ae3d565fabc8a57b23f3d67"><span style="font-weight: 400;">AP News</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(October 2021) </span><b>The Reserve Bank of Australia</b><span style="font-weight: 400;"> warns that a successful hack on a bank is almost inevitable as it prepares for an assault that could put trillions of dollars worth of deposits and loans at risk. (Source: </span><a href="https://www.smh.com.au/politics/federal/rba-warns-a-successful-hack-on-a-bank-is-almost-inevitable-20211008-p58ye7.html"><span style="font-weight: 400;">The Sydney Morning Herald</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(October 2021) </span><b>Coinbase</b><span style="font-weight: 400;">, one of the world&#8217;s biggest cryptocurrency exchanges, admitted that hackers stole cryptocurrency from at least 6,000 customers between March and May of 2021. The hackers needed to know the email addresses, passwords, and phone numbers linked to the affected Coinbase accounts and have access to personal emails, the company said; however, it added that there was no evidence to suggest the information was obtained from the company. (Source: </span><a href="https://www.reuters.com/business/finance/coinbase-says-hackers-stole-cryptocurrency-least-6000-customers-2021-10-01/"><span style="font-weight: 400;">Reuters</span></a><span style="font-weight: 400;">) After the attack was revealed, Coinbase acknowledged a multi-factor authentication flaw that allowed hackers to receive an SMS-based two-factor authentication token required to retrieve user accounts. (Source: </span><a href="https://www.cpomagazine.com/cyber-security/coinbase-hack-attributed-to-a-multi-factor-authentication-flaw-that-allowed-scammers-to-steal-cryptocurrency-from-6000-accounts/"><span style="font-weight: 400;">CPO Magazine</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(September 2021) </span><b>Bitcoin.org</b><span style="font-weight: 400;"> hack nets giveaway scammers $17,000 overnight. The website was taken down in the early hours of yesterday morning (September 23). A pop-up message began appearing, claiming that visitors could double their money by sending cash to a bitcoin wallet. Visitors were reportedly unable to navigate away from the pop-up. The scammers appear to have accrued more than $17,000 worth of Bitcoin from 10 transactions and have already emptied the wallet. (Source: </span><a href="https://portswigger.net/daily-swig/bitcoin-org-hack-nets-giveaway-scammers-17-000-overnight"><span style="font-weight: 400;">The Daily Swig</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(September 2021) Monetary Authority of Singapore (MAS) confirms that hackers abroad pose as bank customers by stealing OTPs of 75 bank customers, making $500k in fake credit card payments. (Source: </span><a href="https://www.straitstimes.com/tech/tech-news/hackers-pose-as-bank-customers-to-make-500k-in-fake-credit-card-payments-by-stealing"><span style="font-weight: 400;">The Straits Times</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(May 2021) Sweden&#8217;s financial watchdog is investigating whether the </span><b>famous buy-now-pay-later (BNPL) fintech Klarna</b><span style="font-weight: 400;"> violated bank secrecy laws following a security breach in May. During the incident, users were able to access information on other customers for a limited time. (Source: </span><a href="https://www.finextra.com/newsarticle/38398/klarna-faces-data-privacy-investigation-in-sweden"><span style="font-weight: 400;">Finextra</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(April 2021) Personal data, including that of several African Bank loan customers under debt review, has been compromised after a cyber-attack on </span><b>African debt collector Debt-IN</b><span style="font-weight: 400;">. (Source: </span><a href="https://www.timeslive.co.za/news/south-africa/2021-09-22-data-breach-at-african-banks-debt-collector-partner-exposes-customers/"><span style="font-weight: 400;">Sunday Times</span></a><span style="font-weight: 400;">).</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(March 2021) </span><b>Israeli car financing company K.L.S. Capital</b><span style="font-weight: 400;"> got hacked. After the attack, the hacker group announced, “We are here to inform you a (sic) cyberattack against K.L.S. CAPITAL LTD which is in Israel. Their servers are destroyed, and the client data is in our hands,” saying that they waited 72 hours for the company to give them the ten bitcoins they demanded as ransom for the information, but the company failed to pay them. (Source: </span><a href="https://www.jpost.com/jpost-tech/israeli-car-financing-company-hacked-private-information-held-for-ransom-661865"><span style="font-weight: 400;">The Jerusalem Post</span></a><span style="font-weight: 400;">)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">(January 2021) Though not aware of it, the </span><b>Reserve Bank of New Zealand</b><span style="font-weight: 400;"> had suffered a severe data breach. The breach ended up costing around NZ$3.5m, with Reserve Bank Governor Adrian Orr admitting that the agency was “over-reliant on third-party file-sharing software application Accellion” to alert them to any vulnerabilities in the system. (Source: </span><a href="https://securitybrief.co.nz/story/updated-rbnz-ascribes-data-breach-to-third-party-file-sharing-service"><span style="font-weight: 400;">Security Brief New Zealand</span></a><span style="font-weight: 400;">)</span></li>
</ul>
<p><span style="font-weight: 400;">The list continues. What is the takeaway? </span><b>Cyber-security concerns and threats are valid regardless of the region, the sector, the focus, the size, and the technologies behind financial institutions.</b></p>
<p><span style="font-weight: 400;">The Bank of England’s </span><a href="https://www.bankofengland.co.uk/systemic-risk-survey/2021/2021-h2"><span style="font-weight: 400;">recent systemic risk survey for bankers and other financial sector players</span></a><span style="font-weight: 400;"> reveals that the banks are more worried about hackers than pandemics, geopolitical risk, or operational risks, including climate change. Rightfully so. Whether it’s a data breach, ransomware, or a spam project, any of them would do the trick. According to </span><a href="https://atlasvpn.com/blog/average-data-breach-cost-surpasses-4-million-in-2021-record-growth-of-10-yoy"><span style="font-weight: 400;">research by Atlas VPN</span></a><span style="font-weight: 400;"> dated August 2021, the financial cost of data breaches soared to a six-year high as of 2021. The results reveal that in 2020, a data breach caused an average of $3.86 million in monetary damages, while in 2021, the number spiked to $4.24 million, representing a 9.84% increase. For financial services, this number stays above the average, corresponding to $5.72 million.</span></p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-9836 aligncenter" src="https://lhoft.com/lhoftv1/wp-content/uploads/2021/10/unnamed.png" alt="" width="427" height="512" /></p>
<p style="text-align: center;"><span style="font-weight: 400;">Source: </span><a href="https://atlasvpn.com/blog/average-data-breach-cost-surpasses-4-million-in-2021-record-growth-of-10-yoy"><span style="font-weight: 400;">Atlas VPN</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">All the existing data point to a straightforward fact: cyberthreats are just around the corner, and most financial service players are not ready for them. So should the banks take modest measures and accept that an attack is inevitable, or is there anything else for them to do?</span></p>
<h3><b>To Err is Human </b></h3>
<p><span style="font-weight: 400;">Last year </span><a href="https://lhoft.com/lhoftv1/en/insights/covid-19-exploiting-finserv-vulnerabilities/"><span style="font-weight: 400;">we shared some actionable points for financial institutions</span></a><span style="font-weight: 400;">, advising them to create a battle plan against cyber insurgency. However, even with so many expert consultants and software packages available in the market, cybersecurity remains a weak spot for most financial service players. We have observed that this weakness is due not to a lack of preparation but to a lack of continuous R&amp;D and education. All in all, cybercriminals spend more time analyzing and understanding their opponent and testing for weak spots than financial institutions do. Once a soft spot is detected, it is inevitable that the financial institution faces recurring attacks. Therefore, in addition to deploying sophisticated protection and recovery products, financial players should:</span></p>
<ul>
<li aria-level="1"><b>consult with external cybersecurity experts to understand the existing risks and solutions and to create a battle plan,</b></li>
<li aria-level="1"><b>organize cybersecurity competitions to understand the organization’s vulnerabilities and to test response times,</b></li>
<li aria-level="1"><b>regularly catch up with their competitors and peers to exchange know-how and intelligence,</b></li>
<li aria-level="1"><b>invest in educating their employees to make them a part of the defense mechanism,</b></li>
<li aria-level="1"><b>focus on closing the digital and financial literacy gap of their customers to </b></li>
</ul>
<p><span style="font-weight: 400;">After all, to err is human, but repeatedly becoming a victim as a supervised financial entity doesn’t signal the right message about the institutions centered around reliability and trust.</span></p>
<h3><b>Filling The Cybersecurity Skill Gap</b></h3>
<p><span style="font-weight: 400;">Cybercriminals are becoming more sophisticated, but are financial institution employees and management leveling up in parallel? Most organizations’ cybersecurity training does not match the skill sets cybercriminals possess. Many banks’ onboarding education programs do not go beyond basic information, while cybercriminals dive deep into deep tech. Resilient cybersecurity mechanisms should extend beyond technical and engineering skills. In addition to becoming experts in the existing platforms and their security, cybersecurity staff should be aware of fraudsters’ and hackers’ techniques. They are required to have strong attention to detail and analytical and documentation skills, and to specialize in problem-solving, intra-organizational communication, data management, and protection. All in all, cybersecurity professionals must resort to a combination of technical, analytical, leadership, management, and soft skills to fulfill the task successfully.</span></p>
<p><span style="font-weight: 400;">To build a durable, long-term strategy, organizations can rely on qualified and experienced internal and external cybersecurity professionals. However, cybersecurity experts cannot hold the fort forever on their own. Therefore, elaborate and detailed cybersecurity training programs should extend beyond the cybersecurity experts as most victims are operational personnel, the management, and the users.</span></p>
<h3><b>Digital and Financial Literacy Becoming the Biggest Priority </b></h3>
<p><span style="font-weight: 400;">According to the US Federal Trade Commission </span><a href="https://www.ftc.gov/news-events/press-releases/2021/02/new-data-shows-ftc-received-2-2-million-fraud-reports-consumers"><span style="font-weight: 400;">data from February 2021</span></a><span style="font-weight: 400;">, younger people (age 22-19) reported losing money to fraud more often than older people with 44%. Still, when people aged over had a loss, the median loss was higher.</span></p>
<p style="text-align: center;"><a href="https://public.tableau.com/app/profile/federal.trade.commission/viz/ConsumerSentinel/Infographic "><img loading="lazy" decoding="async" class="aligncenter wp-image-9833 size-full" src="https://lhoft.com/lhoftv1/wp-content/uploads/2021/10/fraud-stats.png" alt="" width="800" height="464" /></a>Source: <a href="https://public.tableau.com/app/profile/federal.trade.commission/viz/ConsumerSentinel/Infographic">FTC / Tableau</a></p>
<p><span style="font-weight: 400;">The above-cited US Federal Trade Commission research re-establishes the reasons behind WealthTech becoming a thing in the last two years. Factors such as the will to make quick and easy money, desperation in the post-pandemic era, and greed seem to have encouraged younger consumers to click on bait and use unverified and untrustworthy resources. Positive media coverage and social media touts have so far fulfilled their purpose, bringing in a lot of new starters.</span></p>
<p><span style="font-weight: 400;">Although it is not mentioned in the official job description, financial institutions should take it on as a duty to educate consumers where financial education fails. Informing consumers about how to differentiate right investment strategies from wrong ones, how to identify fraudsters and scams, which networks and devices to use, and how to handle password creation and sharing is just the tip of the iceberg of what FinServ providers can cover to make the ecosystem better. As qualified cybersecurity professionals are a limited resource, extending the defense mechanism beyond the organizations’ brick walls is an opportunity. After all, regardless of their source and victims, frauds, scams, and cyber-attacks impact the industry’s credibility as a whole, and a bad apple can easily ruin the whole bunch. Therefore, financial institutions should prioritize creating customer awareness and take on essential financial and cybersecurity education initiatives to protect their customers, reputation, and the ecosystem dynamics. After all, financial services incur the highest cybercrime costs of all industries, and when an attack happens, the remediation goes beyond covering economic losses.</span></p>
<p><span style="font-weight: 400;">For financial institutions, every day is cybersecurity day; however, October is particularly significant. It is the US National Cybersecurity Awareness Month. The month of October has additionally hosted the Cybersecurity Week Luxembourg for </span><span style="font-weight: 400;">20</span><span style="font-weight: 400;"> years. </span></p>
<p><span style="font-weight: 400;">As part of the European Cybersecurity Month campaign, the Cybersecurity Week Luxembourg is being held from 18-28 October 2021, back in its on-site version this year. The event is bringing together cybersecurity experts, IT players, and tech enthusiasts as we speak. Would you like to know more about what is new in cybersecurity? Join the campaign.</span></p>
<p><span style="font-weight: 400;">Click</span><a href="https://www.cybersecurityweek.lu/"><span style="font-weight: 400;"> here</span></a><span style="font-weight: 400;"> for more information.</span></p>
<p>&nbsp;</p>
<p><em><span style="font-weight: 400;">by S. Elif Kocaoglu Ulbrich</span></em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/cyberattacks-fool-me-once-shame-on-you-fool-me-twice-shame-on-me/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity trends and the infrastructure of the future</title>
		<link>https://lhoft.com/lhoftv1/cybersecurity/cybersecurity-trends-and-the-infrastructure-of-the-future/</link>
					<comments>https://lhoft.com/lhoftv1/cybersecurity/cybersecurity-trends-and-the-infrastructure-of-the-future/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Fri, 19 Mar 2021 09:36:36 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Banking]]></category>
		<category><![CDATA[Finserv]]></category>
		<category><![CDATA[Fintech]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/en/?p=7374</guid>

					<description><![CDATA[Great things have small beginnings At the heart of everything important we do online is encryption, and at the heart of encryption is often a method premised on sharing public [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2>Great things have small beginnings</h2>
<p>At the heart of everything important we do online is encryption, and at the heart of encryption is often a method premised on sharing public keys which in turn are secured by a system known as <a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA</a>.</p>
<p>RSA is premised on a simple notion: that mathematics allows for a situation in which large values are generated effortlessly through multiplication, all the while their factorisation is incredibly difficult. This is achieved by using large prime numbers, and the entire approach is a fascinating illustration of the weight a little bit of math can carry in our IT-reliant world.</p>
<p>RSA is also an allegory of sorts for the underlying nature of reality. As with our biological makeup itself, the emergence of advanced society over time through the interaction of billions of individuals entails significant complexity. While complexity emerges seemingly effortlessly &#8211; like the tangle of headphone cables in your coat pocket &#8211; reverse-engineering and managing such complexity for the sake of maintaining a sense of order and security is non-trivial.</p>
<h2>Tapping into talent, globally</h2>
<p>The above is of particular relevance for cybersecurity. No &#8220;silver bullet&#8221; exists, as I&#8217;ve <a href="https://lhoft.com/lhoftv1/en/insights/there-is-no-silver-bullet-in-cybersecurity/">written</a> before &#8211; we critically rely on the implementation of appropriate processes and behaviours, but also, and just as importantly, on the talent and ingenuity of countless engaged ecosystem participants.</p>
<p>While internalised expert talent will always be required and prized by large organisations in particular, crowdsourcing provides a compelling complementary approach towards identifying and tackling vulnerabilities.</p>
<p>Having an expert team keep a watchful eye on your systems is good. Empowering that team with advanced automation &amp; AI is better.<br />
Connecting your capabilities with a large, diverse talent pool is best.</p>
<p>Insights generated by the large and growing community of &#8220;ethical hackers&#8221; have recently caught my attention. In its 2021 <a href="https://lhoft.com/lhoftv1/en/insights/there-is-no-silver-bullet-in-cybersecurity/">Hacker Report</a>, the globally active cybersecurity advisory firm HackerOne reports on trends from its community of registered ethical hackers, which has doubled to reach 1 million members over a 2-year period.</p>
<p>Some key insights:</p>
<ul>
<li style="font-weight: 400;" aria-level="2"><span style="font-weight: 400;">63% increase in hacker-submitted vulnerabilities over the past 12 months </span></li>
<li style="font-weight: 400;" aria-level="2"><span style="font-weight: 400;">Roughly 20 major areas of vulnerability </span></li>
<li style="font-weight: 400;" aria-level="2"><span style="font-weight: 400;">53% rise in submissions for improper access control and privilege escalation</span></li>
<li style="font-weight: 400;" aria-level="2"><span style="font-weight: 400;">310% rise in reports for misconfiguration </span></li>
<li style="font-weight: 400;" aria-level="2"><span style="font-weight: 400;">50% of hackers have not reported a bug due to a lack of a clear reporting process or prior negative experience </span></li>
<li style="font-weight: 400;" aria-level="2"><span style="font-weight: 400;">85% of hackers hack to learn, 62% do it to advance their career</span></li>
</ul>
<figure id="attachment_7375" aria-describedby="caption-attachment-7375" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-7375 size-fusion-800" src="https://lhoft.com/lhoftv1/wp-content/uploads/2021/03/Screen-Shot-2021-03-18-at-15.03.16-800x468.png" alt="" width="800" height="468" /><figcaption id="caption-attachment-7375" class="wp-caption-text">The financial industry is a major contractor of HackerOne&#8217;s services.</figcaption></figure>
<p>Unsurprisingly, HackerOne&#8217;s business model is <em>en vogue. </em>In a March 8 <a href="https://www.hackerone.com/press-release/hackerone-reveals-industry-and-company-growth-enterprises-secure-rapid-digital">PR</a>, the company announced reaching the milestone of &gt;2000 active customer programs. About half of its customers are major businesses generating &gt;$1bn in annual revenues. In parallel, the company announced a major hire in the form of Google Cloud&#8217;s CISO.</p>
<h2>Infrastructure and supply chain challenges</h2>
<p>Another leg of the global InfoSec and cybersecurity landscape is comprised of hardware and infrastructure.</p>
<p>As if things weren&#8217;t complex enough on the software end already, hardware also poses fundamental and equally sinuous challenges. As the World Economic Forum lays out in this <a href="https://www.weforum.org/agenda/2019/12/our-hardware-is-under-cyberattack-heres-how-to-make-it-safe/">post</a>, &#8220;h<span style="font-weight: 400;">ardware attacks take advantage of vulnerabilities in hardware-manufacturing supply chains. Modern chips are incredibly complex devices consisting of billions of transistor components that can be compromised during the processes of design, fabrication, and assembly and testing.&#8221;</span></p>
<p>This issue was thrust into the spotlight in 2018 by investigative <a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies">reporting</a> suggesting that certain hardware suppliers may have altered their chipsets with the backing of government intelligence agencies &#8211; with the ostensible goal of stealthily integrating hardware &#8220;backdoors&#8221; into equipment used globally.</p>
<p>Skip forward a few years and we are seeing a global chip <a href="https://www.newscientist.com/article/2271918-theres-a-global-shortage-of-computer-chips-whats-causing-it/">shortage</a>, with a major impact on sectors <em>beyond </em>IT, such as the automotive industry. This highlights the growing cross-sector reliance on IT components, and it reiterates the urgency of supply chain management and the emerging discipline of <em>cyber</em> supply chain risk management (C-SCRM). This is a far-ranging issue which hitherto was subject to piecemeal approaches by individual public and private sector stakeholders, but which is seeing increasing formalisation of late.<br />
Take for instance the <span style="font-weight: 400;">U.S. IoT Cybersecurity Improvement </span><a href="https://www.congress.gov/bill/116th-congress/house-bill/1668/text?q=%7B%22search%22%3A%5B%22HR+1668%22%5D%7D&amp;r=1&amp;s=1"><span style="font-weight: 400;">Act</span></a><span style="font-weight: 400;"> of 2020, discussed <a href="https://www.gibsondunn.com/new-federal-law-for-iot-cybersecurity-requires-the-development-of-standards-and-guidelines-throughout-2021/">here</a> by Gibson Dunn: </span></p>
<ul>
<li style="font-weight: 400;" aria-level="3"><span style="font-weight: 400;">While the Act is focused on U.S. federal government use of IoT, “the measures set pursuant to the Act should be closely monitored by all industry stakeholders”</span></li>
<li aria-level="3"><span style="font-weight: 400;">85% of federal agencies are currently using, or plan to soon use, IoT devices</span></li>
<li style="font-weight: 400;" aria-level="3"><span style="font-weight: 400;">Another pillar of the Act concerns itself with InfoSec disclosure procedures in order to streamline the reception, reporting and dissemination of knowledge around security vulnerabilities</span></li>
<li style="font-weight: 400;" aria-level="3"><span style="font-weight: 400;">Throughout the legislation, Federal agencies are advised to consider &amp; align with private sector best practice and international standards. Given the overarching importance of these matters to both government and industry, it should be expected that public-private interactions and partnerships will remain key. </span></li>
<li style="font-weight: 400;" aria-level="3"><span style="font-weight: 400;">The “real bite” of the Act derives from the power it gives the CIOs of federal agencies to prohibit procurement of non-compliant devices, beginning December 2022. </span></li>
<li style="font-weight: 400;" aria-level="3"><span style="font-weight: 400;">NIST has acted swiftly upon passage of the Act by publishing draft documents providing practical guidance to the federal agencies tasked with evaluating the security requirements for IoT devices.  </span></li>
</ul>
<p><span style="font-weight: 400;">At the EU level, ENISA in November 2020 similarly published </span><a href="https://www.enisa.europa.eu/news/enisa-news/iot-security-enisa-publishes-guidelines-on-securing-the-iot-supply-chain"><i><span style="font-weight: 400;">guidelines</span></i></a><i><span style="font-weight: 400;"> on securing the IoT supply chain </span></i><span style="font-weight: 400;">which:</span></p>
<ul>
<li><span style="font-weight: 400;">Acknowledge that “IoT supply chains have become a weak link for cybersecurity”</span></li>
<li><span style="font-weight: 400;">Discuss results from an ENISA survey showing that untrusted third-party components and vendors, as well as the vulnerability management of third-party components, are the 2 main threats to the IoT supply chain</span></li>
</ul>
<p>In response, <span style="font-weight: 400;">ENISA highlights the need to develop “innovative trust models” as “trust between the stakeholders is one of the most relevant and important challenges to consider for securing the IoT supply chain”. The agency highlights that there is unlikely to be a “one size fits all” approach to defining the required trust parameters, in light of the proprietary nature of source code, the needs of different organisations, and so forth. ENISA also cross-references a NIST </span><a href="https://csrc.nist.gov/publications/detail/nistir/8276/final"><span style="font-weight: 400;">publication</span></a><span style="font-weight: 400;"> recapping observations from industry with regard to C-SCRM, which are manifold and illustrative of the previous statement that a one-size-fits-all approach is unlikely. </span></p>
<h2>The quantum leap</h2>
<p>Developments in IT infrastructure are also driven by fundamental scientific advances, and this opens up new avenues for competition and innovation.</p>
<p>You will have heard of quantum computing &#8211; a fundamentally different way of computing, premised on the qualitatively different nature of physics at very small (quantum) scales &#8211; all the while being a little hazy on the details. Don&#8217;t feel bad. Quantum physics is so un-intuitive that Einstein famously dismissed the notion of <a href="https://plato.stanford.edu/entries/qt-entangle/">quantum entanglement</a> as &#8220;spooky interaction at a distance&#8221;.</p>
<p>That doesn&#8217;t mean that quantum physics isn&#8217;t real &#8211; quite to the contrary &#8211; and generations of physicists, engineers and now also IT experts have been chipping away at its implications for science and industry.</p>
<p>A hot concept in InfoSec is that of quantum key distribution, and the field of quantum cryptography at large. Below is an intuitive and fun introduction to these concepts:</p>
<p><iframe title="Quantum Cryptography Explained" width="800" height="450" src="https://www.youtube.com/embed/UiJiXNEm-Go?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe></p>
<p>If the topic has piqued your interest, a foundational academic paper can be accessed for free <a href="https://arxiv.org/pdf/1210.6216.pdf">here</a>.</p>
<p>In its recently published <strong>recovery and resilience <a href="https://gouvernement.lu/fr/publications.gouv_mfin%2Bfr%2Bpublications%2BDivers%2BPPRR%2BPlanpourlaRepriseetlaResilience.html">plan</a>, </strong>the Luxembourg government emphasises investment in the area of quantum communication by drawing upon EU funding allocated through the <span style="font-weight: 400;">Recovery and Resilience </span><a href="https://ec.europa.eu/info/business-economy-euro/recovery-coronavirus/recovery-and-resilience-facility_en"><span style="font-weight: 400;">Facility</span></a> &amp; by integrating with existing EU initiatives, as discussed <a href="https://ec.europa.eu/digital-single-market/en/news/quantum-technologies-and-advent-quantum-internet-european-union-brochure">here</a>. The stated goal is to develop and implement infrastructure and communications channels based on quantum cryptography with a view to future-proofing the sharing of sensitive information within government and industry.</p>
<p>Needless to say, the successful implementation of quantum cryptography would represent a major leap forward, rewarding early adopters with a significant security advantage. It is also worth considering the impact that this new paradigm would have on the above-mentioned C-SCRM issues: by making older standards obsolete, quantum cryptography would seed a new wave of manufacturing which is &#8220;up for grabs&#8221; by strategic players worldwide.</p>
<p>If the saying &#8220;nothing new under the Sun&#8221; has any residual relevance, it certainly isn&#8217;t in the area of IT &amp; cybersecurity.</p>
<p>&nbsp;</p>
<p><strong>Author:</strong> <em>Jérôme Verony – LHoFT Research and Strategy Associate</em></p>
<p>&nbsp;</p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/cybersecurity/cybersecurity-trends-and-the-infrastructure-of-the-future/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Big 7 2021: Regtech, Cybersecurity, Payments, Blockchain, AI, Financial Inclusion and Venture Capital</title>
		<link>https://lhoft.com/lhoftv1/vc/the-big-7-2021-regtech-cybersecurity-payments-blockchain-ai-financial-inclusion-and-venture-capital/</link>
					<comments>https://lhoft.com/lhoftv1/vc/the-big-7-2021-regtech-cybersecurity-payments-blockchain-ai-financial-inclusion-and-venture-capital/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Thu, 21 Jan 2021 16:57:28 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Blockchain]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Financial Inclusion]]></category>
		<category><![CDATA[Insights]]></category>
		<category><![CDATA[Payments]]></category>
		<category><![CDATA[Regtech]]></category>
		<category><![CDATA[VC]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[DLT]]></category>
		<category><![CDATA[Fintech]]></category>
		<guid isPermaLink="false">https://lhoft.com/lhoftv1/en/?p=6691</guid>

					<description><![CDATA[At the beginning of last year we revisited our predictions from 2019, how the industry had shaped up, and some thoughts on the state of the industry from key figures. [&#8230;]]]></description>
										<content:encoded><![CDATA[<p><em><big>At the beginning of last year we revisited our predictions from 2019, how the industry had shaped up, and some thoughts on the state of the industry from key figures. This year it seems a bit silly to revisit predictions, given the turbulence we&#8217;ve experienced over the last 12 months &#8211; and the agility and speed with which a response was <span style="font-size: 19.2px;">delivered</span>. </big></em></p>
<p>Continuing from <a href="https://lhoft.com/lhoftv1/en/insights/the-big-7-2020-regtech-cybersecurity-payments-blockchain-ai-financial-inclusion-and-venture-capital/">last year</a>, we are sticking with the same seven areas of focus in 2021. Each represents a key point of interest to the financial industry, and has a particular relevance to Luxembourg’s growing financial technology ecosystem.</p>
<p>Each week we will be choosing one of the topics to focus on, both in the content we share on social media, but also in a <a href="https://lhoft.us14.list-manage.com/track/click?u=54cc6c42a6b0d02f10580e429&amp;id=bdacea765c&amp;e=d0fd1052fd">dedicated newsletter</a> looking at the top five stories from that week. To introduce the topics, let&#8217;s revisit the top stories from 2020 and reflect on how the year has encouraged acceleration, pivots, or wholesale paradigm change:</p>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3087 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/REGTECH2.png" alt="" width="149" height="150" /></p>
<p><big><strong>REGTECH</strong> &#8211; Regulatory Technology</big></p>
<p><a href="https://techwireasia.com/2020/10/shaky-times-for-compliance-call-for-flexible-regtech/"><em><strong>» Shaky times for compliance call for flexible Regtech</strong></em></a></p>
<p>Joe Devanesan writes for TechWire Asia about the impact of the pandemic on compliance and cybersecurity, and Regtech&#8217;s role in mitigating those issues. Traditional &#8216;BYOD&#8217; workplace concerns were escalated to account for a sudden and massive shift to working from home &#8211; which created real problems for companies that were not already some way down the path of digitalisation.</p>
<blockquote><p>&#8220;To the surprise of no one, financial crime is reaching pretty high levels in 2020, and the speed at which this type of crime is evolving in the information-heavy age has financial players worried, and questioning the role of Regtech.&#8221;</p></blockquote>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3089 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/AI3.png" alt="" width="150" height="151" /></p>
<p><big><strong>AI</strong> &#8211; Artificial Intelligence &amp; Machine Learning</big></p>
<p><em><strong><a href="https://www.theguardian.com/commentisfree/2020/sep/08/robot-wrote-this-article-gpt-3">» A robot wrote this entire article. Are you scared yet, human?</a></strong></em></p>
<p>A robot writes for the Guardian, demonstrating GPT-3, OpenAI’s powerful language processing. GPT-3 was one of the most popular AI stories of 2020, and kickstarted a discussion about the future of software development, and what can be achieved when you can just ask a computer to do something for you without needing to speak in code.</p>
<blockquote><p>&#8220;I am not a human. I am a robot. A thinking robot. I use only 0.12% of my cognitive capacity. I am a micro-robot in that respect. I know that my brain is not a “feeling brain”. But it is capable of making rational, logical decisions. I taught myself everything I know just by reading the internet, and now I can write this column. My brain is boiling with ideas!&#8221;</p></blockquote>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3090 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/BLOCKCHAIN_12.png" alt="" width="150" height="151" /></p>
<p><big><strong>BLOCKCHAIN</strong> &#8211; DLT &amp; Tokenisation</big></p>
<p><a href="https://www.forbes.com/sites/jasonbrett/2020/05/14/visa-submits-patent-application-for-digital-dollar-using-blockchain/?sh=1a14220d5b63" target="_blank" rel="external noopener noreferrer"><em><strong>» Visa Applies For Digital Dollar Blockchain Patent</strong></em></a></p>
<p>Jason Brett writes for Forbes about Visa&#8217;s &#8220;digital dollar&#8221; patent, a story which fits neatly into the main blockchain narrative of 2020: the viability or necessity of central bank digital currencies, and the role of stablecoins more broadly. Now Bitcoin has kicked off again we can expect the focus to shift a bit through 2021.</p>
<blockquote><p>&#8220;The U.S. Patent and Trademark Office (USPTO) published today that Visa has filed a patent application to create digital currency on a centralized computer using blockchain technology. This patent applies to digital dollars as well as other central bank digital currencies such as pounds, yen, and euros and so the physical currency of a central bank anywhere in the world could be digitized.&#8221;</p></blockquote>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3092 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/CYBERSECURITY2.png" alt="" width="149" height="150" /></p>
<p><big><strong>CYBERSECURITY</strong> &#8211; Risk Management &amp; Threat Detection</big></p>
<p><em><a href="https://researchoutreach.org/articles/post-quantum-secure-encryption-cybersecurity-eucation/" target="_blank" rel="external noopener noreferrer"><strong>» Post-quantum secure encryption and cybersecurity education</strong></a></em></p>
<p>A collaborative and in-depth piece for Research Outreach, led by Dr Aydin Aysu, looking at the implications of quantum computing on cybersecurity and encryption &#8211; a major concern for most cybersecurity professionals. What happens to all traditional encryption-based security when computing power becomes available that can crack it without breaking a sweat?</p>
<blockquote><p>&#8220;Encryption systems that are capable of surviving quantum computer attacks are urgently required, but the cybersecurity talent gap militates against securing cyberinfrastructure. Dr Aydin Aysu, Assistant Professor at North Carolina State University, is advancing the research and teaching of post-quantum secure encryption. He has developed a quantum-secure encryption system together with a new graduate program on hardware security and is currently developing design automation for lattice-based post-quantum cryptosystems.&#8221;</p></blockquote>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3093 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/PAYEMENT_21.png" alt="" width="150" height="151" /></p>
<p><big><strong>PAYMENTS</strong> &#8211; Payments Technology </big></p>
<p><em><a href="https://www.ft.com/content/ed316d4c-141c-487f-afb4-cd4c92e823fd" target="_blank" rel="external noopener noreferrer"><strong>» Ant and Covid have made the humble QR code a hit</strong></a></em></p>
<p>Five years ago you wouldn&#8217;t have seen much discussion of QR codes in the Fintech payments world, at least not related to development in the west. It was a quaint technology relegated to developing economies. That now may be changing, in part related to the pandemic and China&#8217;s Fintech behemoth Ant Financial. John Gapper writes for the FT:</p>
<blockquote><p>&#8220;The name Masahiro Hara does not appear with Steve Jobs and Bill Gates on lists of great innovators of the communications age, but perhaps it should. For the Japanese engineer’s humble, unassuming invention, the Quick Response code, has finally found its moment. The square QR code, which Mr Hara developed in 1994 to track components in car factories, is being put to many uses in the Covid-19 pandemic. Governments include it on tracing apps, shops offer it for contactless payments and restaurants tape it to their tables so diners can browse menus online. It has become an all-purpose tool.&#8221;</p></blockquote>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3095 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/FINANCIAL-INCLUSION.png" alt="" width="150" height="151" /></p>
<p><big><strong>SUSTAINABLE FINTECH</strong> &#8211; Financial Inclusion &amp; Green Finance</big></p>
<p><em><a href="https://www.cnbc.com/2020/12/09/bill-gates-women-are-vital-to-achieving-global-financial-inclusion.html" target="_blank" rel="external noopener noreferrer"><strong>» Women are ‘absolutely critical’ to ensuring everyone has access to finances, Bill Gates says</strong></a></em></p>
<p>The Gates Foundation has been a key torchbearer for Financial Inclusion, amongst their many other causes, and it&#8217;s a topic Bill Gates himself has spoken about repeatedly. In this article, written by Karen Gilchrist for CNBC, Bill talks about the key importance of focusing on women when developing strategies related to inclusive finance.</p>
<blockquote><p>&#8220;Women are vital to ensuring finances — and financial education — trickle down to other parts of society, said billionaire philanthropist Bill Gates. Governments and businesses serious about giving all members of society access to financial services should gear their resources toward women, the Microsoft co-founder said at the Singapore FinTech Festival on Tuesday.&#8221;</p></blockquote>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-3096 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/VC.png" alt="" width="150" height="151" /></p>
<p><big><strong>VENTURE CAPITAL</strong> &#8211; Funding News and VC Perspective</big></p>
<p><em><a href="https://www.cnbc.com/2020/10/30/impact-investing-in-vc-european-tech-investors-sustainability-push.html" target="_blank" rel="external noopener noreferrer"><strong>» Some of Europe’s top tech investors are adding a ‘sustainability clause’ to start-up deal terms</strong></a></em></p>
<p>Ryan Browne, writing for CNBC, discusses the most significant recent trend in the world of investment: sustainability. Investors are increasingly concerned with ESG goals and the carbon footprint of their wealth, which resulted in a lot of discussion throughout 2020 and some fairly important steps being taken by VCs &#8211; as well as the broader wealth management industry.</p>
<blockquote><p>&#8220;Socially-conscious investing has gathered a lot of momentum this year, with billions of dollars flowing into funds that use environmental, social and governance criteria to screen the companies they back. Venture capitalists are taking note, with some of the largest start-up investors in Europe pushing for accountability in their own portfolios with regard to investing in climate-friendly firms.&#8221;</p></blockquote>
<p>&nbsp;</p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/vc/the-big-7-2021-regtech-cybersecurity-payments-blockchain-ai-financial-inclusion-and-venture-capital/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>There is no silver bullet in cybersecurity</title>
		<link>https://lhoft.com/lhoftv1/insights/there-is-no-silver-bullet-in-cybersecurity/</link>
					<comments>https://lhoft.com/lhoftv1/insights/there-is-no-silver-bullet-in-cybersecurity/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Fri, 23 Oct 2020 01:50:33 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Insights]]></category>
		<category><![CDATA[Fintech]]></category>
		<category><![CDATA[Innovation]]></category>
		<guid isPermaLink="false">http://new-testing.site/en/?p=5973</guid>

					<description><![CDATA[October is, of course, Cybersecurity Month here in the EU, and we are in the midst of Cybersecurity Week in Luxembourg. The semi-official days, weeks and months dedicated to various issues of societal significance have [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>October is, of course, <a href="https://cybersecuritymonth.eu/about-ecsm/" target="_blank" rel="external noopener noreferrer">Cybersecurity Month</a> here in the EU, and we are in the midst of <a href="https://www.lhoft.com/en/meet-the-fintech-community/cybersecurity-week-luxembourg-2020" target="_blank" rel="external noopener noreferrer">Cybersecurity Week</a> in Luxembourg.</p>
<p>The semi-official days, weeks and months dedicated to various issues of societal significance have become part of the regular course of business. They are a regular call for greater awareness, solidarity and action in the face of important challenges afflicting people individually or as a group.</p>
<h2><big>Scientific breakthroughs do happen… </big></h2>
<p>For instance: October is awareness month for breast cancer, a leading cause of cancer death amongst women despite decades of significant medical advances. Last December, the U.S. Food and Drug Administration approved the hitherto most effective therapy for breast cancer expressing an antigen known as <a href="https://en.wikipedia.org/wiki/HER2/neu">HER2</a>, with some key opinion leaders in the medical community – oncologists whose very bread and butter is sobriety in the face of illness – describing the antibody-drug-conjugate as being “like magic”. Below is a “waterfall” plot describing the effectiveness of Enhertu in women with heavily treatment-resistant HER2+ breast cancer:</p>
<blockquote><p>In this single-group, phase 2 study, the use of trastuzumab deruxtecan resulted in a response in 60% of women with HER2-positive advanced breast cancer who had received a median of six previous lines of therapy.</p>
<p>— NEJM (@NEJM) <a href="https://twitter.com/NEJM/status/1228461418262876160?ref_src=twsrc%5Etfw">February 14, 2020</a></p></blockquote>
<p>As you can tell – and this is highly unusual in the world of therapeutic drug research – Enhertu induced significant tumor regressions in nearly all of these patients. This is as close to a “silver bullet” as we’ll get anytime soon in this cancer subtype, and we should be grateful to the researchers, physicians and patients who have made such a “miracle cure” possible.</p>
<h2><big>… but there is no silver bullet in cybersecurity</big></h2>
<p>A crucial takeaway for any organization is that, unlike in HER2+ breast cancer, there will likely never be a “silver bullet” in protecting against cyberthreats, for the simple reason that our IT infrastructure, software and ways of doing business keep evolving and with them, in lockstep, so do corresponding cyberthreats. As our partner PWC put it in a recent <a href="https://blog.pwc.lu/reflection-on-pandemic-mitigation-and-cybersecurity/" target="_blank" rel="external noopener noreferrer">blog post</a>, <em>“cybersecurity and information security are not constant— in fact, the only constant they have is constant change.  Risk and risk scenarios might not change that often, but the defence mechanisms required to mitigate the risks often do, as does the exposure factor.”</em></p>
<p>In today’s context of supercharged digitalization, not least as a result of the COVID-19 pandemic, cybersecurity is truly everyone’s business, as I described <a href="https://www.lhoft.com/en/insights/cybersecurity-is-everyone-s-business" target="_blank" rel="external noopener noreferrer">last month</a>.</p>
<p>Specifically in the realm of finance, innovative technological solutions also entail new cyber risks, and our increasing reliance on the digital infrastructure underpinning modern financial services amplifies existing risks linked to said infrastructure. That is why the Commission has proposed, as part of its digital finance package, a dedicated text on Digital Operational Resilience (DORA), as discussed <a href="https://www.lhoft.com/en/insights/the-eu-delivers-on-digital-finance" target="_blank" rel="external noopener noreferrer">here</a>, and likewise, is including specific requirements and protections in its proposals relating to crypto-asset and DLT infrastructure.</p>
<p>Resilience has become a real plat de résistance in business lingo since the start of this year, referring both to fundamental economic factors and, more specifically, to our ability to maintain digital services against ICT vulnerabilities and cyberthreats. In this context, I recommend reading Bernard Marr, writing for Forbes, on the differences between cybersecurity per se and cyber resilience, and on how to better embed both in your organization. This was also the topic of a <a href="https://www.cybersecurityweek.lu/event/moving-from-a-cybersecurity-mindset-to-cyber-resilience/" target="_blank" rel="external noopener noreferrer">webinar</a> led by Fujitsu in the context of Luxembourg Cybersecurity Week.</p>
<h2><big>Empowering talent, leveraging technology</big></h2>
<p>Another key consideration when thinking about cybersecurity or cyber-resilience in any organization is the role of the chief information security officer and how that role is embedded within the hierarchy. Gartner has a very helpful, concise <a href="https://www.gartner.com/en/publications/rethink-security-risk-strategy-ebook" target="_blank" rel="external noopener noreferrer">e-book</a> providing CISOs with concrete suggestions on how best to handle expectations from the BoD, and discussing the growing responsibilities of CISOs and what that might entail in terms of the search for, and formation of, talent. Gartner states: “CISOs are expected to selectively add more than 30 such capabilities to their function over the next 24 months, such as security strategists”. Furthermore, “it takes an average of 130 days to fill an open IT security position; openings go unfilled and teams remain understaffed for many months”. This imbalance between demand and supply speaks volumes to the unmet needs in corporate cybersecurity, and the urgent need for both our educational system and corporates to invest more into the required capabilities.</p>
<p>In parallel, we must embrace technological supplementation and in some cases substitution of the more labor-intensive tasks carried out by IT professionals. A Capgemini <a href="https://www.capgemini.com/wp-content/uploads/2019/07/AI-in-Cybersecurity_Report_20190711_V06.pdf" target="_blank" rel="external noopener noreferrer">report</a> touches upon just that topic by discussing the potential for AI to dramatically decrease inefficiencies in cyberdefense, and it is encouraging to see the financial sector recognize this reality:</p>
<p class="ct"><img loading="lazy" decoding="async" class="size-large wp-image-5975 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/11/image15-1024x655.png" alt="" width="1024" height="655" /></p>
<p>Building on a survey among 850 executives, Capgemini further establishes that the integration of AI-based solutions significantly increases the speed at which organizations respond to breaches:</p>
<p class="ct"><img loading="lazy" decoding="async" class="size-large wp-image-5976 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/11/image26-1024x675.png" alt="" width="1024" height="675" /></p>
<p>The final leg of the AI value proposition lies in the new products and services which vendors may develop and offer to their clients, which is a particularly alluring proposition for cybersecurity startups.</p>
<p>In the face of the pandemic and in the face of our ever-changing cybersecurity landscape – stay vigilant to be safe!</p>
<p>&nbsp;</p>
<p><strong>Author:</strong> <em>Jérôme Verony &#8211; LHoFT Research and Strategy Associate </em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/insights/there-is-no-silver-bullet-in-cybersecurity/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity is everyone’s business</title>
		<link>https://lhoft.com/lhoftv1/cybersecurity/cybersecurity-is-everyones-business/</link>
					<comments>https://lhoft.com/lhoftv1/cybersecurity/cybersecurity-is-everyones-business/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Fri, 11 Sep 2020 01:25:13 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Fintech]]></category>
		<guid isPermaLink="false">http://new-testing.site/?p=4305</guid>

					<description><![CDATA[Cyber on our minds In a 2019 interview with CBS’ 60 Minutes, Federal Reserve Chairman Jerome Powell surprised his interviewer by stating that “in a sense, [cybersecurity] is our top priority”. Not inflation, [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2><big>Cyber on our minds</big></h2>
<p>In a 2019 <a href="https://www.cbsnews.com/news/full-transcript-60-minutes-interview-with-fed-chair-jerome-powell/" target="_blank" rel="external noopener noreferrer">interview</a> with CBS’ <em>60 Minutes</em>, Federal Reserve Chairman Jerome Powell surprised his interviewer by stating that “in a sense, [cybersecurity] is our top priority”. Not inflation, not questions of employment or foreign exchange – cybersecurity was keeping one of the world’s most influential policymakers up at night. Powell then touched upon the dynamic nature of cybersecurity, describing it as an area “where the playbook is still being developed in real time”.</p>
<p>Both the fluid nature of an emerging field of expertise and the rise from the conceptual to the materially relevant were discussed in my June <a href="https://www.lhoft.com/en/insights/cyber-security-from-science-fiction-to-strategic-priority" target="_blank" rel="external noopener noreferrer">blog</a> post. The following excerpt remains highly relevant:</p>
<p><em>“The fundamental socio-economic changes imposed by our collective response to COVID-19 have provided the latest push towards an economic model featuring reduced reliance on physical proximity at the same time as dramatically increased reliance on IT infrastructure. This fundamental shift in how we live and how business is done goes hand in hand with socioeconomic disruptions which provide an opportunity for individual organizations to gain a competitive advantage via swift adaptation, but also systemic risk relating to widespread IT vulnerabilities.”</em></p>
<p>If the digitalization of all economic sectors was already in full swing in 2019, the 2020 pandemic has kicked this overarching socioeconomic trend into overdrive. Inevitably, the importance of cybersecurity has risen in parallel, and Jerome Powell’s comments seem all the more prescient.</p>
<h2><big>An emerging framework</big></h2>
<p>IT/ICT risks go hand in hand with cybersecurity and it is unfathomable to think of a modern financial system without thinking of the ICT infrastructure that underpins it. As the European Banking Authority notes, “<strong>ICT is a key resource in developing and supporting banking services</strong>; ICT systems are not only key enablers of institutions’ strategies, forming the backbone of almost all banking processes and distribution channels, but they also support the automated controls environment on which core banking data are based. ICT systems and services also represent material proportions of institutions’ costs, investments and intangible assets. Furthermore, <strong>technological innovation plays a crucial role in the banking sector from a strategic standpoint, as a source of competitive advantage</strong>, as it is a fundamental tool for competing in the financial market through new products as well as through facilitating the restructuring and optimisation of the value chain. As a result of the increasing importance of ICT in the banking industry, some recent trends include:</p>
<ol>
<li>the emergence of cyber risks together with the increased potential for cybercrime;</li>
<li>the increasing reliance on third parties for ICT services and products, often in the form of diverse packaged solutions and resulting in manifold dependencies and potential constraints and concentration risks.”</li>
</ol>
<p>To mitigate these risks, which are not limited to the financial system but also highly pertinent to other critical infrastructure, broadly accepted guidelines and norms, private-public sector collaboration and effective supervision are called for. In recent years, significant strides have been made towards the creation of a comprehensive supra- / international framework for the implementation and supervision of IT network risks, including but not limited to cyber risks, notably via the 2016 NIS <a href="https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016L1148" target="_blank" rel="external noopener noreferrer">directive</a> which has since been transposed into national law across the EU, though with significant variability, as discussed <a href="https://www.wavestone.com/en/insight/nis-directive-transposition-operators-essential-services/" target="_blank" rel="external noopener noreferrer">here</a> by Wavestone. For instance, some countries directly transposed security measures for essential information systems into law, whereas others rely on ISO/IEC 27001 certification:</p>
<p style="text-align: center;"><iframe src="https://www.youtube.com/embed/io6w3Yw4q9w" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>ISO/IEC 27001 certifications have seen a 450% rise over the past 10 years, partially driven by legislation such as NIS, partially by organic adoption in recognition of their usefulness. More broadly, the ISO/IEC 27000 family of <a href="https://www.iso.org/isoiec-27001-information-security.html" target="_blank" rel="external noopener noreferrer">standards</a> “enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties”.</p>
<p>Penalties for non-compliance with measures contained in the NIS directive vary widely from country to country; a variable that doubtlessly factors into resource allocation decisions for multinationals:</p>
<p><img loading="lazy" decoding="async" class="size-large wp-image-4307 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/image24-1024x673-1.jpg" alt="" width="1024" height="673" /></p>
<p>While high penalties may disincentivize some companies from setting up shop in a given jurisdiction, conversely, when a given legislator signals that they are serious about enforcing InfoSec provisions, said jurisdiction’s reputation may be strengthened. Creating a safe and reliable operating environment for all market participants is of paramount importance as we continue to move towards an economic model that is heavily reliant on IT across sectors. Case in point: according to a recent ENISA <a href="https://www.enisa.europa.eu/news/enisa-news/what-is-a-csirt" target="_blank" rel="external noopener noreferrer">report</a>, as of April 2020, there were more than 500 cyber incident response teams in Europe, preoccupied with the proactive detection of malicious activity through internal monitoring and via reference to external resources. It seems safe to assume that incident response teams will continue to grow in numbers in the coming months and years.</p>
<h2><big>Awareness plus investment equals future-proofing </big></h2>
<p>Where does the Luxembourg financial sector stand? As tens of thousands of tertiary sector workers have adopted remote working, as customer preferences shift and as the Luxembourg financial hub continues to position itself favorably in a challenging geopolitical context, the country’s top financial regulator offers clues as to strategic priorities. As LHoFT associate S. Elif Kocaoglu Ulbrich <a href="https://www.lhoft.com/en/insights/covid-19-exploiting-finserv-vulnerabilities" target="_blank" rel="external noopener noreferrer">laid out</a> in June, the country “aims to position itself as a leading European location for cybersecurity start-ups, talent, investors, and experts looking for growth opportunities. The ecosystem hosts many up and coming start-ups such as Hacknowledge, Fineksus, Jemmic, Uniken.” This is further bolstered by a proactive public policy approach as I will illustrate below.</p>
<p>The CSSF’s 2019 <a href="https://www.cssf.lu/wp-content/uploads/CSSF_RA_2019.pdf" target="_blank" rel="external noopener noreferrer">annual report</a> recognizes the “sizable challenges” associated with – among other considerations – “obsolete” IT systems and the need to re- and upskill financial sector workers in order to ensure competitiveness and operational continuity. Innovation (Fintech) and digitalization are listed as a priority area alongside traditional core regulatory tasks such as consumer protection and AML/CFT.</p>
<p>CSSF intends to take a proactive approach towards implementing the aforementioned NIS directive, writing on page 86 that “[integration of the NIS directive’s requirements] presents a significant change, which needs to be presented to market participants [by CSSF] in order to ensure that it is properly understood”. In the same vein, CSSF also accentuates a strengthening of internal IT expertise as well as continued national and international coordination on questions of emerging technologies. Last but not least, the regulator’s “4.0” strategy promises to increase productivity and reduce turnover times significantly by deploying advanced automation tools based on AI.</p>
<p>There are also concrete examples of the CSSF’s proactive approach towards leveraging contemporary IT infrastructure: as Anne-Sophie Morvan of Luxtrust lays out <a href="https://www.luxhub.com/news/luxembourg-financial-supervisor-turns-to-apis" target="_blank" rel="external noopener noreferrer">here</a>, as part of Luxembourg’s <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843" target="_blank" rel="external noopener noreferrer">AML V</a> implementation, CSSF is moving from a “push” to a “pull” approach when it comes to the reporting obligations of certain supervised entities.</p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-4308 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/image13-1.jpg" alt="" width="602" height="571" /></p>
<p class="ct"><small><em>Figure 2: Source: CSSF Circular n°20/747, p.5. – via Luxhub. Schematic representation of CSSF’s API-based implementation of certain reporting obligations under AML V. </em></small></p>
<p>While it may seem like a mere technicality to casual observers, this transition in the CSSF’s regulatory approach promises to remove inefficiencies and reduce the risk of financial fraud, and it most certainly acts as a positive impetus for further integration of the regulatory function with the markets it supervises thanks to technologically appropriate solutions. This instance of technological evolution in the service of supervision also demonstrates that inherently inefficient processes and transactions are bound to be uprooted by technological change in due time. Investing in readiness today ensures relevance.</p>
<p>And this is where things come full circle: the growing role of technologically enabled solutions means growing systemic risk stemming from cybersecurity considerations, but it also means that adopting best practice makes financial sense. LHoFT member Cyberhedge continues to <a href="https://cyberhedge.com/insights/commentary/cyberhedge-indices-outperformance-in-1h2020-offer-proof-that-cyber-governance-matters-more-than-ever-amid-covid-19/" target="_blank" rel="external noopener noreferrer">make the case</a> for the close evaluation of technology governance considerations by investors, citing the predictive power of its cyber governance ratings with regard to company performance.</p>
<p>Integration of financial services and business-to-regulator functions via APIs as discussed earlier is likely just the beginning of a long journey of increasing interconnectedness which includes such things as the internet of things and the growing importance of vast extra-financial datasets. As remote onboarding remains in high demand due to COVID, established financial institutions have taken note and are <a href="https://www.ft.com/content/8a5fa5b2-6aac-41cf-aa52-5d0b90c41840" target="_blank" rel="external noopener noreferrer">ramping up</a> their collaborative efforts with Fintechs offering solutions with regard to AI-enabled “deep fakes”. In the age of digital, ensuring that institutions are dealing with “real people and not manipulated recordings” will become an increasingly pressing concern.</p>
<p>Even as the glue that holds the financial system together is increasingly made of hardware and software, human agency still matters. If boardrooms are <a href="https://www.forbes.com/sites/bobzukis/2020/09/01/is-your-boardroom-the-weakest-cybersecurity-link/#54be13832c1e" target="_blank" rel="external noopener noreferrer">the weak link</a> in an organization’s cybersecurity strategy, not much else matters. To establish cyber-resilience, vertical integration of best practice, close collaboration between market participants and the public sector, global incident reporting and the implementation of effective norms and processes are all required. Learning to leverage technology to our benefit, and doing so in a collaborative manner, ultimately rests on human preferences and decisions.</p>
<p><strong>Be sure to sign up for this year’s edition of <a href="/cybersecurity-week-luxembourg-2020" target="_blank" rel="external noopener noreferrer">Cybersecurity Week</a> – 100% virtual – to continue and deepen your engagement with the community. </strong></p>
<p><big><strong>Tools and resources:</strong></big></p>
<ul>
<li><a href="https://www.monarc.lu/documentation/method-guide/" target="_blank" rel="external noopener noreferrer"><strong>MONARC</strong></a> is an iterative and qualitative method of risk analysis in four stages; broadly inspired by ISO/IEC 27005. MONARC uses an iterative method which enables the pragmatic progression of risk management. This approach, as recommended by ISO 27005, enables the user to restrict himself to the essentials, then to carry out successive iterations to broaden the target or further refine it to cover more technical aspects.</li>
<li><a href="https://www.circl.lu/services/misp-malware-information-sharing-platform/" target="_blank" rel="external noopener noreferrer"><strong>MISP</strong></a> – the Open Source Threat Intelligence and Sharing Platform – is supported by the EU and co-developed by Luxembourg’s CIRCL (computer incident response center). Institutions and individual researchers may request access in order to contribute and retrieve data relating to emerging cybersecurity threats.</li>
<li><a href="https://www.govcert.lu/en/" target="_blank" rel="external noopener noreferrer"><strong>GOVCERT</strong></a> is the single point of contact dedicated to the treatment of all computer-related incidents jeopardising the information systems of the government and of defined critical infrastructure operators operating in Luxembourg, whether they are public or private.</li>
<li><strong>ENISA</strong> proactive detection gap analysis <a href="https://www.enisa.europa.eu/publications/proactive-detection-good-practices-gap-analysis-recommendations" target="_blank" rel="external noopener noreferrer">report</a> – includes valuable feedback from an EU-wide survey of incident response teams, gap analysis and comparison with earlier survey results.</li>
</ul>
<p><strong>Author:</strong> <em>Jérôme Verony &#8211; LHoFT Research and Strategy Associate </em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/cybersecurity/cybersecurity-is-everyones-business/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>COVID-19: Exploiting Finserv Vulnerabilities</title>
		<link>https://lhoft.com/lhoftv1/cybersecurity/covid-19-exploiting-finserv-vulnerabilities/</link>
					<comments>https://lhoft.com/lhoftv1/cybersecurity/covid-19-exploiting-finserv-vulnerabilities/#respond</comments>
		
		<dc:creator><![CDATA[Letze2024]]></dc:creator>
		<pubDate>Tue, 30 Jun 2020 10:04:01 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Fintech]]></category>
		<guid isPermaLink="false">http://new-testing.site/?p=2805</guid>

					<description><![CDATA[Pandemic: A Natural Selection for Offline Retailers The pandemic had led to a turnover drop across industries. The retail behemoths such as Zara and Primark reported their first losses during COVID19 with the pandemic [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2><big>Pandemic: A Natural Selection for Offline Retailers</big></h2>
<p>The pandemic has led to a drop in turnover across industries. Retail behemoths such as <a href="https://www.cnbc.com/2020/06/10/inditex-q1-2020-earnings-material-impact-from-covid-19.html" target="_blank" rel="external noopener noreferrer">Zara</a> and <a href="https://www.retaildetail.eu/en/news/fashion/primark-sales-down-literally-zero" target="_blank" rel="external noopener noreferrer">Primark</a> reported their first losses during COVID-19, with the pandemic affecting how consumers shop.</p>
<p>A recent <a href="https://www.statista.com/statistics/1102658/coronavirus-lost-sales-impact-for-retailers-europe/" target="_blank" rel="external noopener noreferrer">Statista</a> study on the projected impact of COVID-19 on brick-and-mortar sales in Europe between March 9, 2020, and April 21, 2020, reveals that retailers are expected to face a loss of 3.26 billion British pounds due to disruptions caused by the current outbreak.</p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-2807 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/960x0_1.jpg" alt="" width="960" height="555" /></p>
<p style="text-align: center;"><small>Source: </small><em><small>COVID-19 Commerce Insight, an Emarsys Initiative in Cooperation With Gooddata</small></em></p>
<p>According to <a href="https://www.forbes.com/sites/louiscolumbus/2020/04/28/how-covid-19-is-transforming-e-commerce/#51910ef83544" target="_blank" rel="external noopener noreferrer">Forbes</a>, consumers have already started creating and reinforcing new online buying behaviors and habits post-COVID. Consumers moved many retail transactions online; in many households, online grocery, apparel, and entertainment shopping are expected to replace store and mall visits until a vaccine is available. The WTO recently <a href="https://www.wto.org/english/tratop_e/covid19_e/ecommerce_report_e.pdf" target="_blank" rel="external noopener noreferrer">reported</a> that due to social distancing and stay-at-home requirements, e-commerce in services that can be delivered electronically has flourished, with demand rising sharply. The pandemic also shaped the digital (and mobile) banking adoption trajectory: there is a visible shift towards FinTech products across continents. The <a href="https://mastercardcontentexchange.com/newsroom/press-releases/2020/april/mastercard-study-shows-consumers-globally-make-the-move-to-contactless-payments-for-everyday-purchases-seeking-touch-free-payment-experiences/" target="_blank" rel="external noopener noreferrer">Mastercard survey</a> dated April 2020 shows that consumers are using contactless and other digital payments at record levels worldwide. Nearly eight in 10 consumers globally are expected to shift towards contactless payment use permanently.</p>
<p>COVID led to a change in consumer perception, which became an open call for digitalization. For many companies, online growth helped to mitigate revenue losses. The crisis reaffirmed the importance of digitalization from a public health, accessibility, and economic point of view.</p>
<p><strong>Even though the pandemic accelerated opportunities for digitalization and agile infrastructures, it&#8217;s too early to break out the party hats. The demand boost for e-commerce and internet banking highlighted the vulnerabilities of many prominent corporations&#8217; online presences and led to several major cybersecurity attacks.</strong> At the beginning of this year, many domain conferences, including Paris FinTech Forum, Finovate Europe, and Merchant Payments Ecosystem 2020, highlighted that 2020 is the year of RegTech and cybersecurity. Experts stressed the urgency of addressing the KYC, data privacy and optimization, cybersecurity, AML, and CTF issues, to complement and improve FinTech and financial services. Little did we know.</p>
<h2><big>The Biggest Cybersecurity Bait </big></h2>
<p>Many industries slowed down or ceased their activities during the lockdown, but cybercriminals were busier than ever. The number of phishing and scam e-mails consumers received skyrocketed post-pandemic. <a href="https://www.interpol.int/Crimes/Cybercrime/COVID-19-cyberthreats" target="_blank" rel="external noopener noreferrer">According to Interpol</a>, cybercriminals took advantage of the widespread global communications on the coronavirus to mask their activities. Malware, spyware, and Trojans have been found embedded in interactive coronavirus maps and websites. <a href="https://www.bbc.com/news/technology-52319093" target="_blank" rel="external noopener noreferrer">Google revealed</a> that scammers were sending 18 million hoax e-mails about Covid-19 to Gmail users every day, post-pandemic, adding that the virus might be the most significant phishing topic ever.</p>
<p>Crisis and panic create the perfect setup for cybercriminals. Aware of the security gaps, hackers target confused consumers and overwhelmed and understaffed institutions. Banking, retail, and even the aviation and health industries were among the sectors that had their share of cyber-attacks during the lockdown. In April, the WHO <a href="https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance" target="_blank" rel="external noopener noreferrer">reported</a> an increase in the number of cyber-attacks directed at its staff, and email scams targeting the public at large. <a href="https://www.theguardian.com/business/2020/may/19/easyjet-cyber-attack-customers-details-credit-card" target="_blank" rel="external noopener noreferrer">EasyJet&#8217;s</a> cyber-attack in May exposed 9m customers&#8217; personal data, along with an additional 2,200 passengers&#8217; credit card details. As for FinServ, the pandemic has been connected to a 238% surge in cyberattacks against banks, <a href="https://www.carbonblack.com/resource/modern-bank-heists-3-0/" target="_blank" rel="external noopener noreferrer">VMware Carbon Black</a> research claims. According to the research, 82% of surveyed financial institutions said cybercriminals have become more sophisticated, leveraging highly targeted social engineering attacks and advanced TTPs for hiding malicious activities. Ransomware attacks against the financial sector increased ninefold from the beginning of February to the end of April 2020.</p>
<h2><big>&#8220;Do as I Say, Not as I Do&#8221;</big></h2>
<p>The financial industry is centered around reliability and trust. Unfortunately, most financial service players are not aware of the work around trust. In 2019, BCG <a href="https://www.bcg.com/publications/2019/global-wealth-reigniting-radical-growth.aspx" target="_blank" rel="external noopener noreferrer">highlighted</a> that financial services firms are 300 times as likely as other companies to be targeted by a cyberattack. Despite the growing need to strengthen information security and cyber-resilience, BCG has found that many financial institutions are underequipped and do not have the infrastructure to respond in time. Past attacks have exploited financial institutions and start-ups as well as central banks and even the <a href="https://www.forbes.com/sites/daveywinder/2019/08/16/european-central-bank-breach-ecb-confirms-hack-and-shuts-down-website/#24e89b0c594b" target="_blank" rel="external noopener noreferrer">European Central Bank</a> (2019).</p>
<p><em>&#8220;America is grappling with a cyberinsurgency, and our financial sector is the number one target&#8230; Cybercriminals are evolving in both attack sophistication and organization. We must pay close attention to how we respond to these threat actors and what their ultimate goal is—hijacking digital transformation efforts via island hopping. Trust and confidence in the safety and soundness in the US financial sector is dependent on cybersecurity.&#8221;</em> &#8211; <strong>The Written Testimony of <a href="https://financialservices.house.gov/uploadedfiles/hhrg-116-ba10-wstate-kellermannt-20200616.pdf" target="_blank" rel="external noopener noreferrer">Tom Kellermann</a>, Head of Cybersecurity Strategy at VMware Inc., before the House Subcommittee on National Security, International Development, and Monetary Policy.</strong></p>
<h2><big>Cybersecurity: Not Just Another Item on The Compliance Checklist</big></h2>
<p>Cyber-attacks aim to gain access to personal data, credentials, and liquidity. In some cases, the attack means nothing more to the hackers than a simple challenge and defiance of the system, and focuses on testing the company&#8217;s security system. In other cases, the access gained through the cyber-attack triggers more crime: sometimes ransom, sometimes money laundering and terrorist financing activities. Verizon&#8217;s <a href="https://enterprise.verizon.com/en-gb/resources/reports/dbir/" target="_blank" rel="external noopener noreferrer">study</a> revealed that 91% of breaches targeting financial institutions in 2020 were financially motivated, 3% were motivated by espionage, and another 3% were motivated by a grudge.</p>
<p><a href="https://www.raconteur.net/infographics/the-real-cost-of-cybercrime" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" class="size-full wp-image-2808 aligncenter" src="http://lhoft.com/wp-content/uploads/2020/09/fighting-fraud-2019.png" alt="" width="1564" height="960" /></a></p>
<p style="text-align: center;">Source: <a href="https://www.raconteur.net/infographics/the-real-cost-of-cybercrime" target="_blank" rel="noopener noreferrer"><em>The Real Cost of Cybercrime &#8211; Raconteur </em></a></p>
<p>The cost of cyberattacks is high. Financial institutions suffering from cyber-attacks have to deal with the interruption of business operations, loss of data and/or funds, in addition to potential fines and damage claims that are likely to follow. Along with their negative economic aspects, cyberattacks are particularly harmful to the organizational DNA, while the recovery process can become destructive for the reputation. Cybersecurity failures harm more than IT and compliance; the aftermath is often closely connected to strategy, branding, and market position.</p>
<h2><big>Battle-Plan Against <em>Cyberinsurgency</em></big></h2>
<p>Cybercriminals erode trust in banking, and financial institutions are expected to put their best foot forward to avoid and combat cybercrime. Preaching is easy, but how can financial institutions better identify red flags? We compiled some strategic initiatives that could help financial institutions better prepare and prevent:</p>
<ul>
<li>All in all, financial institutions have an obligation to avoid cyberattacks. Nevertheless, installing sophisticated software alone would not remove the accountability. Anticipation precedes prevention; for long-term success, financial institutions should first identify their vulnerabilities. Only after testing and learning their process weaknesses will they be able to foresee potential attacks. After all, cybercriminals exploit and punish systemic weaknesses, and financial institutions should make discovering these weaknesses before external attackers do a priority.</li>
<li>Financial institutions should also invest time in &#8220;customer definition.&#8221; Most financial institutions collect a lot of data but are not aware of how best to use it. Knowing bank customers beyond personal data and understanding customers&#8217; banking behavior will help banks differentiate fraudsters better, preventing avoidable costs and staying on top of their game. This will minimize unnecessary card and account blockings due to suspicious activity, which can become frustrating to the customer in case of wrong alerts.</li>
<li>The custom in financial services is to send customers transaction data, monthly statements, and feature update e-mails/notifications. Service providers that go above and beyond this tradition and make an effort to educate their users might make headway with fraud prevention. Financial institutions that consider investing in educative customer onboarding and teach customers about the types of possible fraud (fake apps, fake warning messages and alerts, etc.) and how not to fall victim, the use of secure networks, how to generate unique passwords, and how to select legitimate e-commerce providers can make a head start, eliminating many payment and card fraud costs.</li>
<li>Remote working and understaffed office hours during COVID-19 have made financial institutions more vulnerable than usual, since more and more employees started accessing sensitive data through unsecured networks. This points to the need for remote access, secure databases, and back-ups. The post-COVID new work era should be seen as an open call for all financial service providers to build a secure and reliable infrastructure for working remotely. Investing in a home-office infrastructure will ensure continuity during future force majeure cases, while back-up databases will cover worst-case scenarios and prevent data loss.</li>
<li>No matter how sophisticated a cybersecurity mechanism is, cybercriminals will always level up and adapt. In general, fraudsters bring all their resources and modern techniques on board, including advanced machine learning and artificial intelligence, to attack with sophistication on a huge scale (Ekaterina Safonova, The PayTech Book, Wiley). They are dynamic, and so should financial institutions be. Financial service providers should not leave it at periodic tests to check cyber resilience off the list; there should be continuous examinations and analyses, adapting the prevention mechanisms to the latest tech developments.</li>
<li>Cybersecurity expert Ekaterina Safonova highlights the importance of getting into the minds of cybercriminals and fraudsters in the PayTech Book (Wiley, 2020): &#8220;KYC is important for building loyal, long-term relationships with customers, how about KYF (Know Your Fraudster)?&#8221; Only by analyzing and cracking cybercriminals&#8217; behavioral patterns can sustainable fraud prevention be built.</li>
<li>Last but not least, cyberattack resilience will be better built through communication and collaboration within and across industries. Financial institutions that suffered from cyber-attacks should prepare for sharing the incident data and statistics with other players, which could be crucial for building a collective intelligence in the long run. Besides, major cyber-attacks or data breaches that target widely used social media or retail platforms should be considered an immediate red flag for financial institutions. FIs should take the time to warn their customers and remind them how to stay securely connected, since most cybercriminals use the compromised customer data to reach FI credentials and access. Being aware of data breaches that might affect their customers and sharing guidelines with their users will allow financial institutions to be one step ahead (prevention versus rectification).</li>
</ul>
<h2><big>Cybersecurity: Luxembourg&#8217;s Position</big></h2>
<p>Luxembourg aims to position itself as a leading European location for cybersecurity start-ups, talent, investors, and experts looking for growth opportunities. The ecosystem hosts many up-and-coming start-ups such as Hacknowledge, Fineksus, Jemmic, and Uniken. One of the initiatives created in collaboration with public and private bodies aiming to connect all relevant parties is the PwC Cybersecurity Day, which offers a unique opportunity to gain insights from the latest international trends in cybersecurity and privacy.</p>
<p><strong>Applications close on the <u>30th of June</u> for the next edition of the PwC Cybersecurity Day, which is planned to be held on the 29th of October remotely. Click <a href="https://www.pwc.lu/en/advisory/digital-tech-impact/cyber-security/cybersecurityday.html" target="_blank" rel="external noopener noreferrer">here</a> for more information.</strong></p>
<p><em><strong>Author:</strong> <a href="https://twitter.com/sebnemelifk" target="_blank" rel="external noopener noreferrer">Sebnem Elif Kocaoglu Ulbrich</a>, Fintech Consultant &amp; Author</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://lhoft.com/lhoftv1/cybersecurity/covid-19-exploiting-finserv-vulnerabilities/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
