Strength in regulation
Mark Van Leewarden, Managing Director and Founder of Warden Consulting, discusses the necessities of strong regulations in managing cybersecurity risks.
Describe the cybersecurity landscape in the Middle East.
Cybercrime is somewhat of a vexed issue in that it defies a precise definition. Most financial crime committed currently involves computer technology or use of the internet in some way, so you could argue all such offending is cybercrime.
If you focus on hacking, which facilitates traditional crimes such as theft, sabotage and blackmail, this appears to be more of an issue in the Middle East than globally.
Are there particular trends that are identifiable/typical of cybercrimes in this region?
In addition to hacking and ransomware, cyberware and business email compromise are specific problems that are trending. A good example is business email compromise which targets businesses. The offenders spoof company emails and assume the identity of senior management to request a transfer of funds.
The US response has been to have dedicated teams within the FBI investigating the problem. The scam can be combatted by having voice verification regarding transfers over a certain amount, for new vendors or where there are bank account changes. No online payments should ever be made without at least an implemented tier of authorisation.
What challenges should financial institutions expect to face in the foreseeable future?
With development in the region, many companies have experienced strong growth and have applied less emphasis to cybersecurity issues. The challenge into the future is not only having the right processes and technology in place but ensuring there is an appropriate culture in the business, which must be driven from the top down. This is true of all corporate security including fraud management, ethics and loss prevention measures.
How would you suggest financial institutions protect themselves from cybersecurity risks?
The banking fraternity are well aware of the risks being faced as they are dealing with not only cybercrime attacks but ensuring vulnerabilities to money laundering and terrorist financing are also being contained. The problem is not just IT-based—they require response teams who are appropriately experienced and have clearly defined roles and responsibilities both in terms of prevention and incident response.
The banking and finance sector is currently going through tough times, part of it due to more stringent regulations. What is your opinion on financial regulation in these markets and its efficiency in combating cybersecurity breaches?
The banking sector's focus on regulatory control as an overarching management of the issue is a good sign. It is an acknowledgment which is critical in dealing with risk generally. Aligned with this, however, there needs to be regulatory certainty under which financial institutions can operate. In this sense further clarification around the UAE Central Bank moves on virtual currency is probably necessary. Banks are facing a difficult and challenging environment. Any increase in banking activity drags with it an increase in criminality.
What are your suggestions to improve cybersecurity standards in the region?
Improvement in cybersecurity standards is directly linked to awareness, board support and business culture alignment. Also included in this must be customer education coupled with constant system and procedure improvement. Acknowledged and effective robust enforced processes can then be run effectively under this umbrella. This is a challenge as it could be argued Middle East businesses are not structured as stringently as those globally. A backdrop of regional political uncertainty adds to the problem.
Going forward, what is your outlook on the development of cybersecurity across the financial sector?
The difficult times recently have resulted in a Central Bank focus on risk management regulations generally. Alignment with international standards is important to ensure global continuity of response.
Any perceived regional weakness will draw focus from criminal elements who can sniff an opportunity for exploitation. Forcing accountability onto boards and management will necessarily result in some resistance but it must be seen as positive long term.