Hi, this is Clément from HUB612 👋🏻. Parram is a weekly newsletter about (underrated?) trends, topics, and perspectives on the Fintech Market.
The lockdown was, for many, an amazing opportunity to discover and dig into topics we always wanted to look at but couldn’t because of limited bandwidth.
On my side, I gained an interest in cybersecurity. I’m still very new to this field, but I can assure you it’s worth looking into!
Here’s an introduction to cybersecurity for Finance.
Three months ago, I had little to no understanding of what cybersecurity and online threats were. Honestly, the field is intriguing for an obvious reason: it looks magical.
I just finished Mr. Robot (great show!) and I didn’t have a clue what F Society was doing from a technological point of view. But it sometimes looked incredibly real, echoing reality. I had to get my hands dirty on this topic.
In short, what you must know is this: cybersecurity is about protecting computer systems and networks from the damage or theft of their hardware, software, and data, as well as from the disruption and/or misdirection of the services they provide.
Nick Espinosa, a keynote speaker and cybersecurity expert, briefly enumerates 4 laws that characterize Cybersecurity:
“If there is a vulnerability, it will be exploited”
Finding ways around situations, with good and bad intentions, is so ubiquitous that we commonly refer to it as lifehacking. Ingenious people bypass expectations with tricks, shortcuts, skills, or new methods. This isn’t a new concept for us; we just have to apply it to our internet usage to understand why it isn’t surprising to regularly see vulnerabilities being exploited.
“Everything is vulnerable in some way”
Even though companies are investing massively to protect themselves, we keep hearing about new attacks, new breaches, and so on. Companies are hacked and they don’t even know!
Wait, a free Avast anti-virus is enough to protect me right?
“Humans trust even when they should not”
Trust is fundamental in our society. But, we must question people’s intentions online.
There are many ways a system can be vulnerable. Humans are a critical piece of the equation. Companies acknowledge that and have started to monitor anomalous activity and train their employees to enhance cybersecurity and fraud controls.
“With innovation comes the opportunity for exploitation”
The more connected you are, the larger your attack surface. Indeed, through our increasing reliance on computer systems, the internet, wireless networks (Bluetooth, WiFi), and smart devices (smartphones, TVs, refrigerators, ...), we have created more potential entry points that could be exploited for bad purposes.
#1 : The cybersecurity market is unfortunately growing
The surge in the global cybersecurity market is hard to miss. In 2004 the market was worth $3.5 billion, and it is forecast to grow to $248.26 billion by 2023.
According to Cybersecurity Ventures, while all other tech sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime. We are witnessing unprecedented cybercriminal activity, which is almost impossible for analysts to track accurately. This means the market may be even bigger.
Another way of estimating the market is to consider global annual cybercrime costs, which will grow from $3 trillion in 2015 to $6 trillion annually by 2021 (how many zeros is that?).
Cybercrime costs can include: damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, and more.
#2 : Cybersecurity is a priority for financial institutions
Financial institutions have always been attractive targets. Back in 1995, Citibank was already at the center of malicious cyber and fraudulent activity.
Since then, technologies have developed at an unstoppable pace, to the point that we are currently in the decade of hyperconnectivity. In a study, PwC explains that businesses moving over to digital channels increase the risk of fraud, hacking, data compromise, and other cyber-vulnerabilities.
The challenge now is how to balance safety with customer convenience. Customers are highly demanding, which is why corporates are implementing features and launching new services and products. But this should not come at the cost of data privacy, exposure to fraud, and so on.
“You can’t pay enough attention to cyber-security”
From time to time, we receive a notification warning that a company’s data was lost, stolen, or simply left online for everyone to see. TechCrunch spent some time analyzing statements following a breach. It’s quite amusing/frightening to see corporations overwhelmed by cybersecurity (the statements decoded by TechCrunch).
Furthermore, in regard to the threat landscape involving financial institutions, Carnegie’s Cyber Policy Initiative developed this timeline of cyber incidents targeting financial institutions in association with the Cyber Threat Intelligence unit of BAE Systems.
This timeline of cyber incidents has tracked 130+ incidents since 2007. More will be added to it as companies discover, years later, that they’ve been hacked. Those exploitative hackers (also called black hats) can have multiple motives to attack a corporation:
Monetary gain
Increasing their reputation (e.g., leaving their signatures on the system or network after a breach)
Corporate espionage (e.g., obtaining information on services/products that may be hijacked to defuse an open growth strategy on a market)
Patriotic reasons (e.g., state-sponsored cyberattacks during wartime)
For financial institutions, the motive is mostly about money. In Verizon’s 2018 Breach Investigations Report, I found out that 76% of cyber-attacks are motivated by money. Thus, hackers go where the money is, and it can sometimes (unfortunately) be very lucrative. The incidents tracked range from data breaches (customer details were compromised) and theft (ATM skimming, jackpotting, ...) to espionage and disruption (DDoS, ransomware, ...).
According to the NYTimes, financial systems are among the most targeted systems. Cyber-attacks are growing rapidly and pose a substantial risk to the stability of the overall financial sector.
Is my piggy bank more secure then?
#3 : Cyber insurance isn’t widely adopted
As threats keep growing, companies have started to think about purchasing cyber insurance (also referred to as cyber liability) to protect themselves.
The cyber insurance market was valued at $4.8 billion in 2018 and is projected to reach $28.6 billion by 2026, growing at a CAGR of 24.9% from 2018 to 2026. It is largely an untapped market in developing economies, and still very new in European countries, for instance.
Here are a few numbers which I worry about:
In January 2020 alone, exactly 1,769,185,063 user records were leaked (user info and plain text passwords for about 772 million people, government data leak, ..)
The Hiscox Cyber Readiness 2018 Report, which is compiled from a survey of more than 4,100 executives (departmental heads, IT managers, and other key professionals) from the UK, US, Germany, Spain and The Netherlands, raised the question of corporate cyber readiness (which is really low!)
Based on the same report, I’ve learned that more than half (57%) of organizations with 250 employees or more say they have cyber insurance – and for the very biggest organizations with 20,000-plus people, the figure is higher still, at 64%. Among organizations with fewer than 250 employees, the proportion drops to under a quarter (23%).
NB: Insurance is just a dressing; it won’t prevent companies from being attacked. More and more companies ask outsourcing firms for help to get up to speed with the threats they may face or have been facing. It adds an extra layer of expertise for companies that are overtaken by events.
What companies don’t get is the impact an incident can have directly and indirectly on their business:
Damage to reputation
Crisis communication expenses
Costs of repairing damages
Loss of clients and business partners
Time to restore original operation
..
What’s more difficult to calculate is the extent to which this drains people and resources that could more profitably be deployed elsewhere. Cyber insurance could cover those topics.
Usually, the cost of cyber insurance depends upon several factors, including the business’s annual revenue, the industry, the type of data held, and the level of network security. Some sectors are more vulnerable to cybercrime and will, therefore, require a higher level of coverage (typically banks).
#4 : The targets are equally big corporations or SMEs
Large organizations are not the only ones susceptible to being hacked or getting a virus. 55% of small businesses have experienced a data breach, and 53% have had multiple breaches.
Cybersecurity is a complicated task for SMEs as they lack resources. It’s often perceived as a substantial part of budget allocation, but the inability to operate, for example after a ransomware attack, can be fatal for the business.
Also, a majority of micro-SME employees have no cyber awareness training. As 27% of data breaches come from human error, it’s fundamental to keep everyone up to date with the current threats.
Finally, as mentioned earlier, 23% of SMEs have cyber insurance. It seems incredibly low when you know the deadly impact an attack can have on a business.
“That is symptomatic of the larger problem in cybersecurity that offense still has the edge over defense. The defender has to worry about millions of lines of code, thousands of devices, thousands of networks. The attacker only has to be right once.” - Adam Segal
#5 : It’s a cradle of unicorns
You now know that the cybersecurity market is booming. According to TechCrunch, cybersecurity investing could reach $250 billion by 2023, and spending rose in 2019 more than any other industry.
This year we’ve seen two of the biggest exits in cybersecurity history with CrowdStrike (a seller of subscription-based software that protects companies from breaches) and Cloudflare (a provider of content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services).
This place is 🔥
#6 : There is a shortage of talents
There is a severe cybersecurity workforce shortage, with one million cybersecurity jobs open in 2016 — which is expected to reach 4.07 million by 2020.
This report from (ISC)², which stands for International Information Systems Security Certification Consortium, makes some hypotheses to arrive at this number. Even if it may not be a perfect estimate, the number describes the growing gap between companies’ hiring needs and the workforce available. The fight for talent is intense, which is why those jobs are very well paid and why it is even more complicated for SMEs to recruit.
Also, considering the technical background you need to be operational in this field, I understand it will take some time before closing this gap.
While doing research, I came across numerous mappings. Below, I selected one of them so that you can have a global overview of the typology of startups that are working in this field.
There is a lot of content out there. To get you up to speed on this topic, I’ve put together a list of content, classes, and more that you may find interesting.
🔗 Spotify
To discuss the opportunities in the sector and the specificities of the different businesses, this podcast welcomes a Cybersecurity Researcher at McAfee, a Security Change Team Leader at Sopra Steria and a Cybersecurity Director with more than 15 years of experience in companies such as Sopra Steria, Altran, Sogeti and the French Army.
Brett Johnson used to be a cyber-criminal. He did his time (seven and a half years), kept up to speed, and got hired when he came out of prison by the FBI, Microsoft, Lexis-Nexis, ThreatMetrix, VISA, and many more! An interesting interview with a former black hat now operating as a white hat.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. The first challenge is creating your own account, good luck :)
📧 I’m clement.parramon@hub612.com and @cparraam is my Twitter