In an exclusive interview with Banker Middle East, Wayne Loveless, Principal, Cybersecurity and Lutfi Zakhour, Senior Vice President, Financial Services, both at Booz Allen Hamilton MENA extensively discuss major issues surrounding blockchain technology and cybersecurity
What are the major cybersecurity issues and concerns in this region?
Wayne Loveless: Cybersecurity is a growing concern across organisations around the world. In fact, this was discussed at the World Economic Forum’s annual summit in Davos this year where cybersecurity was highlighted in the list of business risks across different sectors. Average annual losses to companies worldwide from cyberattacks now exceed $7.7 million per organisation, according to the Ponemon Institute.
For example, one of the most notable cases to hit GCC shores was the Shamoon virus attack, which shut down more than 30,000 workstations at Saudi Aramco in 2012. Despite the exceptional efforts to remediate and protect systems after the 2012 attack, the Shamoon virus resurfaced in January this year, impacting several government agencies and private sector companies.
Given these growing cyberrisks and threats, more organisations in the region are waking up to the potential hazards that a weak cybersecurity readiness presents. Currently, one of the major concerns around cybersecurity in the region is preparedness. As technology and digitisation becomes more prevalent across industries, the risk of attackers successfully penetrating and compromising systems, and the vital data they store and process, is only increasing. In addition to the government, other sectors that have been identified as being particularly vulnerable to cyberdisruption include finance, energy, manufacturing, utilities and transportation.
More than 50 per cent of recorded incidents in the Middle East region were conducted against oil and gas corporations, according to the Repository of Industrial Security Incidents (RISI) data. This is but a precursor to the potential disruption of the energy and oil and gas sectors’ industrial systems. A more targeted and concerted effort from governments and private companies in the region is warranted. Therefore, investing in a robust resilience strategy that could prevent or reduce the impact of potential threats and protect national interest is key.
How is financial regulation developing in these markets and in what ways will it help combat cybersecurity breaches?
Lutfi Zakhour: Recent brazen attacks have brought regulatory requirements and standards in the financial services sector to the limelight. For instance, last year a Bangladesh hack leveraged the SWIFT payment system, allowing attackers to successfully steal $81 million of their targeted $951 million from Bangladesh Bank before a spelling error compromised the attack. With regional financial institutions also not being immune to such attacks GCC governments have been eyeing changes to the regulatory role within their respective countries.
While SWIFT is taking actions to improve security requirements and preclude a repeat of the Bangladesh Bank heist, GCC governments are also increasingly viewing financial services as a critical national infrastructure. A prime example can be found in the UAE where the federal government is seeking across the board improvements to the cybersecurity of critical infrastructure. In fact, the National Electronic Security Agency (NESA) is rolling out its latest cybersecurity framework with an initial focus on the financial services industry. Further actions taken in other GCC countries include new updates to e-transactions laws and cybercrime laws to place further emphasis and controls on ensuring the protection of both banks and consumers.
With the MENA region waking up to the importance of digital technologies, today’s financial landscape has seen key players re-evaluate their strategies and regulations to guarantee maximum efficiency and security. What is your view on this?
LZ: The financial services sector in the UAE, specifically, has picked up on blockchain technology, with one leading bank pursuing proof of concept of a blockchain network for international remittances and open account trade finance and another launching a pilot of blockchain, using the technology through Ripple. Additionally, Dubai has announced plans to use blockchain for all government documents by 2020 and several departments have announced that they would explore the technology in areas including healthcare, wills and diamond transactions.
Other initiatives include The Global Blockchain Council, established by the Dubai Museum of the Future Foundation, which has spearheaded several blockchain-related initiatives and launched pilot projects across several sectors such as healthcare, diamond trade, title transfer and business registration in order to test the cost-saving and time reducing effects of the technology.
Blockchain has now been recognised as a potentially game-changing approach to cybersecurity. Described as a generational disruptive force in the financial services industry, these distributed ledgers maintain tamper-proof lists of ever-growing data records and enable secure value exchanges—money, stocks, or data access rights—between different parties. Blockchain also creates a more secure, efficient, and collaborative ecosystem for sharing and accumulating critical data and information. It is particularly beneficial in the financial services sector, where it could enable safe and secure applications across payments services, trade finance and KYC registries benefitting both firms and consumers.
We foresee a lot of growth potential for blockchain in the GCC, across different industries, with several entities wanting to continuously advance the technology in order to complete their digital transformation and truly realise the potential of a smart city.
What are your suggestions to improve the cybersecurity standards in the region?
WL: Cybersecurity standards represent a baseline for tackling cybersecurity threats and improving overall readiness in prevention and mitigation of cyberincidents. While progress towards minimum standards for security is underway across the GCC and many institutions continue to follow industry standards and best practises, further efforts will be needed to improve security.
As demonstrated in the SWIFT attacks on the Bangladesh Bank, attackers can take any number of routes when compromising the security of systems and data, both stored and in transit, to meet their motives. With cybercriminals, nation states, and hacktivists all seeking to meet their objectives across the region, a more robust, and beyond baseline perspective on security is certainly warranted.
One of the biggest impediments to improving cybersecurity is not necessarily improving compliance to the minimum standards but understanding more fully how organisations can improve beyond the basics. This means foregoing basic compliance in favour of a maturity-based approach
to cybersecurity.
Building cybermature organisations requires maturation across all three perspectives of cybersecurity. It does not mean having the latest and greatest technology. While technology certainly plays a role in automating much of the security domain, it is actually other dimensions—namely, people and process—where greatest levels of improvement are needed acrossthe region.
Organisations are only ever as secure as their people. Each employee, no matter where they stand within an organisation, is often both the first and last line of defence. Better trained people, more cyber-focused skillsets, and a defined organisation-wide cybersecurity focus on improvement are three key means of improving organisational prevention, protection, and response.
Additionally, another area of focus should be improving the overall processes around cybersecurity. Many of the cybersecurity standards actually centre on the process aspect of the cybersecurity dynamic. Stronger governance, adherence to sound practises and procedures, and implementation of security first processes can ensure that systems and data remain secure while continued growth in digitisation and adoption of technologies like blockchain rapidly progress.
How will big data and blockchain technology impact the financial sector? What are the pros and cons of these technologies?
LZ: There is no doubt that big data, predictive analytics and blockchain technology in the financial sector (and beyond) have the potential to create a myriad of new services and a new frontier of business intelligence.
Deploying big data can fuel job creation especially for personnel with specialised skills such as data scientist, digital app developers, digital payment experts, and cybersecurity specialists. It can also fuel lateral job movements and a re-positioning of current jobs in the financial sector, whereby traditional counter clerk positions will transition to financial services analyst positions.
With the power of advanced data analytics, today’s counter clerk will be able to proactively and predictively offer a customer the most personalised services required when that customer enters a financial centre, or over the phone or internet—based on data insights from that customer’s financial behaviour.
This customer data will then allow institutions to benefit from data insights related to spending patterns, financial capabilities and income thresholds of customers. The more access to data, the better the ability to harness power to make customers more satisfied and employees more productive. These socio-economic benefits can lead to an increased customer base, a higher performing work force, and consequently to overall market growth.
Furthermore, data analytics capabilities will eventually allow for Data-Analysis-as-a-Service (DAaaS) offerings to different establishments—a merging of today’s credit rating companies and financial institutions, for example. This will allow SMEs to benefit from the data-analytics revolution and become more relevant and prosperous in their services industry.
The challenges would lie in that with the creation of these new services, comes the need to support their development, marketing, provisioning and continuous enhancement, among other requirements, to support the creation of jobs across the current and future financial services value chain. If this is overlooked, the potential of these services will not be realised.
As for blockchain technology, it can offer support on a wide range of use cases for financial institutions, including trade finance, remittances, syndicated loans, loyalty programmes and KYC registries, to name a few.
Blockchain improves cost efficiency, durability and reliability, ensures transparency and speeds up transactions, while enhancing security and privacy. Due to its decentralised network, blockchain does not have a central point of failure and is better able to withstand malicious attacks. Changes to public blockchains are also publicly viewable by all parties, which ensures that all transactions are unchangeable.
The blockchain payment system will, however, come with challenges. An example of this is the persistent doubt on whether the blockchain can handle the speed, scale, and security required to process high volume payments. To cater to a significantly larger volume of transactions, high-end servers would need to be put in place, which could impact the potential cost savings of moving to a distributed ledger.
There is no silver bullet on selecting the right path to develop blockchain technology for financial services in the GCC region. What is clear though is that central banks and financial services players need to engage with the technology to understand, harness, and develop it appropriately to bring about the potential benefits it promises to both businesses
and consumers.
The benefits which blockchain technology can offer both financial institutions as well as users include:
Cost efficiency: Financial institutions can benefit from reduced costs and fees due to the lack of required intermediary and associated overhead costs.
Durability and reliability: Due to decentralised networks, blockchain does not have a central point of failure and is better able to withstand malicious attacks.
Enhanced security and privacy: Parties are able to make an Exchange without the oversight or intermediation of a third party, strongly reducing counterparty risk.
Ensured transparency: Changes to public blockchains are publicly viewable by all parties, which ensure that all transactions are immutable.
Faster transactions: blockchain transactions can be processed in near real-time around the clock.
Source: Booz Allen Hamilton MENA
© Banker Middle East 2017
