Cybersecurity teams are grappling with a dizzying paradigm shift as Latin America’s banks change their IT infrastructure and product development strategies.
Agile development methods and a customer-centric design strategy are throwing up a fresh range of digital security challenges in banking. At the same time, integrations and collaborations with third parties pose both challenges and new opportunities, specialists have told iupana.
“Digital transformation opens new fields for managing operational risk,” said Tomás Zañartu, operational and technological risk manager at Chilean savings and loan cooperative Coopeuch. “Today’s clients expect digital financial services with the speed and service level like those of Uber or Netflix.”
Digital transformation & cybersecurity
As banks integrate with an increasing range of third parties such as fintechs, the panorama of potential risks is growing.
“You have to look at the role of suppliers. You can’t just look at home, you also have to look at third parties,” said José Marangunich, head of corporate security at Banco de Crédito del Perú (BCP).
That includes both back-end integrations and customer-facing ones. The emergence of digital wallets such as Apple Pay or Google Pay, for example, means that clients’ card details are often held on multiple servers. The internet of things offers further potential risks. Marangunich points to emerging integrations being trialed in Asia that incorporate augmented reality into merchants’ sales process.
“If you’re part of a chain, your risks are also part of that chain,” he said.
Yet partners and third parties also present an opportunity for information security specialists. One example is the emergence of “Bug Bounty” schemes at Latin American banks. Brazil’s C6 Bank and Chile’s Coopeuch are among the banks that offer rewards for people who report digital vulnerabilities that they find.
Additionally, information sharing between banks regarding emerging risks and threats can help the whole system remain alert. “Collaboration is key for advancing in cybercrime prevention,” said Zañartu.
Agile development & speed
Cybersecurity teams are also grappling with banks’ new digital product development methods. As financial institutions hurry to launch new products quickly, and push out iterations and improvements to existing products continually, security teams are struggling to keep up with the pace.
“With every MVP and each product advance, you have to deliver a new client experience,” said Marangunich. “The standard control and securities processes aren’t that fast, which means we have to adapt to the trend.”
Similarly, making the digital security processes virtually invisible to the end user poses another new challenge.
“To be frictionless with high cybersecurity standards demands breaking paradigms and facing new challenges,” said Zañartu.
Phishing and the human factor
Yet, despite the rapid technological changes in the banking industry, some things don’t change. Phishing remains the most common route that digital attackers use to enter banks’ systems. And the risks – and opportunities – posed by people remain key.
“Without a doubt, people will continue to be the main factor,” said Zañartu.
That means that, for all the technological advances, a huge part of keeping a digital bank safe involves training people and making them aware of the risks.
“Robust communication with third parties is key – with clients, suppliers and staff,” said Marangunich. “Raising awareness and training are the most important.”
José Marangunich and Tomás Zañartu are speaking at CELAES 2019 on June 20 and 21 in Panama. The event is Felaban’s annual cybersecurity forum for the financial services industry.