Are Financial Institutions Prepared for Digitalisation?
Digitalisation is directly impacting financial institutions' operational resilience. With escalating regulatory scrutiny, are firms prepared for an increasingly digitalised sector?
The COVID-19 pandemic has accelerated technological evolution across the financial sector, where rapid and widespread digitalisation continues to gather momentum. For firms that embrace this transition by enhancing cyber security, improving working practices, and building effective risk management frameworks, the impact will create an abundance of opportunities. Although this technological evolution brings efficiency and opportunity for growth, digitalisation is challenging operational resilience in new ways.
Reliance on information and communication technologies (ICT) and access to digital financial services have been amplified by the COVID-19 pandemic, with sustained social isolation and remote working models driving a 72% increase in the use of financial applications in Europe.
Operational automation, artificial intelligence (AI), digital payments, retirement plans, technology supply chains, and cyber threats – among other trends – are all testing financial institutions’ operational resilience. With the potential to trigger severe and sustained business interruption and reputational damage, a renewed focus is essential to protect firms’ bottom line.
By adopting best practices in operational resilience, firms will not only secure the competitive advantages that digitalisation brings, they will also be better positioned to manage volatility in the area of non-financial risks.
Self-assessment: do financial institutions feel prepared for increasing digitalisation?
Now more than ever, global business leaders are under increasing pressure. Amid the economic downturn and ongoing impacts of the COVID-19 pandemic, budgets are constrained and the pressure to embrace digital technologies is creating new and complex exposures – particularly as they relate to cyber security. Balancing risk and opportunity is driving firms to consider how to make the best decisions for cyber security budgets to support changing business models – while protecting their people, clients, partners, and balance sheet.
Data gathered by Aon’s online cyber risk self-assessment platform Cyber Quotient Evaluation (CyQu) demonstrates that financial institutions consider themselves to be one of the best prepared for emerging cyber risks when compared against other global industries across four key themes: digital evolution; third-party risk; ransomware; and regulation.
Increasing reliance on intangible assets
Long before the COVID-19 pandemic, financial institutions needed to accelerate their digitalisation strategies to remain competitive in today’s innovation-driven economy. As a result, there has been a surge in patent filings globally: since 2013, large financial institutions have filed over 2,679 patents to improve operational efficiency and standardise practices.
Increasing reliance on intangible assets, for both financial institutions and their clients, adds new layers of complexity to first- and third-party risks. Articulating the value of intellectual property (IP), and protecting it, becomes ever more critical.
Regulatory pressures
Supervisory authorities – the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – recently updated their regulatory frameworks to promote the operational resilience of financial institutions and market infrastructures. The latest materials outline requirements and expectations for firms and financial market infrastructures (FMIs) to:
• Identify their important business services, considering how disruption to the business services they provide can have impacts beyond their own commercial interests
• Set a tolerance for disruption for each important business service
• Ensure they can continue to deliver their important business services and remain within their impact tolerances during severe (or, in the case of FMIs, extreme) but plausible scenarios
The scope of the PRA’s position on operational resilience now extends to business models and staff skills. Financial institutions’ business models are evolving. As digital payments continue to grow, manual processes are dissolving as automation evolves, driving a sector-wide need to reskill the workforce as part of the transition to digitalisation.
The demands on the workforce are changing rapidly, and financial institutions have a duty to support their people as the firm transitions to an increasingly digitalised operating model. A reliance on digital platforms will elevate cyber risk, and employees will need training and support to manage the firm’s exposures.
Until recently, there has been little intervention by the European Union into the generalist regulations, leaving national authorities to interpret and enforce the rules at their discretion. Certain aspects of digital operational resilience – such as ICT management, incident reporting and ICT third-party risk – have been partially regulated, whereas protocols on activities such as testing were excluded.
Inconsistencies in application and interpretation have led to duplication in regulation, and directly translate into high administrative and compliance costs for cross-border financial entities, or into high ICT risks.
Building digital resilience
Cyber attacks on financial institutions rose by 38% since the outbreak of the COVID-19 pandemic.
In response to the rapidly accelerating need for consistent guidelines and guardrails, the European Commission published its legislative proposal – the Digital Operational Resilience Act (DORA) – which combines existing information and communications technology (ICT) risk management requirements with several other initiatives into one unified framework.
DORA focuses on building resilience against digital risks, with particular focus on:
• ICT governance (Chapter I)
• Managing ICT risks (Chapter II)
• ICT-related incident reporting (Chapter III)
• Addressing gaps by introducing new requirements, such as digital testing (Chapter IV), information sharing (Chapter VI) and management of ICT third-party risks (Chapter V), which includes an oversight framework for critical ICT third-party service providers to monitor digital risks
• Providing financial supervisors with the tools necessary to fulfil their mandate to contain financial instability stemming from those ICT vulnerabilities (Chapter VII)
The DORA draft legislation was released in October 2020 and experts indicate the proposal is likely to be adopted within 18-24 months. Early preparation is key, and forward-thinking financial institutions should take action now.
Preparing for DORA
Financial institutions will need to examine each component of the new DORA regulation and identify specific areas for development within the firm. Existing industry trends suggest that firms should renew their focus across testing, reporting and third-party risk.
1. Testing
Testing of ICT protocols and systems will be monitored with increasing scrutiny under the new DORA regulations. Testing will no longer be discretionary. Firms will be required to conduct assessments including:
• Vulnerability assessments and scans
• Open source analyses
• Network security assessments
• Gap analyses
• Physical security reviews
• Questionnaires and scanning software solutions
• Source code reviews where feasible
• Scenario-based tests
• Compatibility testing
• Performance testing
• End-to-end testing
• Penetration testing
By leveraging real-world testing and simulations, cyber experts can enable financial institutions to understand vulnerabilities and strengthen defences. Tailored cyber security testing identifies system weaknesses and, with the support of a specialist advisory team, firms can take the necessary measures to address any issues that would breach regulatory requirements.
2. Reporting
ICT-related incident reporting requirements outlined in DORA define a number of reporting and classification obligations for financial institutions.
3. Third-party risk
A new framework to assess, identify and resolve critical ICT third-party service providers to monitor digital risk will come into effect under the new DORA regulations. Translating these obligations into actions for the firm will be time-consuming, and many firms will be challenged to implement the necessary protocols in time.
Access to experts with extensive experience in security advisory can help firms expedite the process by providing support in the implementation of immediate requirements and the execution of ongoing third-party risk audits.
How can financial institutions leverage solutions to test and report digital resilience?
Security source code review: using a combination of manual and automated security code review methodologies and tools, experts evaluate mission-critical software applications to identify vulnerabilities down to the exact line of code.
Network and cloud penetration testing: conducting a controlled test of digital infrastructures, attempting to compromise a broad range of systems using any method that a cyber attacker might use, such as password cracking and publicly known or zero-day vulnerability exploitation.
Cloud and host configuration review: building critical infrastructure in the firm’s cloud exposes vulnerabilities and insecure deployment practices. Since cloud-based applications often share resources and infrastructure with third parties, reviewing this software highlights data privacy and access control issues to address.
Social engineering testing: by exploiting many possible attack vectors, including people, cyber specialists plan and execute a risk-controlled, no-holds-barred attack to test firms’ resilience.
Hardware and Internet of Things (IoT) security testing: to assess your hardware and connected environment, testing IoT technologies exposes code weaknesses and any underlying defects or vulnerabilities introduced by non-hardened hardware.
Ongoing vulnerability scanning and analytics platform: a cloud-based vulnerability scanning service uses a combination of technology and human expertise to provide firms with on-demand, manually verified security risks. With these insights, financial institutions can measure and track security posture and the impact of improvements over time by accessing the platform’s analytics dashboard.
With cyber specialists across a global network, financial institutions can access assessments with a tailored focus on regionalised regulation such as the TIBER framework promulgated by the European Central Bank, CBEST in the United Kingdom, iCAST in Hong Kong, among others.
Closing thoughts
"Many financial institutions are reporting that the ongoing impacts of COVID-19 are dramatically accelerating their timetable for digitalisation. This brings great opportunity but also increases volatility, strains on risk management frameworks and heightens people risk. New regulations such as DORA provide a useful benchmark to help firms adapt their working practices and embrace change.
By adopting best practices in operational resilience, firms will not only secure the competitive advantages that digitalisation brings, they will also be better positioned to manage volatility in the area of non-financial risks. Such an approach will support firms in securing insurance at a time when it is becoming an increasing challenge to access market capacity competitively."
Cyber risk preparedness: an industry lens
Navigate new exposures: rapid digital evolution
The majority (62%) of financial institutions have mature network environments. This means that despite notoriously high volumes of legacy applications, there is robust architecture and strong defence mechanisms against perimeter breaches. There is also strong hygiene around network security, with 60% conducting regular network penetration tests.
Concentrate on controls: ransomware
Almost half of organisations (45%) scan their attack surface for vulnerabilities, while almost a third (27%) have not implemented two-factor authentication across all remote logins.
Know your partners: third-party risk
Almost 2 in 5 financial institutions do not have a robust third-party due diligence process in place. As third-party events increase in frequency and severity, establishing and maintaining a robust due diligence process is critical.
[Chart: CyQu cyber risk preparedness by industry (Construction; Manufacturing; Energy, Utilities & Natural Resources; Retail; Life Sciences; Professional Services; Telecom, Media & Technology; Financial Services) across the themes Regulation, Third-Party Risk, Rapid Digital Evolution and Ransomware, scored from 0% to 70%.]
Perfect the basics: regulation
Although a reassuringly high number of organisations automatically encrypt data at rest and in transit, 18% have not deployed an adequate data classification scheme. This highlights the challenge data-heavy firms face in deploying a robust data management approach.
Source: Aon’s 2021 Cyber Risk Report
Daniel Butler
EMEA Head of Financial Institutions Industry Vertical and Risk Advisory
Footnotes
• The European Commission: Digital Finance Factsheet (2020)
• https://www.wsj.com/articles/BL-CIOB-9707
• Aon 2021 Cyber Risk Report: Financial Institutions Insights
• Aon’s 2021 Cyber Risk Report
• https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
Talk With Us
If you would like to discuss any aspects of these insights, or to better understand our capabilities in this area, please do not hesitate to get in contact with our team.
Daniel Butler
EMEA Head of Financial Institutions Industry Vertical and Risk Advisory
daniel.butler@aon.com
Mark Brannigan
Head of Cyber Solutions UK
mark.brannigan@aon.co.uk