Six cybersecurity tactics for financial services to prevent disaster
Anyone who has seen the apocalyptic cybercrime thriller Leave the World Behind will know just how terrifying a nationwide digital shutdown could be. Some shocking recent statistics show that the risk is plausible: South Africa has the fifth worst cybercrime density globally, only 26% of local companies recently surveyed have cybersecurity insurance in place, and more than 10.9 billion sensitive records were breached globally between 2005 and 2018. Cybercrime affects all industries, but two in particular - health and financial services - must always ensure uptime and the protection of sensitive data.
Now imagine a scenario where a mass cyber event affects South Africa’s financial system. If digital payments and banking were to stop working, millions of people could be left stranded, unable to pay electronically for goods and services or withdraw their social grants or cash at ATMs. At the national level, financial institutions, the stock exchange and even the government’s ability to service its foreign debt or deliver services could be seriously jeopardised.
There are key people and organisations in the local financial system who are actively working to prevent such disasters from occurring. One such person is Dirk Labuschagne, Chief Information Security Officer at Direct Transact (DT), one of South Africa’s largest banking and payments service providers. Drawing on DT’s strategies for protecting its clients, which include several banks and payment providers, and on his role on a special SA Reserve Bank task team preparing for the eventuality of nationwide outages, Labuschagne shares his top six cybercrime mitigation tactics for the benefit of financial ecosystem players, their IT teams, and the public.
Ensure compliance with NIST's new 2024 Cybersecurity Framework (CSF)
The USA’s National Institute of Standards and Technology (NIST) offers the gold standard in cybersecurity best practice, with guidance organised around five key functions, namely “identify, protect, detect, respond and recover”. NIST has also just updated its guidance in its new 2024 Cybersecurity Framework (CSF). The framework includes important updates on how cybersecurity should be governed within organisations, covering the organisational context, risk management strategy and supply chain risk management. NIST CSF version 2.0 recognises global cybersecurity threats and offers practical guidance for addressing them. NIST SP 800-55, for instance, highlights the need for regular measurement, evaluation and improvement of an organisation’s cybersecurity.
Source: https://frsecure.com/blog/nist-csf-2-0/
If your company handles card payments, ensure updated PCI DSS v4 compliance
The PCI Security Standards Council offers very detailed guidance to the payments industry on how to maintain the highest levels of security for sensitive card payment data. It enables the industry to audit its cybersecurity against the most current standards, and its well-known PCI DSS compliance framework was updated this year to version 4, offering even more robust security requirements for the payments industry to follow. PCI DSS applies to all entities that store, process or transmit cardholder data, and covers the technical and operational system components connected to that data.
Source: PCI-DSS
Heed SARB’s updated 2024 rules
The South African Reserve Bank (SARB) recently released its “Joint Communication 2 of 2024 - Publication of the Joint Standard - Cybersecurity and cyber resilience”. The guidelines were released in line with the Financial Sector Regulation Act (FSR Act), the Executive Committee of the Financial Sector Conduct Authority and the Prudential Committee of the Prudential Authority. The Joint Standard sets out best practices and processes for cybersecurity and cyber resilience in the National Payment System in South Africa. It looks specifically at developments in the payments space related to digitisation, financial technology, automation and artificial intelligence, and at the risks that need to be managed. It is critical for all banks, payment players and financial institutions to familiarise themselves with these standards and implement them before they officially come into effect on 1 June 2025.
Ensure buy-in from top management in terms of cybersecurity governance
Within any financial services organisation, it is vital to have strong leadership on cybersecurity, which is implemented and supported from the very top of the organisation down to every single staff member, customer, vendor and supplier. Cybersecurity cannot be relegated just to the IT department. A strong cybersecurity strategy needs to be driven from the board and C-suite level in order for it to become ingrained in the company’s culture, operations and workflows. Cyber attackers look for chinks in the armour of an organisation, and if an organisation is well-managed and unified around cybersecurity, it will be much harder for bad actors to find vulnerabilities.
Gamify and incentivise staff awareness, participation and compliance
Phishing emails sent to staff remain one of the greatest security vulnerabilities for financial services companies. Deloitte estimates that more than 95% of cybersecurity attacks on organisations are preventable and that 90% of successful malware or ransomware attacks on organisations are due to staff negligence, such as clicking on phishing emails. When it comes to instilling a healthy and robust cybersecurity culture in your organisation, it’s far better to use a carrot than a stick. Ultimately, a cybersecurity education and awareness strategy can only succeed if there is willing participation from all staff members. Gamification and incentivisation are great ways to get cooperation from everyone in the organisation.
Ensure your technology is up to scratch
When you set up a secure environment, both for your internal and public-facing systems, you need to invest in a few key technology elements:
- Secure data storage (immutable storage)
- Secure data transmission (internally or externally)
- Secure data processing (secure handling of financial and personal data)
- Regularly updated software (operating systems and applications, patch and vulnerability management)
- Secure multi-factor authentication (MFA)
- SIEM (Security Information and Event Management) to detect, analyse and respond to security threats before they cause damage
- SOC (Security Operations Centre) to detect, analyse and respond to security incidents in real time
Our team also regularly monitors Check Point’s live cyber threat map and Kaspersky’s real-time cyber attack map. It’s very interesting to watch global cybercrime activity in real-time!
Additionally, more than half the battle is won if you have an excellent data centre setup. In South Africa, the gold standard in secure data centres is Teraco in Johannesburg, Durban and Cape Town. In essence, what you want from a secure data centre is immutable storage, application contingency solutions and disaster recovery that hold up in the event of natural disasters, intensified nationwide load shedding and any other adverse and unexpected events. It’s also wise to do regular penetration testing on your data centre. We, for instance, use testers approved by the PCI Council, whom we invite to try to breach our defences via multiple attack vectors. If they find vulnerabilities or weaknesses, we know where to strengthen our defences. If issues relating to hardware are identified, the original equipment manufacturer collaborates with us to patch the vulnerability.
Conclusion: always remain in control
Bad actors are always after sensitive and personal information, including, amongst other things, card data that can give them access to funds. To protect financial services businesses and their customers, it’s essential to benchmark cybersecurity practices against the best-practice standards of international frameworks such as NIST and PCI DSS v4, as well as local regulatory frameworks. Ultimately, it comes down to continuous cybersecurity policy buy-in and leadership from the C-suite, robust cybersecurity governance throughout the organisation, strong structural frameworks, monitoring and reporting systems, regularly updated policies and education initiatives, and technical and practical implementation.
If you roll out these guidelines, you can build a 'cyber-resilient' organisation and help safeguard our digitally and economically active public.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
30 October