Companies are adopting new approaches to protect critical business data from cyber threats as they leverage digital technology to boost growth and customer experience.
With the forthcoming launch of Open Banking and the continued use of Australia's New Payments Platform (NPP), firms are likely to look even more closely at establishing robust cybersecurity protocols. That's because these innovations bring opportunities, such as enabling the fast and seamless movement of money and data, and new vulnerabilities.
So what specific risks should your business keep in mind? At HSBC, we work with corporate clients to help them navigate cybersecurity threats. We have identified several risks you should consider, while taking advantage of the opportunities in the changing banking sector.
Open Banking – opportunities and risks
When it's rolled out on 1 February 2020, Open Banking will allow customers and businesses to give accredited third parties and banks access to their banking data.
Instead of several companies hosting your data, a single provider will – with your consent – aggregate all your banking information to help put you in a more favourable position. For example, you will be able to harness the power of your data to access more products or get better rates from providers.
However, aggregating your banking data could also concentrate your risk in one place. If someone gains unauthorised access to your provider's system, your banking data could be compromised. So it's crucial that you ensure your financial services providers have cybersecurity infrastructure that meets global security standards. You might also consider working with your data aggregator to explore how you could diversify your data storage.
At HSBC, we have global cybersecurity controls that prevent, detect and deter attacks and fraud. If we discover an attack or any suspicious activity, these controls enable us to correct potential vulnerabilities in our systems and rapidly recover from an attack. This is how we protect your accounts and ensure you get uninterrupted service.
Regulation variation and longer value chains
In the new financial services landscape, providers may not all be regulated in the same way – especially when it comes to security and fraud risk management.
As regulated institutions, banks must comply with requirements such as the Australian Prudential Regulation Authority (APRA) Prudential Practice Guide CPG 234 for managing risks to their information and IT systems. At HSBC, we also follow global security standards, including the ISO 27000 series, which sets out best practices for managing data security.
Businesses also need to keep in mind that Open Banking will create longer value chains, leading to a new area of vulnerability. As you authorise a third party to handle your banking data, you're building a longer chain of interconnected stakeholders with access to that data.
Insurers, fast-moving consumer goods providers, retailers, airlines and telecommunications companies could be particularly vulnerable because of the substantial amount of consumer data they handle. Some airlines have already suffered major data breaches. Last year, one airline reported unauthorised access to a system containing information for more than 9 million passengers. Another was hit by a data breach that affected more than 400,000 customers.
But longer, more complex value chains are inevitable in today's business environment. With or without Open Banking, they are a reality of modern supply chains. As your company expands or grows internationally, it must work with more distributors, buyers and service providers. To minimise your risks, you should identify the weakest links in your value chain and establish protocols to address potential threats.
Real-time payments and digital banking
With the introduction of real-time payment platforms (RTP) across the world, there are potential security issues that may not seem as obvious as those from Open Banking. It is important to be aware that the personal identification information used in these platforms has potential data privacy risks. In addition, real-time payment platforms complete transactions in five seconds or as close to real time as possible, which makes it impossible for banks to reverse payments.
Outside of Open Banking and real-time payments, businesses must be aware of the risks associated with online banking platforms. These are a key target for cybercriminals because if they can hack into a banking platform, they may also be able to access customers' data.
Besides adopting cybersecurity and fraud prevention measures, it is crucial to work with providers that have strong security controls.
At HSBC, we face our own cybersecurity risks as we expand our digital banking services. That's why we have established comprehensive controls to ensure the security of our online platforms – HSBCnet and HSBC Connect – and related customer information. Globally, we have capabilities to identify cyber threats and swiftly manage any attacks.
We also continue to bolster our digital security through innovative solutions. For example, you can now log in to HSBCnet on your smartphone to generate a security code, using HSBC's Digital Secure Key. This eliminates the need for us to supply a physical device that generates codes, and helps protect against fraud.
Further security measures
In addition to the above points, we strongly recommend that businesses wanting to make the most of Open Banking, real-time payments and digital banking follow APRA's CPG 234 or the ISO 27000 series as standards for security and fraud risk management.
We also recommend introducing controls for:
- access management – control employees' access to your systems and use strong access management tools, supported by two-factor authentication
- application security – make sure you have enough security for any new downloaded or created applications
- data classification – implement a system to classify information. At HSBC, we categorise data as public, internal, restricted or highly restricted. Our cybersecurity system recognises this classification and heavily scrutinises highly restricted files if they are exchanged within our network
- infrastructure – ensure your cybersecurity infrastructure complies with APRA's CPG 234 or a global standard equivalent, such as the ISO 27000 series
- physical information – create a system to manage physical information, including secure printing
- third-party providers – subject new vendors to a due diligence process and third-party security review. Make sure they comply with APRA's CPG 234 or the ISO 27000 standards.
Finally, it pays to look after the human side of cybersecurity. The strength of your security controls relies in part on your employees' cyber awareness – for example, knowing when not to open an email attachment or click on a link. One emerging security threat your staff, particularly your payments team, should be aware of is business email compromise.
A business email compromise happens when a fraudster emails your payments team impersonating a contractor, supplier, creditor or one of your senior managers. It can be difficult to detect this type of activity because fraudsters make the sender's email address appear the same as a known email address. Besides raising staff awareness of this threat, consider implementing payments security that includes a two-step verification process.
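As an added defender-side illustration of the sender checks described above (example code, not HSBC's or the page's own), the following Python routine compares a payment instruction's From and Reply-To headers against a constructed allow-list of approved contacts, flagging lookalike sender domains and trusted display names attached to unknown addresses. All addresses and messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of contacts the payments team legitimately takes
# instructions from (placeholder addresses, not real ones).
APPROVED_SENDERS = {
    "accounts@acme-supplies.example": "Acme Supplies",
    "jane.doe@yourcompany.example": "Jane Doe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_payment_email(raw: str, approved=APPROVED_SENDERS) -> list:
    """Return a list of findings; an empty list means the sender checks out."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if addr not in approved:
        domain = addr.rsplit("@", 1)[-1]
        for known, known_name in approved.items():
            known_domain = known.rsplit("@", 1)[-1]
            # Unknown address whose domain is within two edits of a trusted one
            if domain != known_domain and edit_distance(domain, known_domain) <= 2:
                findings.append(f"lookalike domain: {domain} resembles {known_domain}")
            # Trusted display name attached to an unknown address
            if name.strip().lower() == known_name.lower():
                findings.append(f"display name '{name}' used from unknown address {addr}")
    # Replies silently redirected away from the visible sender
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


# Constructed sample messages for demonstration.
LEGIT = "From: Acme Supplies <accounts@acme-supplies.example>\nSubject: Invoice 41\n\nPlease process invoice 41.\n"
LOOKALIKE = 'From: "Acme Supplies" <accounts@acme-supp1ies.example>\nSubject: Invoice 41\n\nPlease process invoice 41.\n'
IMPERSONATED_EXEC = 'From: "Jane Doe" <jane.doe@webmail.example>\nReply-To: jd.private@webmail.example\nSubject: Transfer\n\nPlease transfer today.\n'
```

A message with any finding should be held for the out-of-band second verification step rather than processed on the strength of the visible sender alone.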
How we can help
We understand that some of our corporate clients don't have the capabilities to manage cybersecurity threats and prevent fraud. That's why at HSBC we want to support you in establishing your security controls. We run awareness sessions to offer guidance on creating security strategies and implementing best practices. Our experts can also advise you on how to get started so you can better manage cybersecurity threats.
For more details on how HSBC is protecting your financial information, please view the 'Protect' function on HSBCnet Plus, using your normal access to the platform.