The Cyber Clock Is Ticking: Derisking Emerging Technologies in Financial Services

Scam

As financial services companies around the world race to keep pace with a rapidly evolving technology landscape, they should consider not only what benefits new emerging technologies offer but also what risks they introduce.

Most survey respondents also recognize the need to strengthen critical cybersecurity capabilities, including third-party or supply chain management and privileged access management (PAM).

As companies continue to increase their reliance on newer technologies, they must ensure they have thought through and implemented the necessary risk management capabilities. Otherwise, they may find the risks outweigh the benefits.

As the technology landscape in the financial services industry continues to evolve rapidly over the next three to five years and as the associated risks mount, now is the time to future-proof the environment.

Financial institutions can lay the foundations for action by asking themselves four questions about their pursuit of emerging technologies:

  • Are we prioritizing the right technologies and cybersecurity capabilities? Are our technology priorities aligned with our security capabilities?
  • Are we investing in the right technologies and cybersecurity capabilities?
  • Do we have the right metrics and reporting? Can we, and do we, accurately and confidently measure against our risk appetite, provide transparency to regulators and executives, and identify strengths and weaknesses?
  • Do we have the right talent to close capability gaps? Do we have sufficient and appropriate talent not just to maintain existing capabilities now but to support future maturity and technology expansions?

Financial institutions have emerging technologies in their sights

With an increasingly crowded and fast-moving technology landscape, companies are facing pressure to keep up.

Financial institutions must not only grapple with how to best employ and protect their current technologies but also pay more and more attention to the growing field of emerging technologies that promise to strengthen their businesses—offering benefits such as increased automation, scalability, and cost savings.

To better understand how institutions are approaching and prioritizing new technologies, we surveyed companies around the world about the applicability of ten emerging technologies to their businesses.

The survey results reveal that financial services companies are not exploring all the emerging technologies equally. Instead, they are concentrating on those they perceive as most applicable to their organizations and likely to bring the most value, all while factoring in their current technological capabilities, their long-term business and tech strategies, and the potential regulatory impacts.

In recent years, financial services companies have evolved into technology-driven companies. This tech-centric approach is visible in the ways they are prioritizing their investments; in addition to embracing software technologies, they are prioritizing investments in scaling technology development, such as DevOps (software development and IT operations), and industrializing machine learning and AI.

Institutions are also weighing the current level of maturity of each technology in their plans, considering the proven (and unproven) use cases that could add value to their businesses. The most applicable technologies were further along in their maturity journeys than some of those that were deemed less relevant.

Cloud and edge computing lead the list, with 84 per cent of respondents recognizing their relevance to their businesses. Among those respondents, six in ten reported that more than 25 per cent of their workload now resides in the cloud.

This share will undoubtedly rise as cloud capabilities continue to evolve and as companies continue to transform their IT infrastructure through cloud migration and investment into cloud-native infrastructure—enticed by benefits such as flexibility, scalability, and cost efficiencies that are otherwise not offered by traditional, on-premise data centres.

Maturity and proven use cases undoubtedly help propel widespread adoption, and indeed survey respondents confirmed that cloud computing is already the most mature emerging technology used across financial services companies. Over 70 per cent of companies see their cloud adoption in the post-pilot stage, and 42 per cent consider their capabilities fully adopted and in the maintenance stage.

Applied AI gets nearly as much attention, with almost 80 per cent of respondents calling it relevant to their businesses. AI and machine learning have a long history in financial services. Corporate and investment banks, as well as insurers, were early adopters of AI and machine learning, decades before other financial institutions. The rest of the financial services industry has caught up in recent years, and adoption has only continued to grow.

This aligns with broader technology trends in financial services, as applied AI technologies continue to evolve and offer the potential for increasing value to companies. The next stage of AI—generative AI—promises unprecedented disruption of the industry (see sidebar “The promises—and risks—of generative AI”).

Almost 75 per cent recognize the applicability of next-gen software development to their businesses, enticed by the ability to transform their software development life cycle and simplify previously complicated custom development tasks.

AI-enabled development and testing, low-code and no-code tools, and other advances can improve processes and software quality in each stage of the development life cycle.

Next-gen software development is largely in the pilot stage across many companies. They stand to transform their software development life cycle, reaping the rewards of simplifying complicated tasks in custom application development.

While only 11 per cent of the survey respondents have fully adopted this technology, more than 50 per cent are in the pilot or post-pilot expansion stage, indicating they have had time to consider the benefits and use cases of the technology.

Trust architecture and digital identity are also advanced across many companies. Almost 50 per cent of the survey respondents put themselves in the post-pilot or maintenance stage of digital identity, and 70 per cent call trust architecture applicable to their businesses, with use cases regarding digital banking, omnichannel customer experience, a 360-degree view of customers, and digital-wallet offerings.

These efforts have demonstrated such benefits as faster innovation, stronger asset protection, and better customer experience, further persuading institutions to invest in underlying technologies, including zero-trust architecture, digital identity systems, and privacy engineering.

Digital trust efforts will most certainly increase as identity-related breaches, especially cyberattacks on identity systems, continue to grow. Eighty-four per cent of companies participating in a 2022 Identity Defined Security Alliance survey reported suffering an identity-related breach during that year.1 As organizations continue expanding their digital footprints, they must securely build and closely monitor their identity-related capabilities.

At the other end of the spectrum, less than one-third of the survey respondents are considering the following emerging technologies that stand to benefit financial services companies applicable to their companies today: quantum, future of mobility, and immersive reality.

Many institutions may not see adoption of these technologies happening soon and therefore are not prioritizing them today, because of the longer runway for adoption. It could well be that advances in quantum computing over the next few years may result in quantum quickly rising to a top concern, given its potential for materially affecting areas like password breaches and encryption breaking.

While this perspective is appropriate when considering the current maturity of these technologies, especially compared with more advanced and widely adopted technologies such as cloud and edge computing, financial services companies should not be so quick to dismiss them. Quantum computing, for example, is estimated to bring over $600 billion in value to finance, with potential benefits such as real-time automated decision-making and support activities such as holistic stimulations of liquidity or risk stimulations as part of large-scale, high-margin deals.

Adoption and maturity of these technologies, and undoubtedly others, are only expected to expand, as companies believe they should be spending more on those perceived as most applicable to their organizations.

Many noted that they do not believe they are spending enough on applicable technologies. More than half of the survey respondents recognize the need to spend more to continue building their capabilities in industrializing machine learning, next-gen software development, applied AI, future mobility, and trust architecture and digital identity (Exhibit 2). This spending imperative will only accelerate as the technologies ripe for investment continue to mature and proliferate.

Emerging technologies amplify existing risks and add new ones

Emerging technologies can offer significant benefits, but they can also exacerbate existing risks and introduce new cyber risks.

Cyber risk management is nothing new to financial services companies, but the importance of a robust, comprehensive strategy has never been more critical and will only increase as institutions expand their technological footprint.

Cyberattacks continue to increase, and financial services companies face well-funded, highly organized, and well-trained cyber criminals. These criminals are also adopting emerging technologies to aid in their attacks, including recent attacks utilizing gen AI as part of sophisticated phishing campaigns.

Cyber incidents are increasing in both frequency and severity year over year, and institutions must stay vigilant in their capabilities to defend themselves and protect their assets and finances against electronic crime.

According to the 2024 CrowdStrike global threat report, Electronic Crime (eCrime) continues to rise and lead as the most pervasive threat in 2023. Data-theft extortion also continues to rise, and 2023 saw a 76 per cent increase in victims named on eCrime dedicated leak sites compared with 2022.2 As companies increase their use of technology, they are also increasing the number of avenues for a potential cyberattack by mature threat actors.

We further surveyed financial institutions to better understand what cyber risks were top of mind. The biggest risks they reported that their organizations face include cyberattacks, AI, talent management, third-party and supply chain management, and data security.

While this proves that companies are aware of and considering the risks they face, it also raises a couple of questions: Do they have the right capabilities to mitigate risks? Are they considering the potential for increased risks as they expand their adoption of new technologies? While they overwhelmingly recognize that they are under attack and that emerging technologies introduce risk, they still lack the appropriate skilled talent to address these risks.

As companies expand their technology adoption, cyber risks are likely to grow. Specifically, each of the four technologies that received the greatest attention from survey respondents introduces its risks.

Take cloud migration, for example. As financial institutions move their workloads to the cloud and as network boundaries disappear, there’s an increased risk of exposure to threat actors and nation-states gaining access to networks.

Without proper management anchored in a robust cloud security strategy and strong security capabilities, companies face a multitude of cyber risks, including misconfigurations, data privacy breaches, and data loss.

Strong access controls, vulnerability management programs, data protection, and third-party management capabilities are critical to mitigating these risks; otherwise, organizations may find themselves susceptible to risks such as data loss through weak internal connections and service disruptions because of heavy reliance on third-party exposure.

Applied AI and gen AI usage introduce significant regulatory risks for companies. Regulators are increasingly eyeing the risks associated with AI and are developing requirements, such as those outlined in the EU AI Act, that are likely to see enforcement in the coming years. Financial services companies should build their security capabilities—including reporting, governance, and data privacy—in line with emerging regulations before they take force.

Next-gen software development and trust architecture can also subject companies to risks if they are not securely developed and implemented. Both technologies can provide increased efficiencies and increase security within an organization’s technology environment, but with them comes the risk of failure in involving the right skills in development and implementation or of failure to integrate the technologies fully and securely into the environment.

Consider the implementation of zero-trust architecture. Security misconfiguration and integration issues associated with legacy tools may increase the risks of data loss, reputational harm, and insider threats.

Financial services companies must rely upon their foundational cybersecurity capabilities to secure their technologies and protect their environments. Cybersecurity capabilities should be prioritized within the business as institutions continue to undergo technology transformations and recognize the benefits they bring with them. Without strong foundational security capabilities and controls within their cybersecurity programs, organizations will be exposed to risks brought on by their technology investments.

With this risk in mind, organizations must understand not only the benefits that new technologies may bring but also the accompanying risks. For institutions to truly harness their benefits, they must first coordinate their current capabilities by strategically investing in and maturing those that support the new technologies.

While financial companies undoubtedly recognize the importance of cyber risks and the actions they should take to manage them, the question is, are they fully aware of the added risks these new technologies bring?

Companies need strong foundational cybersecurity capabilities to counter cyber risks

Financial institutions feel pressure to keep pace with other organizations and worry they are not investing the right level of resources in the adoption of new technologies.

Fifty-seven per cent of surveyed respondents admitted they were concerned with keeping pace with emerging technologies, specifically concerning their cybersecurity expenditures.

While they recognize the importance of having strong cybersecurity capabilities to mitigate cyber risks, 31 per cent of companies are not confident that their capabilities can do so. To understand how companies are prioritizing and managing risks, we asked them to select their top strengths and weaknesses in their security capabilities across eight domains and numerous subdomains.

The weakest capabilities they identified require immediate attention, as many of them are essential to successfully developing and deploying the five technologies of greatest interest to the survey respondents (Exhibit 6):

  • Third-party and supply chain management. By far the greatest capability weakness—topping the list for 65 per cent of survey respondents—third-party management is critical as companies continue to expand emerging-technology use in cloud computing and applied AI, which relies heavily on third-party services for such critical components as computing, data usage, model bias, model usage, and security.

    As financial services companies rely more and more on third-party services, they must enhance their security capabilities to avoid exceeding their risk appetites and making their environments vulnerable to risks.

  • Metrics and reporting. Despite compliance being an important factor for investment into cybersecurity, a significant portion of the survey respondents (41 per cent) called their metrics and reporting capabilities a core weakness. Companies need reliable, insightful metrics and reporting (such as security compliance, risk metrics, and vulnerability tracking) to prove to regulators the health of their security capabilities and to manage those capabilities. New regulations such as the US SEC Cyber Disclosure Rule4 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and similar regulations around the world have underscored the importance of better reporting, transparency, and governance of cybersecurity risk.5 Additionally, with an increased focus around the world on regulatory compliance, operational resilience, as well as third-party risk management, more and more financial institutions are being challenged to prove the resilience of their vendors and their reliability in times of extreme stress. It is therefore more critical than ever that companies can measure their risks properly.

    Without a robust process for measuring, reporting, and governing the risks associated with capabilities, organizations are flying blind, not knowing how much risk emerging technologies will pose. Companies, for example, will need evolved controls to measure model bias and risk, average time spent responding to incidents in the cloud environment, and the severity of vulnerabilities. These controls enable companies to identify their strengths and weaknesses and address those gaps before an issue materializes.

  • Identity and access management (IAM) capabilities. The survey respondents passed similar judgment on their IAM capabilities, specifically the higher-risk PAM capability. Despite investment in digital identity and an increased technology domain to protect, companies are still struggling to protect accounts with high-risk access. Without proper PAM, emerging-tech capabilities remain vulnerable to backdoor compromise by threat actors. In addition, as financial institutions increasingly depend on automated software development (like the next-gen software development that 74 per cent of respondents are funding), they need to implement safe IAM and PAM practices.
  • The cloud. The cloud expands the digital environment and overall attack vector that companies must secure. While they embrace digital trust, organizations struggle to manage digital identities. The automated deployment and easily scalable infrastructure in the cloud can increase the risk of data exposure. Unfortunately, developers often use domain administrator or master privileged accounts and default credentials in the cloud environment. Without proper PAM, they are practically inviting bad actors to grab the keys to the kingdom.
  • Data life cycle management. While many financial services companies are using next-gen software development and applied AI to pursue efficiencies and automation opportunities, they often fall short on the major foundational capability of data life cycle management, as 30 per cent of the survey respondents admitted. Without secure, reliable data management in following best practices from creation to destruction, companies will have difficulty optimizing the benefits of technologies that require reliable data sources.

Think about applied AI. Securing the model training data to prevent tampering and the introduction of bias is essential. As AI models are applied to data sets and as data passes through the models, understanding the full life cycle of data security from discovery to classification, monitoring, compliance, and protection is equally essential.

The top technologies in which institutions are investing also have the highest correlation with weaker capabilities. There is also a disconnect between the top-of-mind risks reported and the capability weaknesses companies are facing.

These disconnects pose huge risks for organizations, especially as they continue to rapidly invest, pilot, and deploy these technologies in their environments. Organizations should strengthen these capabilities now to protect themselves in the future against the growing level of risk associated with these technologies.

How are companies prioritizing and investing in cybersecurity?

Financial services organizations’ cybersecurity capabilities are struggling to keep up with the rapid pace of adoption.

To better understand how companies are approaching cybersecurity, we asked three important questions: What is causing organizations to mature their cybersecurity capabilities? How are they prioritizing spending on cybersecurity? Do they have the right talent to address their capabilities and gaps? (See sidebar “Cloud and edge computing—investments planned in tech but not security.”)

Companies should approach compliance as the minimum baseline of expectations rather than the aspirational goal. Likewise, regulatory compliance should be baked in proactively rather than as a reaction or an afterthought, especially as rule-makers delve into emerging technologies.

For many technologies, regulations are still under development (most notably in the AI space). As regulations catch up with the level of adoption across organizations, companies need to be prepared to comply. By using compliance as an essential aspect of adoption, organizations can future-proof their technologies by getting ahead of emerging regulations before their implementation.

Spending habits: Companies recognize critical underinvestment in cybersecurity

Acknowledgement of underspending capabilities has grown in the last three years. Seventy per cent of the survey respondents believe they are underspending and should spend more. Not one organization reported overspending. This marks a shift from prior surveys: in the 2020 IIF and McKinsey Cyber Resilience Survey, only 58 per cent of respondents acknowledged underspending. In 2023, a majority of companies said that they should increase cybersecurity spending by more than 20 per cent to build the requisite capabilities.

Companies rely on talent to address capability gaps

Efforts to close security capability gaps typically revolve around recruiting new talent and upskilling existing talent. All respondents reported relying on existing talent, as well as new talent, to secure their technologies.

However, 65 per cent noted concerns about gaining and retaining appropriately skilled cybersecurity talent. While companies can outsource some cybersecurity work, more than half of the respondents plan to rely on internal resources to close the capability gaps related to their emerging technologies.

Call to action: Future-proof the environment

The technology landscape in the financial services industry will evolve rapidly over the next three to five years, accompanied by mounting risks.

Technologies that are popular today may change tomorrow, and as use cases develop and mature, companies are likely to continually reassess their applicability and investment priorities. The time for action to future-proof the environment is now. Our survey found that even leading institutions are falling short and that smaller companies with significantly less budget or ability to attract top security talent face even greater challenges.

Financial institutions should lay the foundation for action by asking themselves the following four questions about their pursuit of emerging technologies:

  • Do we have the right technology priorities, and are they aligned with our security capabilities? Expansion into newer technologies, such as the cloud and applied AI, usually means greater reliance on third-party services. Companies should reflect on their capabilities and the maturity of their security before introducing any technology. The third-party risk management capability warrants special attention.
  • Do we have the right metrics and reporting? Whether to satisfy regulators or to hold teams accountable, financial services companies need transparent, value-based metrics for managing cyber risks. They can aid in monitoring performance, informing decisions, and identifying emerging issues for quick action. These metrics should measure cyber risk from an emerging technology perspective and be reported appropriately to the right stakeholders, including board members and executives, lines of defence, and the risk management team.
  • Are we investing in the right things? Decisions on technology investments should take security capabilities, especially IAM capabilities, into account. The growing risk of security breaches and the looming need for regulatory compliance shine a spotlight on these capabilities.
  • Do we have the right talent and technology to close capability gaps? Every organization needs to invest in talent, but hiring and retaining the right talent is a challenge and calls for exploring other ways to fill the talent gap, such as utilizing emerging technologies, including AI.

Emerging technologies are grabbing lots of attention in the financial services industry. Each brings cyber opportunities and risks. Most companies will have to build their cybersecurity capabilities to handle the risks. Today is the time to future-proof the environment, ensuring success for tomorrow.

ABOUT THE AUTHOR(S)

Leave a Reply

*