Brian, can you tell the Risk Insights’ readers about yourself and your professional experiences?
I am the Group Director of Fraud and Financial Crime Prevention for all of the Lloyds Banking Group brands. My role encompasses anti-money laundering, sanctions and terrorist financing, anti-bribery, and fraud prevention.
I am increasingly involved in cyber defences to ensure that our fraud and cyber defences work together, rather than in silos. Criminals do not work in silos, so it makes no sense for security professionals to do so.
We look forward to the Risk EMEA Summit where you will be joining a panel discussion on cyber and technology. Can you give us an insight into the increasing regulatory focus on cyber security in the last 5 years?
Cyber security has become a key focus in the last few years, but also the lines between cyber and fraud have become increasingly blurred. We have seen recent high profile fraud cases reported as cyber attacks, when they were really automated frauds. This has given rise to a new term of “cyber-enabled fraud”. This makes it ever more important that cyber and fraud teams work together to defend their organisations.
The FCA has become more interested in cyber defences, setting up a cyber unit, and various regulators around the world have introduced new requirements and assessments of cyber defences. It is clear that scrutiny will continue to increase, particularly as high profile breaches occur.
How has the role of the cyber criminal changed in that time?
The main difference today is the emergence of crime as a service. No longer are cyber and cyber-enabled crimes being committed end to end by single criminal groups. Increasingly, the tools for an attack are available for sale as a service to whoever wants to extract money or cause disruption.
This means that the targets of attacks find it even harder to identify who they are up against. It may be a different group that is conducting an attack than the person who is contacting the organisation claiming to be the perpetrator. At the same time, other unrelated parties may also claim to be responsible.
It also makes the intended purpose of any attack much harder to determine. Is it a disruptive attack based on activism, an attempt to extract money, or access the target’s data, or is it a distraction for other criminal activity such as fraud?
What are some of the advantages and disadvantages for banks in the rise of FinTech?
The rise of FinTechs provides an opportunity and a risk for fraud and cyber prevention. On the positive side, new tools and channels are being opened up to improve detection and prevention of crime, which enable cyber and fraud professionals to keep pace with the fraudsters.
On the less positive side, new channels introduce new vulnerabilities and smaller start-ups will tend to be less advanced in their defences. For cyber, the system is only as strong as its weakest link, so new players with weaker defences present a potential entry point for criminals that is very difficult for the established players to close. It will be critical that all market players, new and old, work together to build appropriate defences to keep criminals out.
How do you see the role of cyber risk and fraud & financial crime professionals changing over the next 6-12 months?
I think these roles will move ever closer together. Very few organisations have responsibilities combined. As a minimum, the different functions need to work together to ensure that their controls deal with the overlaps between cyber, fraud and financial crime.
Many regulators will be looking closely at the New York State Department for Financial Services’ new cyber security requirements, which require a Senior Officer to be responsible for cyber controls and require an annual certification of compliance.