Financial sector will have new regulation on information security
Due to the rise of electronic channels and the increase in cyber risks, the Financial Superintendence of Colombia will issue new instructions in addition to those related to the management of operational risks and information security.
According to the latest report by Ponemon Institute and IBM, the average total cost of a data breach in the US. UU reached a record of $ 7.35 million in 2017, in all industries, 5% higher than in 2016.
In Colombia, according to the report “Impact of Digital Security Incidents in Colombia 2017” carried out by the OAS, MinTIC and the IDB, there are many companies with costs related to the loss of intellectual property above $ 325 million. Colombian pesos: about 10% of companies, where 3% presented losses to the intellectual property of more than COP 4,000,000,000.
About the financial sector, the cost of worldwide infringements was $ 336 million during 2017, which represents an increase of 49%, compared to 2016, according to the latest report by the Ponemon Institute and IBM. Also, according to the study published in 2017 by the international computer security expert company, Kaspersky, a cyber incident can cost a bank entity up to 1.8 million dollars. The banking sector in Colombia is avant-garde in the development of digital transformation and cybersecurity. For Digiware Expert, Rímel Fraile, this is due, on the one hand, to the changing market conditions that cause the sector to develop new strategies to develop technology-based financial services; and on the other hand, to the high regulation that exists in the banking sector, to guarantee the economic development of the country, the prevention of money laundering and to ensure the trust that consumers have placed in their entity.
It is important to remember that in 2007 the Financial Superintendence of Colombia (SFC) issued the external circular 052, which helped to develop information security and quality within financial entities. More than 10 years have passed since then and with that, there have been multiple modifications to that circular, which today is a matter of compliance.
In this period, technological development has advanced significantly. The way the financial sector provides its services to its customers has changed. A simple example is that today there are fewer offices of entities and more mobile applications that provide the same services. “At present, unlike 10 years ago, the financial sector faces an organized crime market that has put its resources and motivations in the theft and sale of information, and have evolved it 'also using digital transformation' to the development of criminal activities such as the kidnapping of information and infrastructure, ”says Fraile.
According to the expert, it is necessary to understand that currently the risk and threat landscape is different and aware of this, the Financial Superintendence of Colombia (SFC) intends to develop a new regulation that allows facing this new scenario. “This new circular establishes specific requirements on the government of information security and cybersecurity and gives important, crucial, and much needed support to all those responsible for the matter so that they can aspire to an independent and exclusive budget, "He said.
Also, according to the Executive director of Digiware, Andrés Galindo Ortegón, this regulation makes a commitment to digital transformation and to that need that all those responsible for security in participation and early inclusion have for all the projects that an organization has, (... where the care and diligence that must accompany these innovation processes is established). "It is a reality that the digital transformation has brought some technical projects simultaneously, for which it can colloquially say‘ the hands of security officers are not enough ’to meet that demand."
Aspects related to awareness-raising, training, and updating are also important, and take into account the participation of senior management and third parties. This is hardly natural given that the technological and cyber threat landscape is constantly changing; giving a clear message, including to third parties: “cybersecurity is a topic that belongs to the entire organization,” says Galindo. Another aspect to highlight is cooperation, collaboration and reporting to incident response centers and authorities, which is expected to be an important tool to combat cybercrime.
The challenge is that financial institutions develop their current capacity to identify, react and contain a cyber-attack in a timely and successful manner, understanding that the capacity of cybercriminals is increasingly greater and more sophisticated. In fact, according to Asobancaria, cybercrime leaves profits in the world for 575 billion dollars a year, a figure equal to or like that obtained by drug trafficking. Evaluating the desirability of having a SOC might not be enough, and for Galindo, that is where the circular is correct, applying terms such as ‘management effectiveness and efficiency’ to ensure continuous improvement.
"Another relevant aspect and that, in my opinion, has not developed in the region, is‘have insurance that covers the costs associated with cyber-attacks. " It is a call to the same sector to develop services aimed at transferring risk, and it would be expected that it would not only be a subject of the regulated sector but that it could be developed for any sector and thus, give viability, tranquility, and confidence in the development of the digital economy of the country ”, recommends Fonseca. The requirements oriented to the organization's resilience are evident in this new circular since the financial sector is critical infrastructure, and consequently, it is unnecessary to mention how important it is for the country's economic development.