Digital Workplace. As with other industries with a high percentage of knowledge workers, BFSI organisations are grappling with granting remote access to staff. Cloud-based collaboration and Fintech tools, BYOD policies, and sensitive data traversing home networks are all creating new challenges for cyber teams. Modern approaches, such as zero trust network access, privilege management, and network segmentation are necessary to ensure workers can seamlessly but securely perform their roles remotely.
Looking Beyond Technology: Evaluating the Adequacy of Compliance-Centric Cyber Strategies
The BFSI industry stands among the most rigorously regulated industries, with scrutiny intensifying following every collapse or notable breach. Cyber and data protection teams shoulder the responsibility of understanding the implications of and adhering to emerging data protection regulations in areas such as GDPR, PCI-DSS, SOC 2, and PSD2. Automating compliance procedures emerges as a compelling solution to streamline processes, mitigate risks, and curtail expenses. Technologies such as robotic process automation (RPA), low-code development, and continuous compliance monitoring are gaining prominence.
The adoption of AI to enhance security is still emerging but will accelerate rapidly. Ecosystm research shows that within the next two years, nearly 70% of BFSI organisations will have invested in SecOps. AI can help Security Operations Centres (SOCs) prioritise alerts and respond to threats faster than could be performed manually. Additionally, the expanding variety of network endpoints, including customer devices, ATMs, and tools used by frontline employees, can embrace AI-enhanced protection without introducing additional onboarding friction.
However, there is a need for BFSI organisations to look beyond compliance checklists to a more holistic cyber approach that can prioritise cyber measures continually based on the risk to the organisations. And this is one of the biggest challenges that BFSI CISOs face. Ecosystm research finds that 72% of cyber and technology leaders in the industry feel that there is limited understanding of cyber risk and governance in their organisations.
In fact, BFSI organisations must look at the interconnectedness of an intelligence-led and risk-based strategy. Thorough risk assessments let organisations prioritise vulnerability mitigation effectively. This targeted approach optimises security initiatives by focusing on high-risk areas, reducing security debt. To adapt to evolving threats, intelligence should inform risk assessment. Intelligence-led strategies empower cybersecurity leaders with real-time threat insights for proactive measures, actively tackling emerging threats and vulnerabilities – and definitely moving beyond compliance-focused strategies.
The Digital Economy – a term first coined by Don Tapscott in 1994 – is not easy to define or measure. At one end, it is limited to the production and consumption of digital goods and services. On the other end, according to the European Parliament, “The digital economy is increasingly interwoven with the physical or offline economy making it more and more difficult to clearly delineate the digital economy“. We are, however, witnessing the Digital Economy transitioning to an economy that is digital.
Given the pervasiveness of the Digital Economy, its future will be determined by the complex interplay of several trends. Some of the trends that illustrate the future trajectory of the Digital Economy are:
We will see AI becoming ubiquitous as it is leveraged in every sector and sphere of activity. According to one estimate, AI is estimated to contribute USD 15.7 trillion to the global economy by 2030, which is more than the current GDP of China and India combined! We are also likely to see rapid progress in technologies related to Extended Reality (XR) in the coming years. COVID-19 is accelerating this trend, as we can see from the offerings of companies like Spatial and MeetinVR that facilitate virtual business meetings. The analog world’s rendering into its digital twin will see us moving towards a metaverse – a virtual shared space imagined in Neal Stephenson’s novel Snowcrash. Some of the biggest names in the tech industry – Apple (Apple glass), Facebook (Oculus), Sony (Playstation) – are assiduously working towards this direction.
Given the importance of telecom infrastructure to the Digital Economy, 5G networks are being rolled out in countries worldwide (Figure 1). However, even as 5G is being deployed, the buzz around 6G is getting louder. 6G may transmit data 100 times faster than 5G and may see deployment by 2030 given the decadal cycles for telecom: 1G in the 80s, 2G in the 90s, 3G in the decade following 2000, 4G in the decade starting 2010, and 5G beginning in the 2020s.
The availability of high bandwidth, low latency networks could lead to newer applications and further breakthroughs in innovative technologies.
The Future of Work
With the rapid growth in automation and AI, we are likely to see significant labour market disruptions. Moreover, COVID-19 has been a watershed for the global economy – its impacts will continue to be felt for many years to come. According to the International Labor Organization, 495 million full-time jobs were lost in the first two quarters of 2020 due to COVID-19. Lower and middle-income countries have suffered the most, with an estimated 23.3% drop in working hours – equivalent to 240 million jobs.
A recent report from the World Economic Forum estimates that by 2025, 85 million jobs may be displaced due to automation and AI, while 97 million new roles may emerge. We will see significant changes and turbulence in labour markets across multiple industries and geographies in the years ahead. If we look at how the top ten skills required by the top 10 US companies have been changing over time, we get an indication of the Future of Work. Companies are more focused on “soft” skills, that are not easily addressed by AI & Automation.
We are also likely to see a shift from humans adapting to technology to technologies adapting to humans. For example, the acceleration in digital twins combined with advancements in XR could allow unskilled workers to do skilled jobs. AR could guide a worker to repair a piece of mechanical equipment without long years of previous training. Similarly, the emergence of ‘Low Code No Code’ (LCNC) applications will allow ordinary individuals to do tasks that previously required specialised training.
Scientists have long focused our attention to limit the carbon dioxide in the atmosphere to 450 parts per million to avoid catastrophic climate change. In 2016, the World Meteorological Organization reported this concentration had crossed 400 parts per million, leaving us with a shorter runway to prevent calamitous climate change. We are, therefore, likely to see increased efforts to tackle climate change in the decade ahead.
Digital technologies can impact the global climate agenda in multiple ways: smart grids, smart buildings, smart appliances, intelligent transport systems, shared mobility, and 3D printing, to name a few. Digital technologies will also allow new sources of renewable energy to be tapped. For example, the molten core of the earth is over 6,000°C. “Just 0.1% of the heat content of Earth could supply humanity’s total energy needs for 2 million years,” according to AltaRock Energy. Advances in the use of digital technologies that allow for precise directional drilling will allow for advanced geothermal systems to be established as reliable power sources.
Tech bloggers like Doc Searls and Stephen Lewis had begun to theorise about a Splinternet as early as 2008. There was a danger of governments carving the world into geopolitical blocks and creating technology barriers. China’s Great Firewall and the US’s recent responses under the Trump administration are likely to hurtle us in the direction of a fractured internet. We may end up with the US dominating the western internet and China dominating a competing block of countries. The Digital Economy’s evolution would fracture into different camps, making it very different from what it is today.
The most valuable companies in the world today are in tech. Seven of the top ten companies in the world by market cap in 2020 are tech companies.
The recent investigation into competition in digital markets undertaken by the US House Judiciary Committee observed: “Over the past decade, the digital economy has become highly concentrated and prone to monopolisation. Several markets investigated by the Subcommittee – such as social networking, general online search, and online advertising – are dominated by just one or two firms. The companies investigated by the Subcommittee – Amazon, Apple, Facebook, and Google – have captured control over key channels of distribution and have come to function as gatekeepers. Just a decade into the future, 30% of the world’s gross economic output may lie with these firms, and just a handful of others.“
The call for the regulation of big tech will gain momentum in the coming years. The European Union is likely to lead here, just the way just it did in the case of its General Data Protection Regulation.
Governments will also require data monopolies to share data. China mandates its automakers to share data generated by electric vehicles with a government research institute. This data is essential for public safety and planning battery-recharging stations. The Australian Government promotes the concept of sharing “designated datasets” that could include data held by the private sector that has significant community benefits. Similarly, France’s Law for a Digital Republic requires the sharing data by certain categories of the private sector. Such blurring of boundaries between public and private data will become more important.
We will also see the growing importance of data trusts. These are structures where data is placed in the custody of a “Board of Trustees” who have a fiduciary responsibility to look after the interests of data owners. Such data trusts might give individuals better control over their data.
Every aspect of the economy is being digitalised today. In the next decade we are likely to witness foundational shifts in how the Digital or Data Economy is structured. It will also see increasing risks as cyber threats grow exponentially from cybercriminals and state actors. That the world in 2030 will be very different from today is obvious. We may, however, be surprised by the extent and sweep of the change ahead of us.
Singapore FinTech Festival 2020: Economic Summit
For more insights, attend the Singapore FinTech Festival 2020: Economic Summit which will cover topics tied to the state of the economy, path to recovery and re-framing the new financial services landscape
The data privacy violations reportedly began in 2014 when the company started collecting employee data including their personal information, holidays, medical records, informal chats and other private details. It was found that the information was unlawfully recorded and stored; and was further opened to managers. The violations were discovered in October 2019 when due to a computing error the data became accessible company-wide for a short span.
Ecosystm Principal Analyst Claus Mortensen says. “This is one of those cases that are so blatant that you cannot really say it is setting a precedent for future cases. All the factors that would constitute a breach of the GDPR are here: it involves several types of data that shouldn’t be collected; poorly managed storage and access control; and to finish it all off, a data leak. So even though the fine is relatively high, H&M should probably be happy that it was not bigger – the GDPR authorises fines of up to 4% of a company’s global annual turnover.”
Mortensen adds, “It should also be said that H&M has handled the aftermath well by accepting full blame and by offering compensation to all affected employees. It is possible that these intentions were considered by the HmbBfDI and prevented an even higher fine.”
The penalty on the Swedish retailer is the highest in Germany linked to the General Data Protection Regulation (GDPR) legislation since it came into effect in 2018 and the second highest throughout the continent. Last year, France’s data protection watchdog fined Google USD 58.7 million for not appropriately disclosing data collection practices to users across its services to personalise advertising.
Talking about the growing significance of fines for data breaches, Ecosystm Principal Advisor Andrew Milroy says, “To be effective, GDPR needs to be enforced consistently across the board and have a significant impact. It is too easy to ‘corner cut’ data protection activities. Some breaches may not have an operational impact. For this reason, the cost of being caught needs to be sufficiently large so that it makes commercial sense to comply.”
According to Milroy, “The sizeable fine meted out to H&M together with the publicity it has generated shows that the regulators are serious about GDPR and enforcing it. Other regulators around the world need to make sure that their jurisdictions don’t become ‘soft touches’ for malicious actors.”
EU Proposing New Data Sharing Rules
We are also seeing the European Union (EU) make moves to regulate digital services and customer data use by technology providers, as part of the European Union Digital Strategy. The EU is drafting new rules under the Digital Services Act to force larger technology providers to share their customer data across the industry, to create an even playing field for smaller providers and SMEs. The aim is to make the data available to all for both commercial use and innovation. This is being driven by the EU’s antitrust arm, aimed to reduce the competitive edge tech giants have over their competition and they may be banned from preferential treatment of their own services on their sites or platforms. The law, which is expected to be formalised later this year, is also expected to prohibit technology providers from pre-installing applications or exclusive services on smartphones, laptops or devices. The measures will support users to move between platforms without losing access to their data.
Click below to get data and insights on our cybersecurity study
However, any country that aspires to be a Digital Economy, must have robust data protection laws that safeguards its citizens’ data. Malaysia’s Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament in 2010 and came into force in late 2013. While the PDPA does provide guidelines for personal data protection to some extent, in light of technological advances, newer laws such as GDPR that are shaping the industry, and to keep up with the aspirations of creating a Digital Economy, there is a need for more comprehensive privacy laws.
“Growing the Digital Economy is a key agenda for Malaysia and a revised PDPA is a key component in ensuring trust and transparency,” says Shamir Amanullah, Principal Advisor Ecosystm. “The increasing and complex use of data and the proliferation of devices pose serious challenges which the data protection laws have to address. The recent US Federal Trade Commission’s hefty fines on Facebook and Equifax highlight the need to protect data of consumers and businesses alike.”
The PDPA is clearly a work in progress where while fast-growing areas such as electronic marketing and online privacy are mentioned in the act, there are no specific provisions to deal with breaches in these areas.
Updating the PDPA
In the last few years, Malaysia has realised that the PDPA fails to cover some areas. As an example, it does not take into consideration the proliferation of biometric data. The national ID card (MyKad) stores data using biometrics (thumbprints) and there is a clear rise in use of facial recognition technology in the country. Grab partnered with the Ministry of Transport last year, to use facial recognition technology to protect their drivers.
Malaysia is committed to their Digital Economy vision and is looking to update the PDPA, to make it more appropriate for contemporary needs and technology. The Government is consulting its citizens on possible ways to improve the PDPA. Between 14-28 February, the public can provide feedback on their thoughts and requirements on data privacy, through the Ministry of Communications and Multimedia’s web portal.
Some of the areas that have been found lacking and where feedback is being sought are expanding applications of the PDPA to data processors, making it compulsory to notify data breaches and simplifying cross-border personal data transfer.
Speaking about the areas that are likely to be addressed, Amanullah notes, “The review of the PDPA and the ongoing public consultation will deliberate extending the PDPA to non-commercial transactions. The existing PDPA does not cover non-commercial transactions involving charities, religious activities and even social media. The EU, Japan and – closer home – the Philippines have data protection acts which regulate both commercial and non-commercial transactions.”
Malaysia’s Communications & Multimedia Minister, Gobind Singh Deo, has from the start spoken about the need to update and bring the PDPA up to speed. “The goal of the Digital Economy is to take Malaysian enterprises beyond the country to Southeast Asian and global markets,” says Amanullah. “The EU GDPR is recognised as a leading global framework for data protection and is set to play a big role in the revised PDPA, to ensure that Malaysian companies adhere to the same data protection standards as global organisations.”
“The appointment of Data Protection Officers will be a major move to ensure that companies that hold sensitive private data have the necessary skills, processes and technology in place to comply with data protection laws.”
For more insights on global Compliance and Data Protection trends, please create your account on the Ecosystm platform.
The biggest fines issued by the ICO in the UK were to Facebook and Equifax – both of whom were fined GBP 500,000.
Facebook’s fine was for the notorious Cambridge Analytica data scandal, where the information of 87 million Facebook users was shared with the political consultancy through a quiz app that collected data from participants as well as their friends without their consent.
Equifax Ltd. fine was for something more similar to the British Airways case: In May 2017, hackers stole personal data including names, dates of birth, addresses, passwords, driving licences and financial details of 15 million UK customers. In its ruling, the ICO said that Equifax had failed to take appropriate steps to ensure the protection of this sensitive data despite warnings from the US government.
But these fines were all from before the General Data Protection Regulation (GDPR) came into effect. Now, under the new rules, fines can be as high as EUR 10,000,000 or 2% of total global annual turnover for the previous year (whichever is higher) for lesser data breach incidents. For significant data breaches and non-compliance, the fines can be double that: EUR 20,000,000 or 4% of total global annual turnover (whichever is higher).
British Airways’ GBP 183 million fine is the equivalent of 1.5% of its turnover in 2017. Had the ICO gone for the maximum limit, the fine could have been as much as GBP 489 million.
A lot can still happen before the fine is finally issued, and BA is likely to dispute the decision in court (Willie Walsh, the CEO of BA’s parent company, IAG, has said they will). But even if the fine ends up being significantly lower, there are obvious lessons to be learned from this case:
“People’s personal data is just that—personal.” These were the words spoken by Elizabeth Denham, the ICO Information Commissioner, in response to media enquiries on the fine. In other words: companies will need to take data privacy extremely seriously from now on or expect very hefty fines.
Attitude matters. British Airways chairman and chief executive, Alex Cruz, said in a statement that BA was “…surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”
Although we can’t know this for certain, the response may reflect what could be described as an “attitude problem” in how BA has been dealing with the ICO: a whiff of arrogance, blaming the breach on criminal hackers and failing to accept any blame or real responsibility for the incident.
We know from other GDPR cases in other countries that any failure to cooperate with the authorities may result in larger fines. Full transparency, full cooperation and accepting responsibility are the way to go. If it’s your data, then the buck stops with you.
The risks associated with IT cutbacks just went through the roof. The operating losses following the financial crises of 2008 made the carrier slash back its IT budgets (as well as other “expenditures”). Airlines, in general, are notorious for under-spending on IT, but when combining that with further cutbacks on IT expenditure, disaster may ensue. BA’s recent IT related woes may or may not be a direct result of under-spending on IT, but in the court of public opinion, this connection has been made.
In any case, with the new fine regime under the GDPR, the risks associated with under-spending on IT – and on IT security in particular – have now gotten substantially bigger.
More than ever, the notion that IT is an expenditure that can be cut back on is a false economy.