Cybersecurity in Open Banking – From Limitation to Business Propeller

Open banking has become a strategic priority for many financial institutions. To comply with regulations and meet demands from clients who want a better experience, banks are being forced to open their platforms to the outside world. 

It’s an exciting time to be involved in the digital banking transformation. We are witnessing many changes with data-first and customer-first processes, and cloud decentralization strategies that will ultimately provide more choices to individuals concerning the movement of their money, as well as information between banks and fintech companies. 

But in this context, many organizations still see the need for cybersecurity and IT infrastructure as limitations for their optimized business models. However, in an industry where the safety of assets has historically been of utmost importance, they couldn’t be more misguided. Security is, and always will be, what sets apart the financial institutions that shall prevail in an innovation-first environment.

Security challenges in a cloud ecosystem

A whitepaper published by Cisco revealed that in 2016 financial services firms were less likely to use cloud-based security tools than firms in other industries (only 18% had cloud-based vulnerability scanning at the time). Fast forward to today, and organizations of all sectors have turned to the cloud to reduce costs and improve security. But there’s a catch.

As reported in the 2022 Cloud Data Security Report by Netwrix, 80% of organizations that use the cloud store sensitive data there, and 53% of them suffered a cyberattack within the last 12 months.

Does this mean financial institutions are not safe and should completely abandon their efforts to build cloud ecosystems? Hardly so, unless they want to risk falling behind their competitors. But it does mean that every step taken towards open banking should be carefully thought through from a security perspective.

According to Scott Cruickshanks, Executive Director in the Cyber Security Team at J.P. Morgan, the time taken to implement things in a secure, scalable way is the main challenge to a secure digital transformation. “The business needs to move fast to meet customer demand, which often results in one-off security solutions being implemented,” he says. “They may work in the short term but are ultimately just creating technical debt.”

In banking, the more secure you are, the more clients will do business with you. The integration of IT security into an open banking solution is not only a question of securing the planned services – it is an important element that must be transparent to customers to win their trust.

A complex, interconnected and customer-centric landscape 

“The time to apply fixes, patches, or digital vaccinations for public vulnerabilities has drastically reduced in the past years to only a few hours, sometimes even minutes,” says Christian Ulmer, Global CISO of Avaloq. According to him, nowadays “the distribution of data across systems, devices, and networks makes it indispensable that protection has to travel with the data.”

Technologically speaking, discussions in the industry regarding API security indicate a clear trend toward an upstream security layer that offers a series of advantages – namely the convergence of application security, API protection, and access management. At the same time, the security framework is key to transparency from a compliance perspective, tracking all requests and signing transaction confirmations.

But while that’s the core of it, it’s vital to remember that the average customer is always looking for a better deal and, as this article from Adnovum argues, existing digital banking services can now be seen as substitutable commodities.

Flexible IT systems that support intelligent security processes will become the new factors to drive clients’ decisions going forward. For example, if a single sign-in enables a client to use multiple applications and services, that’s an instance of identity management that is capable of bringing together a coherent brand experience with cost-efficient processing.

The weakest link in open banking?

With APIs, encrypted data transfer, and reduced information sharing, security is at the core of open banking. However, as the ecosystem grows, experts agree that it’s inevitable that fraudsters and attackers will find new ways to take advantage of users’ shortcomings and exploit the financial industry.

“Too many fantastic PowerPoint strategies are met with significant real-world challenges. We must not overlook the human aspect,” says Mark Barwinski, Global Head of Cyber Operations at UBS AG in Zurich. “How do we inspire teams and develop them? How do we establish credibility and support our businesses to thrive?”

As ransomware concerns skyrocket, fraudsters now have more entry points through which to try to get into the banking system to initiate a payment or intercept personal information:

  • Hybrid & Cloud-Based Data Centers
  • Online and mobile channels that are used for banking needs
  • Exposed web applications and APIs
  • Extensive deployment of SD-WAN connectivity
  • Third-Party Providers
  • Employees…

… Just to name a few. To cover all variables, the human element is something the industry needs to tackle head-on. Only by taking people’s security into consideration will financial enterprises be viewed as trusted partners.

Join the discussion

If you are interested in further insights about secure finance and banking, and you would like to connect personally with the security experts featured in this article, we invite you to join the Global Cyber Conference.
