London-based airline EasyJet revealed on Tuesday that nine million customers’ personal information was stolen in what it called a “highly sophisticated” cyber-attack.
In addition to email addresses and travel details being accessed, 2,208 of those customers affected also had their credit card information stolen. EasyJet clarified that no passport details were uncovered in the breach, and that it would contact those affected.
It is not yet known how the historically large data breach occurred, but EasyJet said that it had “closed off this unauthorised access” and reported details of the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.
The size of the breach raises the possibility of EasyJet being forced to pay significant compensation, as was the case for British Airways after the personal information of 500,000 customers was stolen. In that case, the ICO fined the airline £183 million.
A similarly sized fine would likely be a significant blow to EasyJet, which has already said it expects to make a loss of around £275 million this year as the COVID-19 pandemic continues to drive demand for air travel through the floor.
Reacting to the news, Tony Pepper, CEO of Egress, called the breach “another stark reminder that airlines must take a comprehensive risk-based approach towards protecting customer data”.
“For organisations, it remains crucial they continue to prioritise data security at all times, but especially when there’s widespread introductions of new systems as there has been in response to sustained remote working during the COVID-19 pandemic.”
Well, all too often these processes utilise simplistic methods, such as spreadsheets. This ignores the multiple benefits that more technologically advanced processes can bring, most notably far greater accuracy. More accurate forecasts will help businesses in many ways, from securing funding from banks or investors to identifying future shortfalls. While rethinking how to approach cash flow forecasting will always be relevant and beneficial for businesses, in today’s uncertain climate of business instability due to COVID-19, it is especially important.
In fact, cash flow forecasts are almost useless if they are inaccurate and it is only the businesses with accurate forecasts that will flourish. Accurate forecasts allow businesses to run predictably, generate funding and make informed decisions on capital investment. In contrast, inaccurate forecasts can lead to potentially devastating outcomes. At the lighter end of the scale, an inaccurate cash flow forecast can result in missed opportunities while the business had surplus cash in the bank. Whereas, at the heavier end, an inaccurate forecast could lead to overtrading and the end of the business. It is clear that this must be avoided and remedied, but how? Andy Campbell, Global Solution Evangelist at FinancialForce, shares an alternative method with Finance Monthly.
The Difficulties
Although popular, the spreadsheet presents many issues as a tool for cash flow forecasting. The first of these is that future income and future expenses are typically completed in monthly increments. This is an issue because it means that the future is generated using data from the past so by the time the forecast has been generated, the data is out of date and, therefore, no longer accurate. Another issue is that it takes a lot of time to assimilate data from the many different sources required for this process which causes further delays. A solution to this problem is that all data from each department be made visible to the finance teams so that they can create an accurate and real-time data set.
A well-built data set will become the foundation for accurate forecasting, so it must be able to process the variety of data produced by each department. This is because companies generally process a combination of both product and service-based revenues. Therefore, the data set must be able to manage both of these sources and their different payment structures.
Although popular, the spreadsheet presents many issues as a tool for cash flow forecasting.
Volatility presents another difficulty to be reckoned with. As the current pandemic has shown, volatility can come in unexpected forms and not all can be protected against. However, preparation is key, and some volatility is more predictable. For example, businesses themselves are volatile by their very nature with the changing of business models in line with the latest developments. Therefore, it is to be expected that business revenues would also be prone to volatility. This can be mitigated against by ensuring that all data has human oversight and is regularly reviewed. Doing so will ensure that any projection is in line with the company’s strategy and should prevent unexpected outcomes.
Cash flow forecasting comes hand in hand with revenue forecasting, which is the greatest of all these challenges. Revenue generation crosses all departments: starting in marketing, it is then delivered by sales, realised by operations and, finally, measured by finance. As already stated, the collating of data from multiple departments is tricky, revenue generation crosses all departments so presents a tangible difficulty here. Currently, the typical finance department addresses this using a complicated interlinking system of spreadsheets which often presents further problems. Another issue is that there can be disconnect between departments where a lack of trust means that data is not readily shared. To solve this, businesses must remove the culture where each department treats its goals separately rather than looking at one overarching goal and working together.
How to Overcome These Difficulties
The problems can be broken down into two main categories – technology and people. In terms of people, this comes down to the business culture and only a business that can successfully change its culture will be able to successfully implement new technologies. It is very important that employees are properly briefed and trained in the new processes or technologies that businesses want to implement so that they feel part of the processes and are adequately prepared. Simply enforcing a new process and expecting it to be a success will not work and there will be no visible improvements to the business. Successful change to a business culture, at all levels of seniority and across all departments, will result in more tangible improvements.
[ymal]
In regards to technology, the days of spreadsheets are over, it is time to retire them and let new technology take over. Finance needs to have clear and direct visibility into active opportunities to be able to generate accurate cash flow forecasts. A simple way to do this is to integrate the CRM with finance which will give a window directly into the required processes. The data set can be further strengthened using data from the past, for example past win rates and payments can indicate what the future may hold. AI can analyse historic data sets to identify customers who were slow to pay in the past and, therefore, are likely to be slow to pay in the future.
Ultimately, the more integrated a business is, both in terms of people and technology, the more smoothly it will run and the better its outcomes will be. Having a finance team that can produce accurate cash flow forecasting and a business reaping the rewards is not as difficult as it may seem. There are tools and technologies to help along the way. It is time to say goodbye to spreadsheets and to embrace the new way to approach cash flow forecasting.
Finance teams are still spending too much time in ‘excel hell.’ Every hour spent grappling with spreadsheets, pivot tables, and pie charts are hours that could be spent helping make better business decisions. And yet, astonishingly, top finance functions are still devoting 75% of their time to data analysis, according to a recent PWC study. Eugene Hillery, Senior Director of International Operations at Tableau, offers Finance Monthly his thoughts on the issue and why it should be turned around.
Spreadsheet drudgery isn’t just frustrating and inefficient, it’s outdated. There is a huge range of intuitive, interactive and highly visual data software available – what some call ‘visual analytics’ - designed to help knowledge workers see and analyse the data that matters to them, faster.
Delivering insight from data should be the core competence of finance – not spreadsheet navigation. Yet, research from Sage shows two thirds of CFOs (64 %) are still unable to make data-driven decisions to drive business change. Here are five reasons to kick-off an analytics overhaul:
1. You Can Work (And Collaborate) From a Single Source of Truth
Conventional spreadsheets are capable of handling many tasks, but real time collaboration has never been their strongest suit.
Inconsistent version control, restricted server access and unnecessary duplication are a drag on far too many finance teams. When there are multiple sources of ‘truth’, hours of time are needed to make sure conclusions are built on accurate and up-to-date data. The longer this process takes, the less value you can claim from any time-sensitive data.
With more advanced analytics products, finance teams can bring diverse data sets together from across an entire organisation, allowing everyone to work from a single source of truth. This offers a holistic view and saves time especially when everyone, whether from AP, AR, Tax or Purchasing can collaborate on the same data in ‘real time’.
Inconsistent version control, restricted server access and unnecessary duplication are a drag on far too many finance teams.
2. You Can Get Insight Overnight
More than ever, the ability to connect to offices around the world is a business necessity. The power of a rolling international handover between knowledge workers using accurate, up-to-date data, is tremendous.
For example, if daily sales or staff performance data is be collected at the close of a business day in London, it can be turned into insight by teams in the US literally overnight. This means recommendations for action land on desks at the start of the next day in the UK, and issues can be resolved faster.
If a coherent view of your accounts means drawing information from data sources in China and the US, for example, trying to reconcile them through different spreadsheets will only bury insight. Quick answers are critical for teams operating across different time zones, as for any business that needs an accurate overview of what’s going on in a hurry.
When diverse data sources are unified in a single interactive dashboard, drilling into the numbers can be done by anyone, wherever they are.
3. You Can See Both Granular Detail and the Big Picture
Managing business expenses is a never-ending task, but it’s another area where working smarter beats working harder.
Data analytics software helps uncover the kind of hard to spot correlations that can be invaluable in finding new ways to keep costs down. Dashboards should make it easy, for example, to see which employees are in the habit of booking flights well in advance (saving the company money) and those who rack up huge bills by making last minute purchases.
A faster understanding of data outliers is also valuable in the quick response to business challenges that may exist. Instead of questioning ‘what’ is happening, conversations are led with ‘why’ it is happening. Data analytics makes it easier to uncover cost drivers and make predictions about cash flow. This equips finance teams to identify the source of a challenge faster than ever and help drive the solution.
[ymal]
4. You Can Put Your Focus on the Future
Access to an organisation’s accounting full history means the finance team is best placed to offer predictions for its future. In general, the richer and more diverse the data that underpins those forecasts, the more accurate and useful they become.
With data analytics, finance teams can use a cash flow summary dashboard to help management understand the outlook in aggregate. They can ask useful questions like “what are our balances by currency, subsidiary, country, banking partner or geography?” The ability to reveal and answer these is fundamental to supporting other financial processes like preparing for audits and SOX compliance.
Combining effective data analytics and artificial intelligence support allows teams to compile and comprehend far bigger data sets, and even help present larger, more evidence-laden projections. This level of authority is what enables finance teams to play a more strategic role in the boardroom - advising CEOs, boards and investors, not to mention staff or customers. In fact, eight in 10 CFOs in the UK (78 %) say their role has changed recently and they are focusing more time and effort on business-wide operational transformation, according to Accenture.
Access to an organisation’s accounting full history means the finance team is best placed to offer predictions for its future.
The best visual analytics software make comparisons between external data sources like economic trends, and internal sources like operational numbers or sales figures. This in turn empowers finance teams to be more efficient and intuitive, making better recommendations with longer lasting impact.
5. Investing in Your Money People
The pace and scale of digital transformation is something finance teams understand better than most. After all, they are the ones processing payments for every major IT investment a company makes.
It’s not surprising then that it is so frustrating to see finance teams often overlooked for technology investments which could in fact create efficiencies that drive business forward.
Of all business areas that stand to benefit from the ongoing revolution in data analysis, finance departments have the most to gain. Gartner research shows that the number of finance departments deploying advanced analytics will double within the next three years. Visual and AI-empowered analytics can untap the insight and creativity currently locked in finance teams across the UK – but only if they can look up from their spreadsheets and see them.
Dermot O’Kelly, Senior Vice President, Europe at Finastra
Think your organization hasn’t embraced AI? Think again. The reality is that there are hundreds of applications of artificial intelligence embedded in everyday organizational life. From pay-per-click ads to social listening, chatbots to lead scoring, biometric security to network attack detection. As Europe at Finastra's Senior Vice President Dermot O'Kelley outlines below, the chances are that your organization is already relying heavily on AI for a range of functions.
It’s true that many of these services may be provided by third parties connecting directly to systems via open APIs. The organization therefore doesn’t need to become the expert. In fact, there is a proliferation of external experts as AI becomes ever more accessible. In less than two years, training time for machine vision algorithms dropped by over 99%. It went from three hours to just 88 seconds – whilst computational costs dropped from ‘thousands of dollars to double-digit figures’.
It therefore comes as no surprise that organizations are looking at how they can benefit from the AI revolution, to help boost areas such as operational efficiency, security, predictive capabilities, product development or customer satisfaction.
In less than two years, training time for machine vision algorithms dropped by over 99%.
Leading the way is the financial services sector, not least because of the vast amounts of data held by legacy organizations, but also in response to the changing expectation of consumers. Tech giants created new models of engagement, platforms that consolidated services and captured data to further fuel predictive capabilities, and this expectation of convenience is now shifting to financial services, where consumers are now more than comfortable with concepts like robo-advisory. Institutions, regardless of whether they’re providing retail services, lending, trade finance, wealth or any other line of business, are racing to adopt similar models without relinquishing customer data.
As data proprietors, the world of opportunity that AI affords any organization is immense. Data is the new currency as we enter the fourth industrial revolution, and all AI applications rely on huge amounts of data to function well. So, why aren’t all organizations rushing to embrace AI?
- Firstly, the lack of appropriate, compliant data. Successful AI models require tens of thousands of records, cleaned and labelled, that have been captured and stored according to strict regulatory conditions.
- Secondly, the growing urgency for transparency and accountability in data, models and decisions to stop the cumulative effect of bias. Best practices are offered, but as yet there is no universal regulation or consensus.
- Thirdly, the ethical implications - just because you can doesn’t automatically mean that you should, particularly where privacy is concerned. As Cap Gemini noted, consumers are attuned to ethical practices…get it wrong and the trust – and business – is lost.
- Finally, the well-documented shortage of skilled AI and Data experts. Thankfully, through open APIs, all organizations can connect in AI-based capabilities developed by specialist third parties – it doesn’t always pay to build in-house.
[ymal]
The intelligence race continues unabated, with escalating VC investment in AI and new, exciting applications that are having tangible success. Still not sure what Artificial Intelligence can do? Very soon it will be easier to recall the few things the technology can’t do.
The FCA, the authority that regulates UK banking and financial services, has this week admitted to accidentally leaking the private data of around 1600 people that complained against the regulator.
In a document on its website, the FCA published names, phone numbers and addresses in response to a freedom of information request in November 2019. No other data like financial information or passport info was included, however. The private data belonged to those who complained against the FCA between January 2018 and July 2019.
The FCA has admitted to the leak and apologised, with the intent to address each person whose data was revealed and apologise to each in writing. It has referred itself to the Information Commissioner’s Office (ICO) and will likely expect a fine for the data breach.
On the back of this news, Andy Barratt, UK MD at international cybersecurity consultancy, Coalfire, told Finance Monthly: “The question on a lot of people’s minds will be how does the ICO respond to a data breach at a fellow regulator.
“Together, the ICO and FCA enforce some of the largest monetary penalties for data breaches and there could be cries of foul-play if one’s punishment of the other appears to be a light touch.
“While many will see this as embarrassing for the FCA, it now has a real opportunity to go through the same pain as those it regulates and learn from it.
“Human error is, to an extent, unavoidable and it will be interesting to see whether the FCA better empathises with those it polices in future.”
Here Andy Barratt, UK managing director at international cybersecurity specialist Coalfire, explores how the financial services sector can turn the tide on costly, high-profile cyber missteps.
It’s fair to say that the financial services sector has struggled to secure positive consumer sentiment for itself recently – particularly in relation to cybersecurity. At the end of October, the government’s Treasury Select Committee (TSC) went so far as to say that the number of IT failures at banks and other financial services firms has reached a level it deems “unacceptable”.
The criticism, which highlighted poor IT performance within financial firms and a lack of decisive action from their regulators, comes in the wake of a string of high-profile and costly cyber glitches in recent years. Most notable among those is TSB’s unsuccessful attempt to migrate its systems over to new parent company Banco Sabadell.
Customer details were left easily accessible and vulnerable to fraud attacks, as well as resulting in thousands being unable to access their accounts. But TSB are not the only culprits: Barclays, RBS and VISA are among a raft of other major financial service providers to have suffered serious technical glitches in the past few years.
Why then, with so much at stake, are financial firms lagging behind when it comes to their cyber strategy?
Complex legacy tech infrastructure
The first aspect that makes large firms so susceptible to attacks is that their IT systems are often complex and, significantly, outdated. Hackers can easily find weak spots in the system or, as in TSB’s case, vital information can slip through the cracks.
The first aspect that makes large firms so susceptible to attacks is that their IT systems are often complex and, significantly, outdated. Hackers can easily find weak spots in the system or, as in TSB’s case, vital information can slip through the cracks.
Our inaugural Penetration Risk Report, which took place around the time of TSB’s issues, found that the largest firms are less likely to be prepared to face up to cybercrime than their mid-sized equivalents – despite greater budgets and resources – due to their cumbersome and slow-moving infrastructure.
More recently, we’ve seen those larger businesses close the gap, mostly through the support of in-built cloud security services, but the risks still remain for many. In the financial services sector specifically, this year’s study indicated that the level of external threat has actually increased.
The rush to implement services under a new ‘Digital’ initiative sometimes comes at the cost of addressing the underlying legacy issues too. Whilst the big banks rush to keep up with the online-only challenger banks they re-allocate budget for the new apps and forget the underlying infrastructure they depend on.
‘Yes’ culture
One of the key risks boosting that threat is a habit within large corporate cultures for IT teams or risk managers consistently ‘downgrading’ risks due to lack of understanding or complacency when reporting to those further up the pecking order. This is dangerous and can lead senior figures to the conclusion that everything is ‘ok’ within their organisation when, in reality, an IT crisis is just around the corner. This is particularly true when organised crime groups are targeting financial services with highly sophisticated attacks that are often discounted by management with a throw away ‘nobody would do that’ comment.
Companies should attempt to foster a ‘safe’ environment where staff feel comfortable raising problems they encounter so that solutions can be found before disaster strikes. They should also to remain current with intelligence from their incident response and forensic partners who will see the sophisticated threats when they do cause a breach.
An enhanced understanding of the issues facing the business is less likely to leave senior spokespeople up a creek without a paddle when facing the media. No one would expect a CEO to know all the ins-and-outs of their IT infrastructure, but basic comprehension can go a long way. Knowledge is power.
[ymal]
Weak links in the chain
Due to the nature of the industry and the services they provide, banks and large financial firms are required to interact with third parties on a massive scale. Unfortunately, this isn’t without its drawbacks.
Many third parties – and, by extension, their own supply chain – lack the sophistication and / or the wherewithal to deal with cyberattacks. As such, they are often the first port-of-call for a hacker looking to worm their way into a major system.
An example includes the British Airways data breach in the summer of 2018, when hackers were able to take information directly from the airline’s website thanks to access from a third party.
Often, being subject to this form of intrusion is pure bad luck rather than bad planning. However, large firms must ensure that they’re sufficiently protected and that access for third parties is limited. It’s a simple case of making sure that your back’s covered wherever possible.
Human error
Perhaps the most common error (and the most tangibly addressable) is the human risk inherent within any business. Naturally, the larger your workforce, the greater the risk you face, which is a major issue within the financial services sector.
Phishing, a scam that prompts staff to provide their username and password, is still one of the simplest but most successful ways potential attackers get their foot in the door.
The key to combatting the danger is providing constant training to employees so that they’re fully aware of the threat and the responsibility that they have towards protecting the business.
What’s more, the high-profile cases mentioned above are dangers in themselves: when the glitch or failure makes the news, a sign post is placed for hackers looking to break in. Each headline is an ‘x-marks-the-spot’ for a company’s weak spot, as well as their competitors’.
It’s a brutal world that financial services businesses face as technology advances but, with such large amounts of money at stake, they must be up to the challenge.
The company’s report, ‘Saudi Aramco After IPO – Company Overview and Development Outlook’, reveals that five major expansion projects – four crude and one natural gas – are being planned to boost output in the country.
One eighth of the world’s crude oil from 2016 to 2018 was produced by Saudi Aramco. As well as being the world’s largest oil producing company, it is also the most reliant on oil production, with 88% of its total 2018 upstream production coming from crude.
Somayeh Davodi, Oil and Gas Analyst at GlobalData, commented: “The major expansions at Saudi Aramco’s offshore oil fields of Marjan, Zuluf, Safaniyah and Berri are expected to comprise the majority of the company’s upstream investment over the next three years. Although these developments will also add gas and NGL capacity, the main addition will be oil.”
In 2018, the company’s MSC capacity (maximum barrels of crude oil that can be produced during a year) was 12 million barrels per day (bd) with 10.5 million bd oil produced plus the remaining 1.5 million bd available as spare capacity. This capacity allows flexibility to respond to market supply and demand fluctuations. The new expansions will add 1.45 million bd additional oil capacity.
Davodi adds: “Future production, including the ability to realize output gains from new capacity additions, is likely to be highly dependent on OPEC quotas. Production cuts are set to continue into 2020, but could be extended further.”
The interest in ATM malware and attacks is persistent and poses a threat to financial institutions and ATM manufacturers alike.
Here Amina Bashir, Associate Product Manager at business risk experts Flashpoint, offers Finance Monthly some insight into the underground market for malware designed for use in ATM cash-out schemes.
As giant boxes of cash, it’s understandable that ATMs are magnets for nefarious activity. Like many other forms of financially motivated crime, malicious activity against ATMs is supported by an underground ecosystem of illicit offerings and resources, as evidenced across Flashpoint’s datasets.
For example, information sourced across illicit online communities, encrypted chat services, and paste sites shows threat-actor mentions of ATMs on a par with mentions of distributed denial-of-service (DDoS) tools and attacks, far exceeding mentions of Remote Access Trojans, crypters, botnets, and ransomware. The interest in ATM malware and attacks is persistent and should be on the radar of financial institutions and ATM manufacturers alike.
Here’s a look at some known threats to ATMs:
Skimmers and Shimmers
Skimmers and shimmers are small, physical devices which are inserted into ATMs to steal payment card data. They are a popular commodity among fraudsters, but some criminals favor a more straightforward form of theft: directly stealing cash from the machine.
ATM Jackpotting
Jackpotting is the manipulation of an ATM so it ejects the cash within. It is often carried out with the help of specialised malware sold on illicit online marketplaces. During the past several years, malware-enabled ATM jackpotting attacks have been reported worldwide, from Europe and the U.S., to Latin America and Southeast Asia.
ATM Malware
ATM malware continues to be popular among threat actors operating across various platforms. Analysts have observed that ATM malware appears to be sold by only a few threat actors, some of whom may be associates. This is in contrast to other types of malware, which are sold by a wide range of vendors.
[ymal]
Inside the ATM Malware Market
WinPot, Cutlet Maker, and Yoda are among the most mentioned ATM malware variants. Due to similarities in posts, it is possible that some of these malware families are being created or sold by associated—if not the same—threat actors. Moreover, Flashpoint analysts have noted that many threat actors who advertise ATM malware also peddle other offerings on the cybercrime underground, including carding services and access to compromised bank accounts.
Uniquely among cyber threats, ATM malware attacks inherently require a physical presence at the targeted site. In fact, since most common and popular ATM malware variants are installed via USB, where attackers must physically open the machine’s exterior panel and connect an external device—attacking an ATM is hardly an inconspicuous endeavour.
And while some forms of ATM malware, such as ATMitch, can be administered without physical access to the machine by leveraging a known exploit against a financial institution’s servers, such an attack still requires the threat actor or a money mule to physically retrieve the stolen cash from the machine. As such, jackpotting crews are known to select their targeted sites carefully; ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.
ATMs stationed not at banks, but rather at small businesses, shopping centres, gas stations, and other retail locations are the most desirable targets for jackpotting crews.
So, in addition to keeping ATMs updated with the latest security software and patches, one of the best ways for operators to avoid being targeted in a malware attack is to noticeably bolster actual and perceived physical security at ATM sites. For example, an outdoor ATM set back from the sidewalk in a poorly-lit area could be a natural target for jackpotting, but the addition of motion-activated floodlights and conspicuous security cameras monitoring the premises from several angles to avoid blindspots could immediately deter threat actors.
In addition to enhancing visibility and surveillance, changing the lock on an ATM’s exterior panel is another simple way to thwart threat actors sniffing out vulnerable ATMs that use a generic, mass-produced key provided by the manufacturer.
Assessment
Despite being controlled by a relatively small number of threat actors, Flashpoint analysts believe the underground market for ATM malware will continue to flourish, serving a global customer base of threat actors and posing a threat to financial institutions and ATM manufacturers worldwide.
Flashpoint analysts have observed wide variance in the price of ATM malware within illicit marketplaces, from as low as $25 USD up to $5,000 USD depending on the malware being offered, in addition to other factors, such the vendor’s reputation and level of customer support, customisation, and bundled services.
Bitglass recently released its 2019 Financial Breach Report: The Financial Matrix.
This year’s study found that only 6% of all breaches in 2019 were suffered by financial services firms. However, these breaches compromised significantly more records than those that occurred in other industries.
In total, more than 60% of all leaked records in 2019 were exposed by financial services organisations. This is at least partially due to the Capital One mega breach, which compromised more than 100 million records. Despite this outlier, average breaches in financial services companies still tend to be larger and more detrimental than other sectors’ breaches. Fortunately, they do occur less often.
“Given that organisations in the financial services industry are entrusted with highly valuable, personally identifiable information (PII), they represent an attractive target for cybercriminals,” said Anurag Kahol, CTO of Bitglass. “Hacking and malware are leading the charge against financial services and the costs associated with breaches are growing. Financial services organisations must get a handle on data breaches and adopt a proactive security strategy if they are to properly protect data from an evolving variety of threats.”
Hacking and Malware remain the primary cause of data breaches in financial services at 74.5% (up slightly from 73.5% in 2018). Insider Threats grew from 2.9% in 2018 to 5.5% today, while Accidental Disclosures increased from 14.7% to 18.2%.
The cost per average breached record in financial services ($210) has increased over the last few years and exceeds the per-breached-record cost of all other industries except healthcare ($429).
For mega breaches, which affect approximately 100M or more individuals, the cost per breached record in financial services is now $388 – up from $350 in 2018.
Many financial services organisations are still not taking proper steps to secure data in our modern cloud and BYOD environment. Consequently, they are suffering from recurring breaches. For example, Capital One and Discover each experienced their fourth significant data breach in 2019.
The top three breaches of financial services firms in 2019 were suffered by Capital One Financial Corporation (106 million individuals), Centerstone Insurance and Financial Services (111,589), and Nassau Educators Federal Credit Union (86,773).
Javier Meseguer has been appointed as General Manager Southern Europe. Based in Madrid, he will report to Steffen Schaack, Senior Vice President Global Business Development, and will oversee Drooms’ business expansion in real estate, corporate finance and M&A in Spain, Portugal and Italy.
Drooms has also expanded its UK sales team with the appointments of Ditte Nielsen as Senior Business Development Manager and Alessandra Azzena as Business Development Manager. They will report to Rosanna Woods, Managing Director of Drooms UK.
Alexandre Grellier, co-founder and CEO of Drooms, commented: “We continue to see a need for digitalisation among our customers. This not only means making documents available in digital formats but also by ensuring that entire work processes are digitalised. Our latest expansion is the logical next step in our support for customers around the world in this process. Our new offices in Madrid and Barcelona means we are ideally placed to tackle this need in southern Europe head on. As we see it, data protection and data transfer have no borders and we plan to continue our expansion globally in 2020”.
Steffen Schaack, Senior Vice President Global Business Development at Drooms, added: “Our new team members will strengthen our presence in their respective markets and develop further our relationships with customers. We are now widely recognised as the global, independent experts for secure data transfer and digitalisation.”
Javier Meseguer has 16 years’ experience in digital services and data rooms and has invaluable expertise in establishing sales networks. He previously worked as Director of Sales for Snowflake, a provider of cloud-based data rooms, as well as IntraLinks, SAS Institute and The MathWorks.
Prior to joining Drooms, Ditte Nielsen worked as Senior Account Manager at Merrill Corporation, a global SaaS provider for M&A. Alessandra Azzena arrives from Tableau Software, where she oversaw account management and sales in her role as Commercial Territory Manager.
Drooms has also appointed Dennis Kasch as Business Development Manager for the DACH region sales team, bringing its total number of employees across the European market to 170.
You can find our latest interview with Drooms specialists here.
According to Dominic Buch, Co-Founder and Managing Partner at Caple, in order to support that growth, many CFOs will be expected to examine and recommend suitable funding solutions.
Finding an appropriate form of finance is more complex than it used to be. For most of the twentieth century, business lending was based on the value of a company’s assets such as property, stock or invoices.
To help firms access funding, finance directors have therefore developed a good understanding of how lenders would assess their company’s physical assets.
However, today, companies are more likely to be investing in intangible assets such as data, software or a strong brand than tangible ones.
This investment in intangible assets has spurred growth and innovation. But using them as collateral to borrow against remains difficult. Although value is built in intangible assets, finance is raised against tangible ones.
Without a new approach to funding, finance directors, especially in asset-light sectors such as professional services, technology or media, may struggle to find suitable funding for their business.
The growth of the intangible economy
As most finance directors would recognise, companies now build and grow through investment in intangible assets, alongside a continued focus on human capital.
We can see this from the businesses that succeed today.
Airbnb is valued at $35bn because of its network and data, not because it owns apartments. Google has become a global behemoth because of its algorithms.
These companies are valued so highly because of their intangible assets, including the skills of the people that develop them.
The same is true of many smaller but growing businesses too. Service-based businesses contribute around 80% of UK GDP and more than £160bn in annual exports.
For instance, growing financial firms, technology companies and media businesses rely on intellectual property and brand to stand out from their competitors.
But because financial standards have not kept pace with these changes, finance directors may struggle to accurately value their asset and their business.
The challenge accessing capital
Intangible assets present a challenge to traditional lending models based around recoverable security such as property or machinery.
If a company with physical assets goes out of business, a bank can recover its money by selling those assets. Lending decisions can therefore be centred around the value of the assets, rather than the performance of the business.
Intangible assets are less transferable, they cannot easily be recovered and sold to a new owner.
As a result, businesses with intangible asset bases find it more difficult to access debt finance, regardless of the strength of its operations and the associated cash flows.
When asset-light service-based businesses sector are such a vital part of the UK economy, this puts a brake on growth.
How unsecured lending can help
Traditionalists will say equity funding through venture capital or private equity is the solution. Often that holds true.
However, as finance directors will know, third party investment, does not suit every sector, firm or business owner. It also dilutes ownership.
Instead, asset-light companies can now benefit from unsecured lending, based on an understanding of the future cash flows generated by the business, rather than the value of physical assets.
Working with external advisers such as an accountant or business advisor, finance directors often play an important role in helping their business access the right funding.
Both by identifying suitable lenders and in supporting the development of the forecasts and business plans central to a credit process based on future cash flows.
When expanding businesses are important for both jobs and growth, we need to do all we can to help fund them.
We need a new approach to lending where finance directors can help their firms access the right growth funding for them.
According to Simon Hill, Head of Legal & Compliance at Certes Networks, this is mostly due to the fact that financial institutions are not only heavily regulated by data privacy requirements, but they are also under mounting pressure to be open to consumers and businesses about how they are protecting their data from potential breaches.
Additionally, no bank or financial services organisation wants to face the consequences of a data breach. This is demonstrated by the fallout of numerous data breaches in the industry over the years - from Capital One in 2019, to Equifax in 2016 and Tesco Bank in 2017. In the case of the Capital One data breach, a hacker was able to gain access to 100 million Capital One credit card applications and accounts. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Additionally, an undisclosed number of people's names, addresses, credit scores, credit limits, balances and other information dating back to 2015 was involved, according to the bank and the US Department of Justice.
What’s more, the damages of these data breaches are not only reputational, but also financial. As a result of Equifax’s data breach, the organisation reached an agreement to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2016 Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its "largely avoidable" cyber-attack that saw criminals steal over £2 million from 34 accounts. This clearly shows that these consequences can arise no matter how ‘large’ or ‘small’ a data breach may seem; companies that do not encrypt their data adequately enough to safeguard it will be penalised.
On top of this, the increasing expectations of consumers means that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can utilise technology to the fullest extent while still protecting data and avoiding the unthinkable repercussions of a data breach.
The balancing act
To achieve this balance, banks and financial services organisations need to take greater measures to control their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. When stringent policies are generated and deployed, it enables greater insight into applications communicating in and across the networks. New tools are now available to enforce these policies, not only impacting the application’s workload and behaviour, but the overall success of the system access.
Conclusion
Banks and financial services organisations should not have to worry about keeping data secure and protected when it is entirely possible to do so. Adopting new ways to look at how organisations define policies through micro-segmentation and separating workloads by regulations, is one example of how to keep data more secure. Also, ensuring policies define only those users who have a critical need to see the data limits network vulnerabilities. And lastly, a robust key management system that is automated whereby keys are rotated frequently, can also help to safeguard system access and strengthen the organisation’s security posture.
