Earlier this month I was a guest on Episode 47: Innovation and Tech Zoom In of the European Edition of the Breaking Banks Podcast Moderated by Ajit Tripathi. The podcast looks at “European Unicorns, Startups, Founders, Regulators and Leaders innovating the rapidly evolving Fintech scene, with some of the world’s most well-known hosts and influencers in fintech. Produced in cooperation with FintechStage.”
With this blog, I would like to summarize my reflections on the relationship between AI and cybersecurity which specific reference to the financial sector.
The multiple dimensions of AI and cybersecurity
The relationship between AI and cybersecurity in the banking and finance ecosystem can largely be divided into three dimensions of use:
- Offensive use of AI: in this dimension, cyber criminals make use of AI to identify and detect passwords or user credentials, also exploiting images and audio which can then be used to commit identify fraud or theft, to carry out more credible phishing attacks, or even to develop new malware.
- Defensive use of AI: in this dimension AI is used to fight against cyber-attacks, “creating enormous investigative capabilities by analysing large amounts of information and identifying patterns and anomalies”, which could be applied, e.g. in the financial sector as a preventative measure.
- Targeting and exploiting AI: in this dimension, the vitality of establishing cybersecurity requirements for AI is made clear in a situation where the increasing proliferation of AI and their sensitivity in highly sensitive sectors such as finance (but also think about the energy, healthcare, or transportation sectors where lives can even more be directly put at risk).
Please see the: EU Security Union Strategy – Communication from the Commission to the European Parliament, the European Council, The Council, The European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy. Brussels 24.7.2020
Policy reflections on AI and cybersecurity
“Cybersecurity is essential in establishing the reliable and trustworthy deployment of AI – this is a principle area of work by the EU Agency for Cybersecurity.” In the context of a webinar organized by ENISA, the European Agency for Cybersecurity, which took place earlier this month (October 2020), it was noted that while at the moment there is not a “concrete baseline for cybersecurity in AI”, that the Agency is working on developing one. In fact, ENISA is currently looking into the AI cybersecurity ecosystem and should publish its Threat Landscape for AI Cybersecurity Report already by the end of the year. In the words of its Executive Director Juhan Lepassaar, “Cybersecurity is the foundation of trustworthy Artificial Intelligence solutions. It will serve as a springboard for the widespread secure deployment of AI across the EU.”
Trust plays an important role in the area of AI, especially when it comes to technological adoption and uptake by the general public. Along these lines, MEP and Chair of the Future of Science and Technology Panel in the European Parliament, Ms. Eva Kaili has noted that “Trust is one of the most important factors for the adoption of new technologies. Recent cases of deepfakes or manipulation of citizens’ data and cyber threats faced by businesses, foster distrust in technology; Europe must lead in a safe digital era without compromising privacy, especially in relation to AI, a technology that has exponential transformative powers. We must take advantage of the opportunities that AI brings for the European society and economy in a safe and secure way with respect for digital rights and quality standards for all. Cybersecurity is therefore key in inspiring trust in AI and we as regulators have to ensure that an all-encompassing cybersecurity strategy in Europe complements our ambitions towards developing our European AI capabilities.”
Despina Spanou, Head of Cabinet for European Commission Vice President Margaritis Schinas, furthermore underlined that “There cannot be AI without cybersecurity if the technology is to expand and be beneficial for our society and the economy.” Trust in the banking and finance sector is essential for consumers to make use of such institutions and in turn, is necessary for the sector to flourish. Individuals need to be able to trust their banks and related apps and have faith that their information and finances will be adequately protected from malicious actors.
FinTech and cybersecurity: reflections on how the banking and finance/fintech sector is impacted by AI and cybersecurity
The FinTech sector is characterized by its high level of innovation inside of a complex ecosystem comprised of banks, financial service providers, and start-ups, among others. In this ecosystem, financial technologies are driven by vast amounts of data that can range from payment data, credit data, financial transaction data, all the way to geolocation and even special categories of personal data, which when compromised can present significant risks to the rights and freedoms of users. It is precisely this vast amount of data in combination with the vulnerabilities inherent to new technologies that make the sector is an attractive target for cybercrime. The sector presents novel risks not only to the rights and freedoms of data subjects, but also to their financial assets and potentially their economic wellbeing.
Recent research has suggested that alongside a 72% rise in the use of Fintech apps in the period of the coronavirus, so too have malware and ransomware been driven by the pandemic. According to ZDNet (May 2020) “The coronavirus pandemic has been connected to a 238% surge in cyberattacks against banks.” In fact, the third edition of the Modern Bank Heists report notes that “financial organizations experienced a massive uptick in cyberattack attempts between February and April this year — the same months in which COVID-19 began to spread rapidly across the globe; adding that 80% of firms surveyed have experienced more cyberattacks over the past 12 months, an increase of 13% year-over-year.”
As distributed denial-of-service attacks, malware, phishing and ransomware attacks increase over time and FinTech solutions become more established and widespread, innovation in the cybersecurity field will become ever-more important to protect users from financial cybercrimes.
Cyber-attacks and data breaches
Earlier this year it was reported that Dave, a US FinTech giant, suffered a major “breach of customers’ personal data via a third party supplier, after researchers found a database containing millions of records for sale online.” Allegedly more than 7.5 million records (associated to 3 million addresses) are for trade on the dark web. According to Dave, “As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm. The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers.”
It should be noted that Dave claims that there is “no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident”. However, it should not be discounted that passwords could be decrypted and used by cybercriminals or even that the information obtained in the breach could foster future and more credible phishing attacks against those whose data were exposed.
Perhaps one of the most well-known cyber-attacks in the banking sector is the 2014 JPMorgan Chase data breach where allegedly more than 83 million accounts and 7 million small businesses were impacted. Exposed data in this case consisted of names, email addresses, physical addresses and phone numbers, something which is known to opening victims to phishing attempts. Banks are increasingly under the radar of European Data Protection Authorities, especially concerning data breaches. Late this spring the Italian DPA fined major bank Unicredit 600,000 Euro following a complex investigation into a data breach caused by abusive access to the personal data of over 700,000 customers which took place between April 2016 and July 2017. At the end of July 2017, the bank notified the Authority of a data breach it had suffered. It was found that unauthorized access took place at two separate times, using the profiles of employees of an external business partner, leading to the access to information that included personal and contact details, profession, levels of study, identification details on identification documents and information relating to the employers, salaries, loan amounts, payment status, “approximate credit classification of the customer” and Iban code.
Another example of a prominent AI-related breach is that of Cense AI, where it was found that over 2.5 million medical records had been leaked, compromising information such as insurance records, medical diagnoses, and payment records. It is said that researcher Jeremiah Fowler, discovered “two folders of medical records available for anyone to access on the internet. The data was labelled as ‘staging data’ …hosted by artificial intelligence company Cense AI, which specializes in ‘SaaS-based intelligent process automation management solutions.’”
What the EU is doing to fight cyber-crime in the financial sector
The EU is actively engaging in defensive operations against criminals in the financial sector. Just last month (September 2020) an operation supported by Europol and Eurojust in cooperation with Estonia, Lithuania, and Romania successfully dismantled a criminal organization that carried out phishing, fraud, and money laundering activities. Phishing attacks were launched by the group “via text messages and emails impersonating legitimate banking institutions. The messages contained links to fake banking websites, through which the suspects created either new Smart ID accounts or collected bank account credentials and passwords from their victims.” Using the obtained credentials, the organization made unauthorized wire transfers to a number of bank accounts in EU countries, steaking more than EUR 200,000 from nearly 600 individuals.
It should also be noted that one of the three mandates of Europol’s European Cybercrime Centre (EC3) is that of countering payment fraud. In fact, thanks to its Joint Cybercrime Action Taskforce (J-CAT), Europol has already “supported several high-profile cybercrime operations and investigations, such as Operation Imperium, which targeted an organised crime network active in payment fraud.” In this case, “Bulgarian and Spanish judicial and law enforcement authorities, working in close cooperation with Europol’s EC3, have dismantled a significant Bulgarian organised crime network suspected of a variety of crimes including large scale ATM skimming.” Resulting in double digit searches and arrests and the seizure of numerous devices such as “1000 devices, card readers, computers, phones, flash drives and plastic cards ready for encoding seized.”
Risk management and governance for financial institutions
It goes without saying that “The security needs of financial institutions are unique, as cybercriminals constantly target attacks at entities where they can experience the most financial gain.” A 2019 EBF position paper on AI in the banking industry confirms this. As the sector is ripe with risk, it is all the more important that financial institutions ensure that they adequately govern privacy, data protection and cybersecurity matters and have in place appropriate organizational and technical measures, procedures and policies to do so. Furthermore, it is essential organizational governance of cyber risk must take into consideration the vast number of players involved in the provision of financial services. As the Unicredit sanction and Dave breach above confirm, supplier selection and relationship management throughout the supply chain should be given adequate attention. It is increasingly the case in the new digital economy where organizations rely on a complex chain of supply partners that careful due diligence is carried out with respect to both data protection and cybersecurity.
A vital figure in ensuring that risk is adequately measured can be found in the figures of the Chief Information Security Officer (CISO) and risk officers, who can ensure resilience. Resilience in the realm of cybersecurity is defined as “The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs” (See NIST SP 800-39 under Information System Resilience and NIST SP 800-53 Rev. 4 under Information System Resilience).
Seven risk management and governance priorities to be considered by organizations in the financial services sector:
- Provide products and services that are designed and developed – along the whole value chain – according to the principle of Data Protection and Security by Design, which consists of following internationally recognized standards such as those put forward by ISO Standards and the work of ENISA, among others;
- Promote an organizational culture of cybersecurity where all employees and members of the organization are made aware of and regularly alerted to data protection and cyber risks that may come to life, giving them the tools to address them;
- Make use of Integrated Data Protection Impact Assessments and Security Risk Assessments, which will assist the organization in effectively identifying and managing real and potential risks;
- Follow the Zero-trust security approach according to which “organizations should not automatically trust anything (actors, systems, or services operating) inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”
- Ensure resilience and the ability, also of supply chain partners, to quickly respond to both actual breaches and any potential threats and risks that may arise.
- Invest in AI-enabled cyber protection systems, as has been promoted by the High-Level Expert Group on Artificial Intelligence set up by the European Commission in its Policy and Investment Recommendations for Trustworthy AI report.
- Develop new innovative approaches for risk management to adequately address current and future cyber challenges in the financial sector.
The current legal framework and possible certifications
The shortcomings of the current European data protection framework to adequality address issues related to AI has already been confirmed (see the European Commission’s White Paper on Artificial Intelligence – A European approach to excellence and trust). Even more, as it presently stands EU product safety legislation only applies to products as opposed to services “and therefore in principle not to services based on AI technology either (e.g. health services, financial services, transport services).” In accordance with the EU’s Coordinated Plan on Artificial Intelligence, the EU legislative framework should ensure that AI is both able to flourish and that AI systems are adopted while as the same time, “addressing possible risks raised by the use of, and interactions with the technology, including cybersecurity concerns.” This calls for cybersecurity as a means to both prevent “abuse (e.g. hacking or manipulation of the AI algorithms or manipulation of the data processed by the AI algorithm), as well as for the inclusion of mechanisms to ensure the safety of consumers and effective redress to victims in case of damage and to facilitate investigations if the AI system is compromised.”
In fact, the European Commission has already suggested that cybersecurity requirements for AI should be specified as well as certified under the proposed European Cybersecurity Certification Framework, noting that “businesses acting in security relevant fields (e.g. financial institutions, producers of radio-active materials, etc.) the use of certain AI products and processes serves public interest therefore their use may be made compulsory. An adequate safety and liability framework guaranteeing a high level of safety and effective redress mechanisms for victims in case of damages is essential for building trust in AI.”
A recent survey has shown that the majority of people in the EU (55%) are concerned about their data being accessed by criminals and fraudsters. The globalized nature of the economy, products, and services we have access to only accentuates these threats. Furthermore, third country industrial policy, “combined with the continued cyber-enabled theft of intellectual property, are changing the strategic paradigm for protecting and advancing European interests.” This is all the more exaggerated by the use of “dual-use applications – making a strong civilian technology sector a strong asset for defence and security capability. Industrial espionage has a significant impact on the EU’s economy, jobs and growth: cyber theft of trade secrets is estimated to cost the EU €60 billion.” Calling upon us to reflect on “how dependencies and the increased exposure to cyber threats affect the EU’s capacity to protect individuals and businesses alike. Use of Artificial Intelligence, new technologies and robotics will further increase the risk that criminals exploit the benefits of innovation for malicious ends.”
Such threats, as is underlined in the EU Security Union Strategy, necessitate a response at the EU level in order to most adequately defend European citizens and businesses. However, it should be remembered that “When security vulnerabilities can come even from small inter-connected household items such as an internet connected fridge or coffee machine, we can no longer rely on traditional state actors alone to ensure our security.” Economic operators must therefore take greater responsibility for the cybersecurity of products and services they place on the market. This can also be accomplished by way of adherence to principles, such as those enshrined in the Maastricht University Data Protection as a Corporate Social Responsibility Framework (Maastricht DPCSR Framework).