
Sibos 2023 – Cybersecurity’s Next Era

October 3, 2023

This article was authored by Adriana Villasenor, Senior Director in FTI Consulting’s Cybersecurity practice.

On September 18, more than 9,000 payments professionals gathered at Sibos 2023 in Toronto to reflect on the future of the global payments system.

Over the past year, global transaction banks, financial market infrastructures, central banks, and other custodians of critical payments data have dealt with emerging issues that continue to challenge and redefine how global trade is conducted. Through thought-provoking discussions of geopolitics, cybersecurity, artificial intelligence, and central bank digital currencies (CBDCs), panelists and attendees from around the world addressed this year’s theme: Collective Finance in a Fragmented World.

Below is a summary of key takeaways from this global gathering.

Geopolitical Upheaval, Resilience, and a GPS for the Cyber Threat Landscape

Multiple panels addressed the state of geopolitics and generally reached a consensus on the pivotal role geopolitics play in today’s business environment and the growing risks they bring. Global trade has been notably affected as sanctions are applied around the world and global businesses attempt to adapt, innovate, and grow amid the uncertainty and operational disruption that conflict, illegality, and malicious activity feed.

Geopolitical risk and fragmentation carry significant cybersecurity implications. Sanctioned entities have proven time and again that they will resort to sophisticated cyber intrusions to achieve their goals. Whether financially motivated, espionage related, or aimed at destabilization, large-scale cyber activity correlates directly with geopolitics. Simply put, to anticipate where, and often how, cyber risks will pose the greatest threats, financial institutions can treat the state of geopolitics as a guide: a cyber threat Global Positioning System (GPS).

Rising geopolitical risk is changing the way banks and financial market infrastructures plan and strive to stay resilient. During a session on geopolitical resilience, the chief risk officer of a global financial market infrastructure indicated that today’s environment calls for management to consider geopolitical risk regularly and to embed it in risk management practices, including the assessment of cybersecurity risk.

For the hyperconnected payments infrastructure that underpins global business transactions, geopolitics are an obvious concern. A Chief Payments Officer at a global transaction bank stated, “As much as we want to keep that helpful interconnectedness, we will have to scenario plan for some very unhelpful lack of connection.”

Senior leaders with accountability for cyber risk management cannot afford to ignore geopolitics and the associated need for timely threat information. Staying ahead of the evolving geopolitical threat landscape has to be an essential aspect of an organization’s cyber risk management strategy.

Artificial Intelligence Goes Mainstream, but Also Criminal

As expected at a global payments event like Sibos, artificial intelligence (AI) played a prominent role in discussions, which ranged from whether it will free thousands of bankers from non-value-adding analysis to warnings that it will create cyber risk at scale.

During a session about AI in the context of cybersecurity, a deputy CISO from a leading, global financial services firm offered three ways in which they are looking at this technology:

1) Malicious use of AI – How adversaries can use AI to simplify how they target financial institutions.

2) AI as a resource augmentation tool – How it can simplify what cybersecurity teams do every day, especially those whose job entails consuming large volumes of data.

3) Security of in-house AI models – How financial institutions can secure AI so adversaries do not abuse the models for their goals.

Despite its benefits, it is clear that the democratization of AI will add vulnerabilities. It lowers the barriers to entry for threat actors and enables them to refine social engineering and deepfakes while launching attacks at scale. This puts added pressure on the controls and protective capacity of financial institutions, especially as technology stacks grow and become significantly more distributed.

AI adoption will also require a shift in how financial institutions build cyber awareness across the organization. For years, employees have been told to watch for emails with typos, broken English, or suspicious URLs. Now, threat actors can use AI to write phishing emails and social engineering scams that are increasingly difficult to identify as malicious.

AI has the undoubted potential to help cybersecurity professionals evolve from diagnostic evaluation to predictive action. It can help automate and deliver at pace, but the deputy CISO indicated, “if someone builds a better mouse trap, someone is going to build a better mouse.”

Central Bank Digital Currencies, the Ultimate Cyber Resiliency Test

For many, Sibos was the perfect stage to showcase the value proposition and status of a myriad of CBDC projects. The theme of interoperability in the context of CBDCs carried through the conference nearly as frequently as AI.

As panelists discussed use cases, scale, and a transition period in which traditional cash and CBDCs would co-exist, the need for robust cybersecurity and resiliency frameworks became strikingly evident, especially in light of geopolitical concerns. This seemingly unstoppable movement has led the Bank for International Settlements (BIS) to allocate resources to “Project Polaris: secure and resilient CBDC systems, offline and online,” [1] which aims to provide central banks and CBDC enthusiasts with a cybersecurity framework to ensure the resiliency of this new monetary era. “Secure-by-design” becomes instrumental in any future in which CBDCs are part of billions of citizens’ daily lives.

On a global panel about CBDCs, it was explained that as payments become more digital, one can imagine a world 5 to 15 years from now in which cash is no longer available and only commercial bank (private) money circulates. This raises the question of whether a system is needed to preserve the co-existence of private and central bank money and to prevent the abuse of power by a single player.

Risk in a Hyper-Digitized Payments Era

Risks to the financial sector, and the ways they upend the payment systems that move money around the world, have undeniably changed over time. Cyber crime, and the financial sector’s ability to track it, prevent it, defend against it, and recover from it, are never static. Quite the opposite: they are fast-moving, adaptive, reactive, and dynamic.

The Head of Global Enterprise Payments at a multinational bank said, “Today managing risk is the single greatest investment that we can make in payments…Our ability to succeed with the new technologies that everyone is heavily investing in will be gated by our ability to manage cybersecurity and third-party risk.”

Risk management cannot happen in a silo. As more comprehensive payment data becomes available, the system can pivot to real-time fraud and cyber crime monitoring. This requires, however, that financial institutions be equipped to connect with other participants in a secure and standardized way. Risk management in today’s hyper-connected environment cannot continue to follow the traditional approaches used to manage operational risk. It is no longer enough to review risk once a quarter in risk and audit committees; real-time, threat-led risk management is critical to position the organization to react in a timely and effective manner.

The Head of External Engagements at a global post-trade market infrastructure described today’s reality as a melting pot of activity, in which the maturing use of technology and third parties by financial institutions to provide services and products converges with the interconnectedness of financial markets. This means that a cyber incident in one part of the world can create a ripple effect across global markets. When looking at risk mitigation and resilience, technology cannot be viewed as a safety net: as new technology is added, the new risks and vulnerabilities it creates must be considered.

Conclusion

The global payments infrastructure and its thousands of participants are the foundation of global trade. These enablers of growth are going through a dramatic transformation, driven by the confluence of new technologies and geopolitical disruption.

No single institution can realize the value of its investments without augmenting its risk management model to account for the speed, scale, and interconnectedness of the system.

The convergence of these factors means that financial institutions will have to move away from “check-the-box” approaches to risk, cybersecurity, and resilience. Risk management approaches require wholesale remodeling to keep pace with cyber risk, and traditional approaches need a thorough review. Table-top exercises can no longer stay domestic or be constrained by scenarios based on past events; they must take a global perspective and be forward-looking. Cybersecurity will remain a focus for boards of directors and management teams of financial institutions large and small, and regulatory regimes will continue to hold individuals accountable for it.

Diverging cybersecurity maturity levels will pose risk even to the most mature organizations if the gap continues to widen. No matter the size of the financial market infrastructure or the bank, everyone is now expected to follow the highest available industry standards for cybersecurity and resiliency. As the Head of Regulatory Affairs for a European payment infrastructure said, “we are all in this together, we are only as safe as our weakest link.”

[1] Project Polaris: https://www.bis.org/about/bisih/topics/cbdc/polaris.htm


The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.

FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.