In this interview, we spoke to Marc Martínez, Partner, IT Advisory, and Head of Cyber security, KPMG in Spain and Francisco Uria Fernandez, Head of Financial Services in EMEA EMA and Spain, and Senior Partner, KPMG-Abogados, to discuss cyber security from a Financial Services perspective. Here, they focused on the cyber security landscape in the Europe, the EU’s General Data Protection Regulations (GDPR), and the various security risks impacting the Financial Services industry.
Marc, what cyber security issues are you seeing in the Spanish and broader European market?
Marc: I would say number one is probably ransomware. It’s a top risk at this moment, and this because it's been really effective and it’s also affecting a lot of businesses across industries. I would say that any other type of malware that is infecting companies is a top security issue as well. For instance, this would be malware oriented to steal data or retrieve data from the companies.
There are also phishing scams, mostly oriented on getting user credentials, passwords, credit card numbers, and bank account numbers. These scams are having a lot of success, along with CEO fraud, which focuses on misleading people within the organization for financial gain.
Third party providers are also top-of-mind when looking at cyber security issues. Those that are working alongside the company through good relationships are also high-risk and an easy target for cyber delinquents trying to access company data.
Do you think the EU’s General Data Protection Regulations (GDPR) have made a difference?
Francisco: Yes, for sure. I would say that the GDPR as a whole does not have the same formal compliance approach as the previous regulation. Instead, it has a risk management approach, which addresses how to manage risk and how to deal with the risk that organizations have. This also applies to cyber risk and how it could affect privacy, personal data and the rights of the customers.
Now, the question for companies is how to manage the security risk, operational risk, and cyber risk. To prevent and to deal with security events, and to minimize the impact and consequences for the clients and customers, having very specific formal obligations on reporting of incidents involving personal data is crucial.
In addition to that, it is not only GDPR. Companies must also take into account other regulations that apply to specific companies providing essential services, as the NIS directive, applicable, amongst others, to transport, energy, or financial services companies. In addition, financial institutions have to comply with the PSD2 regulating payment services.
Do you find that most companies are being compliant to GDPR or are there still some gaps that you’ve seen?
Francisco: My impression is that companies are absolutely compliant to GDPR – they have compliance programs in place that have prepared them for the implementation and implications of the new regulation. The Spanish administration on data privacy has been very active in this regard, and I would say that Spanish companies are quite prepared. The level of preparation is probably better in larger international companies compared to smaller ones.
All in all, I think the level of awareness, knowledge and readiness linked to the new regulation is now higher than it was previously, but there is still work to be done. The COVID-19 pandemic has also revealed some weaknesses that the companies should pay attention to in the near future.
Francisco, what are the greatest risks for financial services businesses? And what can businesses do to avoid them?
Francisco: First of all, I would say that the financial service, banking and insurance industries are based on trust, so the main risk is losing the trust of clients. Compromising this trust and relationship based on confidence is likely a major threat for financial institutions.
There is also a risk related to every transaction. Simply put, this would be stealing money from banking accounts or any other kind of fraud. And today, the money is not physically in the branches, it's in the IT systems, which poses a new threat in a more digital context.
Risk related to data is also top-of-mind. The financial services industry in particular has a lot of sensitive information on clients and they have the duty to protect this information. With this, there is a threat of someone trying to obtain this information illegally and trying to use it illegally.
Overall, I would say that there is a combination of traditional fraud, talking about transactions, now digital, and a new one that has to do with the data, where the information about the clients and these are stored in the – in the banking and the insurance company systems.
Marc, how should businesses handle the issue of ransomware?
Marc: We have to start by protecting and defending the business from having a ransomware attack. In many cases, this can be done through some very simple things that, in some cases, are not being done beforehand.
For instance, training and awareness. Often times, a ransomware attack happens because people are doing things that they shouldn't be doing, which has nothing to do with technology – it's about people. And then, as I mentioned before, third-party risk is also something to look at because you can train and educate your employees, but you then have the additional risk associated with working with third parties. So, first, you have to protect and then, if dealing with a ransomware attack, you have to be prepared beforehand to respond quickly.
What legal options are available to prevent and retrieve leaked data?
Francisco: Recently, companies are paying a lot of attention to cyber security risk from an IT perspective and they're investing a lot in securing themselves for any kind of attack. However, as important as IT prevention and action is, so is legal readiness.
And what we are seeing in the marketplace is that not all companies are as prepared as they should for these kinds of situations, which means they need to start paying attention to many things. Firstly, employee contracts must outline that they are doing their best in order to protect the company and the data the company stores. Secondly, outsourcing to third-party companies is a threat in itself, so you have to be protected against any weakness that an external relationship may bring. Thirdly, you should have a careful look into insurance policies – are you covered for cyber security incidents or events? Are you prepared and covered for a ransomware situation? These are some of the questions you should take into account. Lastly, companies must determine who is going to be the person or the body making the decisions if an attack happens. It’s important to have a legal protocol on what to do once the attack has happened, a clear idea on the regulation that is specifically applicable to you, and also an idea of the public bodies and authorities you have to notify should you encounter a data leak.
Marc, earlier you talked about third-parties – how effective is the use of injunctions against third-party websites used to share stolen data?
Marc: Often times, third party websites are not located in jurisdictions where we can have control over them. If the website was based in the European Union, for instance, we could easily access those parties and try to influence them, but most of the time they are located in countries like China, Russia, Brazil.
So, depending on where those third-party websites are located determines the influence we can have over them. And the reality is that most times, we cannot.
Speaking of the world as it is, has COVID-19 produced an increased level of risk?
Marc: I would say yes for a few different reasons. Some risk may have happened anyway, but not over such a short period of time. This is probably a result of companies quickly working to transform and digitize their business processes, bringing an increased level of cyber security risk based on the new technologies those companies are using.
I believe that would have happened eventually, but because of COVID, most companies have had to rush and implement new processes and technologies with less controls than they should. Also, with most of employees working from home today, there are new risks being exploited by cyber delinquents.
So, yes COVID-19 has increased the level of risk for companies around the globe.
Francisco: To add to that, specifically from a financial services perspective, it's clear that there is a general acceleration in the digital transformation of the financial entities, especially in the countries that did not transform as fast as others in the past. And, as the volume of people working from home increases, there are people that are not so well prepared and equipped to use non-in-person channels and digital channels. So, that is why the risk is clearly growing.
I would also say that the financial institutions are strong in their capabilities, and they are effectively protecting their clients, their money and their data. So they have been able to succeed in preventing cyberattacks to be effective but now the risks and threats are bigger as we evolve towards a more digital relationship between the financial industry and their clients.
To conclude, what can KPMG Global Legal Services do to support clients when they face a cyber security attack?
Francisco: KPMG firms are part of an extraordinary global network that provides support to help our clients in everything related to cyber security, both in prevention and also once the attack has already taken place.
But it’s important to consider that regulatory compliance and legal risk that should also be taken into account. Our experience in the market and, in particular, with our clients, is that by working together with our advisory experts and our legal professionals, we are able to provide full coverage on client needs, the IT side, and also on the legal side.
Together, we can help our clients determine what the proper course of action is, who the decision-maker should be, what the correct information to disclose is, when to notify the authorities, how to work with third parties, how to minimize risk, and more. And all of these questions need a legal perspective, and KPMG Global Legal Services is here to help.
Partner IT Advisory & Head of Cyber security
KPMG in Spain
Link to bio
Francisco Uria Fernandez
Head of FS in EMEA and Spain
Senior Partner of KPMG-Abogados (Spanish Lawfirm in KPMG)
Insights on cyber security from a technology, data and legal, and financial services perspective.
Insights on cyber security from a technology, data and legal, and financial services
Throughout this document, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.
Certain member firms of the KPMG global organization, including the US firm, KPMG LLP, do not provide legal services or have KPMG Law service entities. Some or all the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.