ALPS blog

From Trend Micro

Available everywhere, as cheaply as possible and preferably digitally – these are the demands customers make on their bank’s services today. The Corona pandemic has accelerated this trend even further: Almost two-thirds of Europeans have considered switching from “banking with a branch” to a digital platform in the past year, according to a study by Mastercard. This also means that banks will have to rely more on digital services in the future in order to remain competitive. Financial institutions have also recognised the high potential of cloud services and the vast majority of German institutions are already using them. After all, only those with a flexible and powerful IT infrastructure can react quickly to changing customer needs and provide customers with holistic advice.

Security in view

Many banks see the issue of security as a hurdle on their way into the cloud, because the aspect of security is of course extremely relevant for financial institutions. One of the central challenges in digitalisation for these companies is still not to jeopardise their decisive competitive advantage, namely customer trust, vis-à-vis betechs and fintechs through outsourcing and the adaptation of new services. And in the event of vulnerabilities in cloud security, highly sensitive payment and customer data are at stake in this industry. In the event of a data breach or service outage, banks would not only lose the trust of their customers and suffer reputational damage, but also risk heavy fines for breaching regulatory requirements. But with these important concerns, financial institutions should still keep in mind that cloud offers not only risks, but also opportunities.

Regulatory burdens

Compliance requirements are perceived as very burdensome. According to the study “Digital Outlook 2025: Financial Services” by Lünendonk & Hossenfelder, 77 percent of the respondents rate the hindrance by regulatory requirements for the use of cloud in the financial industry as strong or very strong. Among other things, they have to fulfil the requirements according to MaRisk (Minimum Requirements for Risk Management), with which BaFin specifies what banks and financial service providers have to observe when outsourcing processes. This set of rules, specified by the Banking Supervisory Requirements for IT (BAIT), requires banks to have a permanent and effective information security management.

An important compliance requirement here is patch management, which is used to close open vulnerabilities. Especially in complex, hybrid infrastructures, this can become a very time-consuming task. The IT infrastructure of banks has grown historically and can still contain numerous on-premise legacy systems for which there are no longer any patches. Testing patches before roll-out also often costs a lot of resources and a lot of time, which you don’t have once new vulnerabilities have been identified.

Virtual Patching: One Worry Less

A security solution that offers virtual patching can therefore mean the difference between a vulnerability that was only detected and a vulnerability that could also be closed in time. This is because Virtual Patching closes vulnerabilities automatically at the network level and is more performant and secure than exploit filters from conventional IDS/IPS solutions (Intrusion Detection System/Intrusion Prevention System) and firewalls. Unlike these solutions, Virtual Patching does not have to develop a new filter for every new exploit. Instead, Virtual Patching looks at the vulnerability itself, avoids false positives and is also protected against future exploits thanks to the use of the Zero Day Initiative (ZDI). The ZDI collects data from vulnerability researchers and makes it available to vendors. Virtual patching, which is based on the data from the ZDI, can thus close vulnerabilities that have not even been published yet.

Conclusion

The number of credit institutions exploiting the potential of the cloud for themselves is steadily increasing. Those that have not yet ventured into the cloud due to “fear marketing”, compliance and security concerns are missing out on important opportunities in holistic customer service, in improving their risk management and in defending against cyber attacks.

But just as important as the move itself is choosing the right cloud security partner. Because every minute counts when it comes to defending against cybercriminals, and just one data protection incident can cast a long shadow over the relationship with the customer.