With an upcoming regulation deadline and multiple technological developments in the financial sphere, security is quickly changing. What are the main trends to look for? Patrick Brusnahan sits down with the CEO and founder of security firm Huntsman, Peter Woollacott, to find out more.

GDPR

I think that GDPR is certainly going to require a relook at how people manage their data, particularly the category of data that says, “I want my identity back”. That’s a difficult type of data to get back.

To get all of your history back, that’s quite difficult. The practicality of that will probably take longer than 2018 to work out how that’s all going to happen. Obviously, people store data in legacy systems which aren’t really designed for that sort of access.

It was never designed to give this back. That’s going to be an issue. With newer systems it’s fine, but in banks, which have a lot of information, they have a lot of legacy systems.

In Australia, when I look at this, we’re about to go through mandatory disclosures. It’s a long way away from GDPR requirements and so businesses conducted with handles, handing over card details, my email address, I don’t regard that as personal data. That’s the means by which we communicate, keep in touch. I don’t give my home address or home phone number. There’s a huge question on ‘What is private information?’ There will be a lot of interpretation about that as well over time.

Consumers becoming more aware

What I would say is that as a general rule, in the last little while, there are numbers coming out of the US from analysts that tell me that customers are more conscious of providing excessive information. You’re buying a train ticket and you need to give date of birth, address, credit card number.

When applying to attend a conference, I had to provide a lot of information and there were conditions that meant they could sell my information. Before, I used to be able to pay on the day. I do think people are becoming aware and sensing an oversupply of information. They’re also sensing that things can’t be right. It’s hard to control and manage a good level of governance over this.

Issues with PSD2

I think with PSD2 coming in, it’s going to be one of the key things in all of this. Yesterday, banks and financial institutions were responsible for cybersecurity. As you open it up to more players, there’s a whole lot more points of exposure.

If I’m a very small business and I’ve decided to arbitrage certain capabilities due to PSD2, I may not have the security sophistication to be able to satisfy the security requirements. As you introduce more points of access, you quite naturally increase risk. As PSD2 encourages more participants, you get more risk due to its nature.

What I would say is that this really is an absolute shift in how banking services are. Suddenly, everything is much more opened up and it’s much more challenging to meet and monitor obligations. If you’re saying banks aren’t ready, then certainly some of the new entrants won’t be. I think they’ll be behind the banks.

Automation and AI saving the day

The likelihood of AI and automation starting to be introduced more as that’s the only way to physically handle the increased volume of transactions, the ability to analyse, and to make decisions.

Probably the most critical benefit of automation is that it comes back to cybersecurity, and that cybersecurity is conducted by analysts, humans, who are by nature pretty random and not particularly systematic. My question is how do you manage that in an overall process?

Automation is putting some system and some process into what can sometimes be a random puzzle. I’m not suggesting analysts are random and haphazard, but if you can deliver some process and systematic means in which tasks can be achieved, the real benefit is that you can then deploy measurement.

These things should be happening at this speed, at this rate and people should be doing this. This leads to a much better position. One of the key benefits is introducing processes with a systematic base. It also brings more accountability into the process. This is a requirement.

Both PSD2 and GDPR have tight reporting times. This is in an industry which usually has a resolution timeframe of weeks or months, not three days. Even big banks are not getting that sort of response time.