
Tuesday, 01 March 2022 04:58

What do financial services need to know about cyber and compliance?

By Rachael Greaves, co-founder and CEO, Castlepoint Systems

GUEST OPINION: Most organisations are focused on immediate priorities, and have a short planning horizon for cyber. Cyber doesn’t seem as immediate as the need to meet targets, respond to Freedom Of Information, or complete reporting cycles. Anything that disrupts core business is seen as too high a price to pay.

But the most serious cyber incidents have a slow burn. Threat actors can lie dormant in systems for years before striking, or can be slowly exfiltrating data without detection.

For critical infrastructure, foreign state actors position themselves to cripple networks in the event of a conflict, shutting down our economy and infrastructure to weaken our defences.

Below are recent events in the sector, and how those breaches happened:

1. Insider leak, whether malicious or accidental. This is by far the most likely. Staff already have access to systems, and are trusted to use them. This is what happened at NAB in 2019. That year the bank paid nearly $700k in compensation to affected customers.

2. Software vulnerabilities. A glitch in US financial research firm Morningstar’s systems exposed the alert profiles of KPMG executives in Australia.

3. Malicious breach. Compromise of the Accellion infrastructure affected many organisations, the Reserve Bank of New Zealand and ASIC among them.

None of these things is in the control of the day-to-day user, or even most executives. It’s widely recognised that being breached is almost inevitable. If we quickly consider the many types of breach, and the many types of threat actor, we can get a better picture.

Key types of threat actor

There are several different groups who perpetrate these breaches.

Foreign state actors. Foreign governments have a lot of capability to breach networks, and do so in order to undermine Australian national interests, as well as to steal IP. If you service government and critical industry clients, hold PII, or have unique IP, you are a potential target.

Criminal. Cybercriminals use hacking to extort money, or sell credentials they steal. Organised crime groups may also want to target you because of your client data, or for ransom.

Competitors. While usually less capable than other threat actors, competitors may be highly motivated to steal your trade secrets and IP.

And feeding into them all, the trusted insider. It is much more likely that someone in the company will be tricked into, or recruited into, facilitating a breach by one of the other types of threat actor. Insiders can be motivated by money, ideology, compromise, or even just ego.  With work from home and churn from the labour shortage, it’s extremely hard to monitor and continuously vet our people.

Reducing the impact

We need to do what we can to reduce likelihood of a breach – but we can never completely prevent one. What we need to focus much more on is reducing the impact of a breach.

How do we do this?

The Supply Chain Principles are available on the Home Affairs website, and the very first principle is: Understand what needs to be protected, why it needs to be protected, and how it can be protected.

We have to know our own data, so that we can focus our efforts on the data that has the most risk.

What is this risky data?

  • National security
  • Sensitive personal
  • Financial (PCI for example)

These are fairly easy to detect as they are consistent.

What about risks specific to your organisation? Every organisation has a unique risk profile. Different organisations have different types of risk data unique to them.

Firstly, IP. This is always unique and specific, and can’t be identified by generic pattern matching algorithms.

Secondly, core business data that is sensitive. The fact that you are doing a certain merger, or running a certain kind of project, or engaging with a certain entity, might be sensitive. But not all mergers, projects, or relationships are. It’s up to each individual business what topics you consider risky, and it’s not repeatable across organisations. Sometimes, a certain business activity will be politically sensitive to the community – knowing where that data is, and who can see it, is vital.

Finally, regulated information. This is data that, if you allow unauthorised access or use, can result in civil or criminal penalties. There are more than 500 secrecy provisions just in Commonwealth legislation – and more apply for every jurisdiction you operate in. Secrecy provisions go beyond the usual suspects, to things you might not consider sensitive if you’re not familiar with those laws.  
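The contrast between consistent data and organisation-specific data can be seen in a simple classifier. This is an added example, not Castlepoint's code: it scans constructed sample documents for payment card numbers (a regex candidate match confirmed by the Luhn check), and shows that the same approach finds nothing in a document describing unique IP, because there is no repeatable pattern to match.

```python
import re

# Constructed sample documents for this example (not from the article).
# The card number is a synthetic test value that passes the Luhn check.
SAMPLE_DOCS = {
    "invoice.txt": "Customer paid with card 4539 1488 0343 6467, exp 09/26.",
    "notes.txt": "Order ref 1234 5678 9012 3456 is an order number, not a PAN.",
    "research.txt": "Our proprietary catalyst formulation cut reaction time by 40%.",
}

# Candidate 13-19 digit runs, allowing spaces or dashes between groups.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops order numbers and other digit runs
            hits.append(digits)
    return hits


def classify(docs):
    """Map each document name to the PANs detected in it."""
    return {name: find_pans(body) for name, body in docs.items()}


if __name__ == "__main__":
    for name, pans in classify(SAMPLE_DOCS).items():
        print(name, "->", pans if pans else "no consistent-pattern risk found")
```

The research document is flagged by nothing here; identifying it as sensitive IP needs knowledge of the organisation's own topics, which is the gap the article describes.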

The way ahead

Knowing and applying regulatory rules is one of the best ways to reduce cyber risk. But how can we find all that risky data, track it, match it to the regulations and rules, and manage it compliantly?

The way to address this is with Artificial Intelligence (AI).

Castlepoint is a new kind of AI where we register every system in an environment, in the cloud and on prem. We register every record in every system (structured or unstructured), and every file in every record, and we use Natural Language Processing to extract all the meaningful topics and entities mentioned in every item, no matter the format. We capture every event on the data, as well as all metadata.

We do all this without agents or connectors, and without moving, duplicating, or modifying data. This provides command and control through powerful discovery, audit, and automated records management. It is completely invisible to general users, and we are unique in managing all information, for its whole lifecycle, with no impacts.

Artificial Intelligence makes this possible. Some of the problems this technology has recently solved have included:

  • Finding references to potential child abuse in government databases with 99.8% accuracy
  • Providing command and control over more than 56,000 systems for one organisation
  • Reducing the cost of legal discovery for one agency by 97% per year.

To help you manage your risk, you will need defensible, transparent visibility of your obligations, as well as your data.
