Interview with Olivier Baranek, Global Chief Information Security Officer at Natixis
Why does cybersecurity represent a major issue for banks?
In our business, customer relations are built on trust, on our ability to protect the sensitive information we hold on them. For individuals, this includes data relating to their identity, their financial situation and their banking transactions. For companies, the range is even broader: we must protect the confidentiality of an ongoing transaction, whether it is a merger and acquisition, financing or any other factor affecting their development strategy.
What is it that makes these questions so burning today?
On the one hand, the relationship is becoming more and more digital and therefore increasing exposure to cyber risk; on the other hand, new financial players are emerging and offering bank intermediation services such as account aggregators and payment services for shopkeepers. The outsourcing of the banking information system, cloud computing, is also a trend that requires a rethink of our approach to security.
What risks does this outsourcing entail?
It raises a number of questions, such as where the data will be located or how it will be secured, and we need to ensure that our service providers maintain a sufficient level of security and handle the information we entrust to them in an appropriate manner. Ultimately, we remain responsible for the protection of this data and will suffer the consequences of an incident even if it is the fault of a third party.
How do you ensure that your service providers have a level of security that meets your requirements?
Together with our experts, we carry out audits of our external service providers. We visit them on site to see how they operate and assess their ability to meet their commitments. The legal and contractual dimension is also very important; it allows us to formalize our respective commitments. We also rely on certification programs to feed into our risk analyses.
Faced with cyber risk, can banks act alone?
No, of course not, because banks are not isolated economic players. They are part of an ecosystem and there is always a domino effect if a bank fails. This systemic risk only reinforces our obligation to protect ourselves and our customers.
How has the banking sector organized itself to deal with this systemic risk?
Banks have set up CERTs (Computer Emergency Response Teams): these are the “firefighters” capable of intervening when an incident occurs. Within these CERTs, information-sharing mechanisms are essential: there is a daily dialogue on proven or suspected attacks. Banks also cooperate with the authorities (ANSSI and specialized police services).
Finally, can it be said that French banks are fairly well protected against cyber risks?
Rather than “well protected”, I would say that we are deploying all the technical and human resources necessary to enable us to deal with cyber risk. We must remain humble because the technicality and scale of attacks are constantly on the rise.