The rise of digital has brought benefits to consumers and businesses, such as faster, more efficient processes and systems; however, it has also created new threats. Jonathan Minter looks at how companies are looking to combat these threats.
A UK government report in May 2016, Cyber Security Breaches 2016, revealed that almost seven in ten businesses (69%) put cybersecurity as either very high or fairly high on their organisation’s senior management priorities. This was even higher (90%) when looking at financial or insurance firms.
According to the report, which surveyed more than 1,000 UK businesses, almost one in four (24%) of all UK businesses experienced one or more security breaches over the past 12 months. The likelihood of an attack increased in proportion to the size of the firm, with just 17% of the smallest firms suffering a breach, compared to 65% of the largest firms.
Clayton Locke, chief technology officer at IT specialists Intelligent Environments, says: “Cybercrime is very clearly on the rise, with the ONS estimating the overall cost of cybercrime to the UK at £27bn and growing.
“The damaging effect of these attacks has also increased, with the government suggesting that the average cost of online security breaches for big businesses is almost £1.5m – up from £600,000 in 2014.
“It’s not just major organisations that are suffering at the hands of cybercriminals though, it’s happening to ordinary people too. Our new research has found that one in five British consumers has fallen victim to cybercrime. It’s therefore important that all financial organisations respond to consumer concerns by taking greater action against cybercrime.”
Motor finance firms do not operate in a bubble, and they have had to face this reality as the industry has stepped up its digitalisation game in recent years. As businesses, motor finance lenders tend to possess large amounts of data and use third parties, both of which make them candidates for potential cyberattacks. As a result, motor finance lenders have increasingly worked to improve their cyberdefences.
“The motor finance industry deals with vast amounts of personal and private data, day in, day out,” Locke notes.
“Because of this, there is an increased risk of cyberattacks in the industry. Any organisation that lends money, including motor finance, has an onus on them to keep customer data safe.”
Part of the challenge comes from the variety of threats facing them. According to the government report, 68% of firms suffered at least one attack or breach from a virus, spyware or malware programme; 32% said they’d been impersonated online or in an email, while 15% had been on the receiving end of a DoS attack.
This variety of threats is reflected in the variety of answers motor finance lenders provide when asked about the cyberthreat to their business.
Darren Greenyer, deputy head of lending at Raphaels Bank, for example, says companies that store data electronically need to be aware of the threat of data theft from either a security breach or through a DoS attack.
Julian Rance, head of motor finance at Paragon Car Finance, instead highlights the problem of corporate phishing, which has increased in recent years. Traditionally this has been a method fraudsters used to steal personal information from consumers.
However, Rance says: “We’re now seeing that type of email come in on a corporate basis.
“It’s a fairly recent trend. From a systems perspective – and this is industry-wide – we’re seeing an increase in this.”
Miles Hutchinson, group head of information security at Hitachi Capital, says his company has also witnessed an increasing trend in phishing attacks, but adds that Hitachi has also seen an increase in DoS attacks and application misuse attacks.
“The main challenge for all businesses is staying ahead of ever-changing cyberthreats that appear daily,” Hutchinson says. “As one cyber risk is combated and contained, others are identified and require equal attention. It’s the nature of cybercrime.”
Helen Davenport, a director at law firm Gowling WLG, breaks down the main types of cyberattack she sees into two categories. The first is data theft and systems failures.
She says: “A potential threat may be online hackers accessing systems and stealing valuable data. The remote nature of modern digital activity also means that this can be done from anywhere in the world, making it difficult to track down the perpetrator.
“This is coupled with the fact that the role of law enforcement agencies is to raise awareness of the issue and react to incidents rather than actually detect hackers.”
She adds that a lax IT infrastructure or failure to ensure that an outsourced provider has adequate cybersecurity can expose businesses to malware that purposely disables an internal system, diminishing the level of service that can be offered in the process.
The second type of threat she identifies is financial and identity theft by customers. An example she gives of this occurs when an individual manipulates or lies on his or her application in order to secure motor finance.
“Others include individuals trying to take out motor finance in a bogus name because their credit history is not good enough to warrant a successful application.”
A key point to note is that these threats are not unique to the motor finance industry. While the types of data motor finance companies hold, and the types of system they run, may differ from those in other industries, the types of attack, such as phishing and DoS, are common across the world.
This is confirmed by Claudia Marley, ICT director at FCA Automotive Services UK. She adds that threats could be either malicious or unintentional, and can come from both internal and external sources.
She says: “It could be a disgruntled staff member; it could be someone deliberately after your data; it could be someone doing it just for fun; it could be a denial-of-service attack; it could be accidental damage – somebody deleting a whole load of stuff or posting a whole load of stuff they shouldn’t have. So it could be any one of a number of things.”
When it comes to combating these types of crime, the potential for staff to cause a cyberattack is problematic because, in general, companies have to trust their staff to a certain extent.
“There are quite a number of data breaches or security threats which actually come from internal staff members rather than the outside world, so you need to protect yourself from both,” Marley adds.
Overcoming these threats can involve good housekeeping, and Marley suggests that one way of minimising risk is to ensure that, when people move between roles, they are given access only to the information their new job requires.
For example, she says: “If people don’t need access to a customer’s bank account details, then don’t give them access, because it’s just asking for trouble.”
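One way of putting that advice into practice, as an added example (not code from FCA Automotive Services UK or any lender quoted here; the roles, permission names and staff records are constructed for illustration): a role move that rebuilds a staff member's entitlements from the new role alone, shown beside the additive pattern that causes privilege creep, plus an audit that flags anyone still holding access their current role does not justify.

```python
"""Least-privilege role moves for a motor finance lender (constructed example)."""
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement map. Only roles that genuinely need customers'
# bank account details (underwriting, collections) are granted BANK_DETAILS_READ.
ROLE_PERMISSIONS = {
    "underwriter": {"APPLICATION_READ", "CREDIT_HISTORY_READ", "BANK_DETAILS_READ"},
    "collections": {"APPLICATION_READ", "PAYMENT_HISTORY_READ", "BANK_DETAILS_READ"},
    "dealer_support": {"APPLICATION_READ", "DEALER_ACCOUNT_READ"},
    "marketing": {"CAMPAIGN_WRITE"},
}


@dataclass
class StaffMember:
    name: str
    role: str
    permissions: set = field(default_factory=set)


def new_starter(name: str, role: str) -> StaffMember:
    """Joiner: entitlements come only from the role, never granted ad hoc."""
    return StaffMember(name, role, set(ROLE_PERMISSIONS[role]))


def assign_role_additively(member: StaffMember, new_role: str) -> None:
    """The privilege-creep pattern: old entitlements stay and new ones are added."""
    member.role = new_role
    member.permissions |= ROLE_PERMISSIONS[new_role]


def move_role(member: StaffMember, new_role: str) -> set:
    """Mover: entitlements are rebuilt from the new role only.

    Returns the set of permissions revoked so that the change can be logged
    and reviewed; an empty set means the new role is a superset of the old one.
    """
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    revoked = member.permissions - ROLE_PERMISSIONS[new_role]
    member.role = new_role
    member.permissions = set(ROLE_PERMISSIONS[new_role])
    return revoked


def can_access(member: StaffMember, permission: str) -> bool:
    return permission in member.permissions


def audit_excess_access(members) -> dict:
    """Access review: map each name to the permissions its current role does
    not justify. Anyone listed here has accumulated access and needs cleanup."""
    report = {}
    for m in members:
        excess = m.permissions - ROLE_PERMISSIONS[m.role]
        if excess:
            report[m.name] = excess
    return report


def demo():
    """Two underwriters move to marketing; only one is handled correctly."""
    alice = new_starter("alice", "underwriter")
    bob = new_starter("bob", "underwriter")
    assign_role_additively(alice, "marketing")   # keeps bank-detail access
    revoked = move_role(bob, "marketing")        # loses it, and we know what went
    return alice, bob, revoked, audit_excess_access([alice, bob])


if __name__ == "__main__":
    alice, bob, revoked, report = demo()
    print("alice still sees bank details:", can_access(alice, "BANK_DETAILS_READ"))
    print("bob still sees bank details:", can_access(bob, "BANK_DETAILS_READ"))
    print("revoked from bob:", sorted(revoked))
    print("audit findings:", report)
```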
Allan Cummings, digital channel manager at Moneybarn, says the main cyberthreats occur any time validation occurs as part of the application process with the customer.
He says: “For me, the trick is to create a really efficient transaction tunnel during which you are able to validate without being too invasive to the customer and their statutory rights. The key thing here is to try to ask the right types of question by which, when we get an application either through a broker or direct, we can actually establish who they are.”
Validation means checking the customer’s identity, validating their credit and banking history, and validating whether they can actually afford to make the payments. It also involves validating that the vehicle exists and qualifies for the finance, and making sure the vehicle seller actually exists and is who they claim to be. Finally, the lender needs to validate that the buyer intends to follow the rules of the finance agreement.
He concludes: “Where I see the threat come in is any time you can’t actually go directly to the source – where you’re getting customers to provide you with the documents over the phone or even sending them via email. It enables them to take advantage of that trust.”
While it’s true that most lenders will recognise the dangers here, one weakness of any such system is that it relies on dealers to make sure the checks are actually carried out in person. For Davenport at Gowling WLG, this is a potential weakness in some systems.
An example she gives is overlooking certain checkpoints in order to rush through an application so it is successful and the commission is received by the handling agent.
She adds: “Situations such as this raise the need for rigorous staff training issues around this, and also due diligence checks by senior management to confirm that no stages are being skipped or under-examined, and that personal data is being handled appropriately.”
Once the data has been entered, Rance at Paragon notes that it is still vulnerable through transit, and this makes the use of encryption “vital”.
Digital solutions can help here, according to Marley at FCA Automotive Services UK. She agrees that the actual time when a customer is buying a car tends to be the biggest weak point for motor finance companies, and there are various identity, fraud, and money-laundering checks that need to be completed.
She says: “That’s one of the key things, and we have a number of IT checks in place to help us do that, in terms of systems and automated checks.”
Another area of risk is the computer in a dealer’s showroom, which is a potential entry point into a lender’s network, and, as a result, Marley says FCA Automotive Services UK has had to make sure there aren’t any security gaps in the front end because of this.
With so much to protect, and so many points of vulnerability, there’s a question of when first-party and third-party security systems are most appropriate. As with the main threats a company faces, it’s clear there’s not a single right answer to this, as different lenders face different threats.
Greenyer, for example, says Raphaels Bank leverages third-party expertise as part of its general strategy, in order to allow the lender to concentrate on its core business.
“Security is no different, and we believe in building strong and enduring relationships with our chosen partners, so that we can adapt to the changing threats faced today,” he adds.
FCA Automotive Services UK also broadly uses third-party technologies, according to Marley, because for these third parties cyber is their speciality and their core business focus.
She notes: “For the people providing that security technology, that’s absolutely their day job. Our day job is providing finance, so they’re going to be better at it than us,” adding: “That’s essentially the logic.”
Hitachi Capital, meanwhile, uses a mixture of internal and external cyber expertise for its security.
Hutchinson adds: “The value of internal expertise is the immediacy of response and intimate knowledge of our business. We look to external expertise for flexibility in service provision against the ever-changing threat landscape and the ability to bring global issues of interest to life in real time.”
Moneybarn similarly uses a mixture of first- and third-party technologies and knowledge. Cummings says: “There’s a lot of training that’s involved with managing customers in the subprime space, so there’s a lot of bespoke work that’s done in all of our internal networks.”
This, he says, is then fused with third-party pieces to build reliable credit scores, to understand fraud, and to use social media networks.
“All these have to be amalgamated to try to create a package which enables us to do the due diligence, and also the due diligence to make sure we are treating customers fairly across the board.”
Introducing third-party technologies is, on the surface, easier than it has been in the past, due to the use of application programming interfaces (APIs).
“Anyone who’s now looking at developing what you would call cybersecurity needs to be able to use APIs in which the connection between the packages is very easy,” says Cummings.
The difficulty, he adds, is making sure everything flows properly or, in other words, properly managing the relationship between these kinds of tools.
“So I think it’s easy to buy them and get them in, but it’s more complex to make sure they fit within your customer relationship,” he says.
Preparation is key
There are a number of things companies should be doing to prepare for a potential attack; key among them is planning for disaster.
“One of the most important things is backup,” says Cummings.
“If you rely purely on a third party, you also have to think about recovery. Fortunately for a long while, we’ll probably have hard copies which we are making at the moment.
“Even though we probably have the ability to go completely third-party, most likely most businesses will have a backup of all the information held in servers which are protected.”
Marley also says that disaster-recovery planning is key, with regular backups a central part of this, alongside regular checks, regular restores, and making sure resilience is present across the different components of FCA Automotive Services UK’s infrastructure.
“You know if a supplier goes down or if the application goes down, we’ve got an alternative means of providing it,” she says.
Greenyer at Raphaels Bank agrees: “Disaster recovery is a key part of our business planning. We back up all our applications and ensure we have a secondary source available in case of failure.
“We perform regular, robust tests that provide reassurance that, should any systems fail, there will be minimal impact on the bank or its customers.
“We expect the same rigorous testing and corresponding evidence from any third parties,” he adds.
Hitachi also says it is continually assessing its business continuity plans, and has measures in place to address any impact of system failures, which are routinely tested.
In addition, all its systems are hosted across multiple geographically diverse data centre locations, where it has built resiliency and redundancy into its key systems and locations.
Similarly to other lenders, Hitachi says it ensures all third parties that provide critical services have similar levels of resilience and recovery, and that this is routinely tested.
One thing is clear from all these answers: when considering cybersecurity, ensuring your third parties are also secure is a key part of any strategy and, according to Greenyer, security and resilience are receiving increased attention when Raphaels Bank looks to form new relationships.
Importantly, he adds: “This is all part of the focus on the ‘wider enterprise’ and a realisation across the board of the need to look beyond your own capabilities and into those of your partners. Due diligence has moved a long way from its original focus on purely legal and financial matters.”
This is not unique to Raphaels, and Rance says Paragon has a rigorous process for the selection and oversight of third parties, and performs due diligence before making an appointment, including an in-depth review of the organisation itself, as well as its information security and business continuity approach.
When a lender works with a new third party, for example a new dealer, a number of lenders talk about the need to train the new partner’s staff, to make sure they are aware of the intricacies of the new finance product.
Included in this training will be elements of cybersecurity and digital protocol. Cummings says Moneybarn has employees to train dealers’ staff if needed, and that the lender also conducts checks.
“It’s a lot of checking and a lot of trust, and at the same time it’s also validating the things they do,” Cummings adds.
“The proof of the pudding is that we don’t have huge issues.”
For Davenport at Gowling WLG, the first piece of advice she gives when it comes to the use of third parties is to make sure a strategic partner is absolutely needed.
She explains that third parties present an “obvious risk” for data sharing, adding: “If there is resource and capacity to handle a process in-house, then that is preferable.”
Where third parties are necessary, Davenport describes it as “vital” to check their approach to cybersecurity as a core part of the supplier selection process, especially in relation to regulation.
In particular, she notes: “Agreeing, where possible, a shared responsibility for risk is also important and a key issue is that of data protection.”
Davenport’s colleague, fellow director at Gowling WLG, Kirsten Whitfield, notes that, even with the UK leaving the EU, it is vital that businesses look to comply with the General Data Protection Regulation (GDPR) standards, which cover the need to protect data from unauthorised or unlawful processing and protect against loss, destruction or damage.
“Although these do not come into force until May 2018,” she adds, “not preparing for these now and/or believing that Brexit has made this less of a priority would be unwise.”
Under the GDPR, a failure to keep personal data secure could result in a fine of up to €20m (£17.3m) or 4% of global annual turnover (whichever is highest). That is before any additional costs for handling a breach and reputational damage are taken into consideration.
Analyst firm Neustar found that, in 2015, a typical DoS attack could cost firms $100,000 an hour. It is easy to see why companies are so keen to ensure they are prepared for potential attacks, even if the preparations can be expensive, and these costs have increased over the past few years.
Paragon Car Finance has had the opportunity to see this increase in the starkest terms. The business stopped operating in 2008 as the credit crunch removed liquidity from the market and car sales plummeted, only to return in 2014, six years later, complete with a banking licence.
Rance admits the lender is spending more on cybersecurity now than it was before, but adds: “We’ve increased our spending in line with the industry.”
In general, lenders are not willing to talk about the specifics of their cyber spending. But where they do so, the message is similar to Rance’s: spending has undoubtedly increased.
At Hitachi, for example, spending is said to have increased in line with the growing cyberthreat. Hutchinson says: “As the business grows and more dealers and their customers use our finance options, the more of a target we become. It’s a current-day cost of being successful in business. It comes back to being on the front foot and ahead of cyberthreats.”
A key part of this investment has been in training, and Hutchinson notes: “Investing in our employees is paramount, as they have a powerful role to play in protecting our company and customers.”
As with Moneybarn, Hitachi is also looking to expand its education and training offering to business partners.
One final area of investment, Hutchinson says, is threat intelligence: “We’ve also invested more, over time, into proactive services that provide insight into near-term security trends and placing a spotlight on chatter and noise about our brand on the ‘dark web’.”
Monitoring the dark web (parts of the internet that are not indexed by search engines and typically require special software to access), and even the surface web, has a number of practical uses for lenders.
Cummings, for example, speaks about how Moneybarn is able to monitor social media content to look for fraud. He describes cases where people openly talk about fraud they’ve committed or are intending to commit, but there is more to it than that.
“It’s about listening and understanding the trends that customers have, and behaviours of people when they’re committing fraud or they’re actually disgruntled. Sometimes disgruntled people make silly mistakes.”
As the field of social listening improves, Cummings suggests it will become part of a lender’s ongoing ability to understand the mindset of good and bad customers.
“By having your ear to the ground you can be tipped off quite well about the good and bad activities. You know there’s just as much advocacy out there which you can pick up which is positive in social listening as there is which is bad.”
Locke adds: “In order for the financial services industry to continue the fight against cybercriminals, it must change its approach from a perimeter-focused solution to one that can detect and neutralise threats in real time from within the application.
“The sector needs to evolve, to start using technology that can anticipate and understand the difference between typical user behaviour and criminal behaviour and then have the capability to cope with threats in real time. By doing so, we can bring the fight to the cybercriminals, and make both financial organisations and their customers safer in the process.”
According to Locke, regulation is a key factor in addressing this challenge.
He says: “We at Intelligent Environments have in the past campaigned on the issue, urging the Financial Conduct Authority (FCA, not to be confused with FCA Automotive Services UK) to establish a more robust security regulation framework for the financial services industry in the UK. A mandatory testing process, similar to that for the payment card industry (PCI-DSS), would definitely push banks to focus on more sophisticated security measures.”
While one area pushing businesses into greater security is the potential financial costs of not being prepared for a cyberattack, a second area is incoming and existing regulation.
Aside from the aforementioned GDPR standards, the FCA is also likely to take a dim view of companies not deemed to be taking enough care of customer information.
It’s little surprise, then, that Rance describes regulation as one of the many dimensions shaping the lender’s security measures and protocols.
For Marley at FCA Automotive Services UK, increases in regulation are something that should be in companies’ minds: “I can only see there becoming more regulations that we need to adhere to, from a security point of view and from a data protection point of view.
“So things like the changes on data and access requests, data access breaches, those sorts of things, it’s in our planning and in our thinking in terms of how, and what, we need to do going forwards.”
This will increasingly push companies to place a greater emphasis on using technology to combat fraud and breaches. Marley says a lot of technology has been developed recently, and she expects further developments in identifying individuals and finding out more about potential customers to help with underwriting.
“Everything is getting faster, everything is getting more digital, so there’s just a lot more information out there and some of the tools you’ve got these days can help you to evaluate that information and find out what the actual threats are and what you can do about them,” she concludes.
One example Cummings gives for this is in the use of documentation, or, as he explains: “The idea of being able to document all the steps one makes when they deal with us as a finance business.
“That’s one element of the FCA, to make sure we are able to show what a person’s put forward, what information they’ve been provided with, what tools we provide customers with so they can make insightful decisions.”
Another area where the rise of the FCA has encouraged firms to re-evaluate their cybersecurity is the area of data protection, according to Richard Ellis, principal associate at Gowling.
Ellis notes the forthcoming Network Information Security Directive is also due to introduce further guidance on technical and organisational measures for operators of essential services, which will include financial services providers and banks to the extent that they provide critical services as part of a network or information system, as well as sanctions for non-compliance.
Technology, Ellis says, is both an underlying reason for regulation and a response to it; he notes that the two feed into each other.
When asked specifically how technology can help a firm cope with regulation, he says: “Many technical solutions either exist or have as components technology to avoid hacks (for example detecting suspect transactions), frauds and inappropriate transfer of information outside an organisation that shouldn’t be transferred. Rendering data unintelligible (for example through encryption) could avoid or mitigate regulatory issues in the event of any data being lost.”
Another way in which technology can help in this respect is in reducing the time companies have to spend dedicated to regulatory issues.
Greenyer, for example, says: “Applying technology to the day-to-day running of a business can free up time to concentrate on monitoring and maintenance and allow companies to meet their regulatory obligations more effectively and efficiently.”
While regulation is an important part of why technology has become a first-line defence in a company’s security system, it is far from the only one.
Rapidly advancing technology has left businesses and their customers potentially more vulnerable than ever before. A sensible use of technology, combined with staff training and well-thought-out best practices, is key to combating these threats.
Due to the variety of types of lender in motor finance (independent and captive, prime and non-prime, and so on), as well as the variety of threats, there is no single, catch-all solution to cybersecurity. In the majority of cases, lenders use at least some third-party technology to strengthen their security, as the companies behind these technologies are specialists in the field, and doing so frees up internal resources for the lender’s primary business purpose: lending.
As technology continues to improve, the task of keeping one step ahead of hackers and fraudsters is likely to become ever more technologically demanding.
For now, at least, it appears motor finance lenders are aware of this, and are investing for the future.