fintech cybersecurity - paypal
FINTECH CYBERSECURITY: AN ASEAN OUTLOOK 11
Southeast Asia’s FinTech sector is growing at an exponential rate. While it offers many benefits for the region and beyond, rapid digital adoption in the ASEAN region has also created an opportunity for malicious actors to attack organizations and unsuspecting end-users alike. The COVID-19 pandemic has only increased reliance on the internet, giving fraudsters greater access to susceptible individuals to perpetrate cybercrime.
Small and medium enterprises (SMEs) are the backbone of the regional economy, accounting for between 89% and 99% of total establishments and between 52% and 97% of total employment in the ten ASEAN Member States.[1] This segment is vulnerable to attacks as it is often resource-challenged in preparing against sophisticated attacks.
Firms in the financial sector are attractive targets to cybercriminals due to the value of the data they handle. According to a recent study, financial services firms are 300 times more likely to face a cyberattack than other companies.[2]
TOP CYBERSECURITY THREATS IN ASEAN ECONOMIES
Phishing
Email has become the most prevalent medium for the delivery of phishing attacks. Phishing was responsible for the majority of breaches again this year. In 2019, across the world, 67% of breaches were caused by credential theft, errors and social attacks.[3]
Ransomware
Ransomware attacks continue to evolve and are very prominent on the cyberthreat landscape. 2020 saw a rise in the ransom demanded by hackers, which has increased by 60% since the start of the year to a global average of USD 178,000 per incident.[4]
Botnet
Botnets are networks of compromised computers and devices controlled by cyber criminals, which can be used to target financial institutions. Globally, 70% of breaches in 2020 were caused by external actors leveraging botnets and other mechanisms at their disposal.[5]
Cryptojacking
Unauthorized use of a victim’s computer to secretly mine cryptocurrency affects both businesses and individual users. Following the rise in value and popularity of cryptocurrencies, cryptojacking saw a 30% increase in early 2020 and is expected to rise further.[6]
Malware
Malicious software is installed on unsuspecting users’ devices to conduct nefarious activities. There was a 22% rise in publicly disclosed cybersecurity incidents in Q2 2020 and 35% of all reported incidents globally were malware attacks.[7]
Web and Mobile Application Attack
As organizations use more varied application stacks, the number of vulnerabilities in their web and mobile apps also rises. Attacks on web and mobile apps doubled from last year and are responsible for 43% of all external breaches worldwide.[8]
Global cost of cybercrime: USD 3 trillion (2015), USD 6 trillion (2021), USD 10.5 trillion (2025)
Source: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
Average cost of breach in ASEAN: USD 2.51 million (2019), USD 2.71 million (2020)
Source: https://www.ibm.com/sg-en/security/data-breach
The PayPal ASEAN FinTech Cybersecurity Study was commissioned to provide a snapshot of the ASEAN cybersecurity development and its impact on FinTechs in the region.
PAYPAL ASEAN FINTECH CYBERSECURITY SURVEY
This report draws from a survey that was conducted with ASEAN-based FinTech companies in late 2019 to get their views on cybersecurity-related challenges and opportunities as well as the rapidly evolving cybersecurity regulatory landscape in the region. The survey results reflect the diverse nature of FinTech firms in the region. These firms often have to make difficult choices regarding resource allocation – which is exacerbated by the fact that nearly one-third of them have experienced a cybersecurity incident in the past year.
While most have prioritized cybersecurity while making budgetary and personnel decisions, some face challenges. This is a cause for concern considering how expensive and detrimental potential data breaches can be – to the firms themselves as well as to their customers.
Figure 1: Have you experienced a cybersecurity incident in the past 12 months? (Responses: Yes; No; Not Sure)
Nearly one-third of the firms surveyed had experienced a cybersecurity incident in the past year.
Moreover, while these firms care deeply about cybersecurity, they are spending disproportionately on cybersecurity compliance – without necessarily receiving commensurate returns in terms of cyber resilience.
Figure 2: Share of cybersecurity professionals in the organisation (Categories: Less than 1 person; 1 person; 2 person; Between 3-5 person; Between 6-10 person; More than 10 person)
Figure 3: Share of operating budget dedicated to cybersecurity (Categories: Less than 1%; 1% - 3%; 3% - 5%; More than 5%; Not Sure)
Figure 4: Hiring and investments priority areas, by share of participants stating as priority (Areas: Data Security & Loss Protection; Regulatory Compliance; Authentication & Authorization; Incident Management; Network Security & End Point Protection; Third Party Management; Threat Intelligence; Security Assurance; Others)
Even as regulatory requirements drive increased investments in cybersecurity, FinTechs in the region are still facing significant challenges in ensuring compliance. The results show that FinTech companies may need assistance messaging the importance of cybersecurity from a management priority and budget perspective. Research has shown that corporate stakeholders often have a myopic view of cyber risk, thinking that investing in new technologies will suffice to combat or mitigate it.
Figure 5: Key driver for investments in cybersecurity, by share of participants (Drivers: Compliance requirements; Demand from customer; Cybersecurity efforts undertaken by peers; Others)
Figure 6: Challenges in complying with cybersecurity regulation, by share of participants (Challenges: Resources (compliance and certifications are expensive); Skillsets; Management prioritization; Others)
Note: Other: Hacks; Fraud.
PAYPAL ASEAN FINTECH CYBERSECURITY MATRIX
Based on the survey results and open-source research, we developed the PayPal ASEAN FinTech Cybersecurity Matrix (“the Matrix”) to assess and analyze the cybersecurity regulatory ecosystem in the region for FinTech companies in the ASEAN member states. The Matrix provides a snapshot of the landscape at the time of the writing of this report, as analyzed from publicly available information.
PayPal ASEAN FinTech Cybersecurity Matrix 2020
Countries assessed: Brunei, Cambodia, Indonesia, Laos, Myanmar, Malaysia, Philippines, Singapore, Thailand, Vietnam
Assessment areas: LEGAL AND POLICY; KNOWLEDGE AND SKILLS; INVESTMENT AND SPENDING; CYBER HYGIENE AND FINANCIAL LITERACY; STAKEHOLDER COMMUNICATION AND COLLABORATION
Questions assessed for each country:
Is there a cybersecurity law, regulation, or policy in place, either standalone or as part of a wider digital security framework?
Is there a national body/agency specifically responsible for cybersecurity (beyond the national CERT)?
Is there a regulatory sandbox for the FinTech sector run by the financial regulator/central bank?
Is there a government-run national framework/program specifically devoted to developing cybersecurity skills (for SMEs, students, professionals, retirees, etc.)?
Is there a government-run national certification/accreditation framework for cybersecurity professionals?
Are there any government mechanisms to encourage skills and capacity-building in the field of cybersecurity – specifically for FinTech companies?
Is there a national budget specifically devoted to cybersecurity?
Are there government-run funding programs devoted to helping FinTech companies strengthen their cybersecurity capabilities?
Are there government-run public awareness campaigns developed and implemented specifically for cybersecurity?
Are there any government-run campaigns specifically devoted to strengthening consumers’ digital and financial literacy?
Is there a government-led (semi-) formalized collaboration framework between the cybersecurity industry and the FinTech sector?
Are there any intergovernmental bilateral or multilateral agreements on growing, strengthening, or improving domestic FinTech sectors?
Legend:
Present
In progress (includes instances where plans have been laid out but information about implementation is not publicly available)
Absent / Information not publicly available
RECOMMENDATIONS
Here are six key recommendations to strengthen the ASEAN FinTech ecosystem for sustainable and inclusive growth in the region:
Develop principles-based cybersecurity regulations and frameworks driven by outcomes and evolving risks
More than two-thirds of respondent firms in our survey reported that compliance requirements are the key drivers for their investments in cybersecurity. However, it is important to note that compliance does not always equal security. ASEAN needs to move away from a rigid box-ticking approach towards cybersecurity to one that incentivizes investments in cyber resilience. We recommend the adoption of risk-based requirements commensurate with the level of risk and complexity of the financial services offered.
Invest in developing a strong cybersecurity workforce to support a resilient ecosystem
Even as the cyberthreat landscape continues to expand, across the world, about 3.5 million cybersecurity positions are expected to go unfilled in 2021. In our survey, we found that more than a quarter of FinTech firms do not have a dedicated cybersecurity expert in their organization. We recommend that ASEAN governments work closely with the private sector to increase talent development and access in order to adequately service the needs of business.
An important first step towards planning for the future would be the introduction of cybercrime mitigation, data analytics, automation technologies and cybersecurity skills in the primary and secondary education stages of the schooling systems in ASEAN, with educational pathways drawn through to university. We encourage the public and private sector to work together to encourage under-represented groups in the cybersecurity arena such as women and mid-career workers to consider a career in the sector. Additionally, ASEAN can see immense benefits from exploring innovative schemes like credential passporting across the region to enable easier movement of cybersecurity talent across Southeast Asia.
Enable adoption of strong cyber hygiene through ASEAN-level compatibility as well as alignment with global security standards
The ASEAN FinTech sector has the opportunity to reap the benefits of regional economies of scale. However, this can only be done if cybersecurity regulations and norms across the region are standardized. Cyberthreats are cross-border in nature and defending against them requires a collaborative approach. ASEAN should create a regional cybersecurity framework that is aligned with global standards and practices. Such a framework would enable exchange of innovative cyber defense measures and expertise and ensure the retirement of legacy processes that hold back technology adoption.
Promote a multilateral regulatory sandbox for knowledge sharing and risk management in the FinTech ecosystem
Sandboxes enable regulators to foster innovation in the FinTech ecosystem while also understanding potential risks of new products and the ways to protect their citizens and financial systems against such risks. Each ASEAN nation should host its own national sandbox in order to fully realize the benefits and the potential of the FinTech sector while also identifying country-specific risks and challenges. We recommend the establishment of formalized channels of collaboration and knowledge-sharing between national sandboxes in ASEAN to enable FinTech companies in the region to benefit from each other’s experiences and collaborate on innovations and risk mitigation. The long-term goal of these endeavors should be the creation of an ASEAN-wide sandbox – one that can help companies test their products designed with an ASEAN regional consumer base in mind.
Encourage public-private partnerships in research, hiring and information sharing
Multi-stakeholder consultative processes must become the norm in the creation of new cybersecurity regulations and policies. We encourage the creation of public-private forums for stakeholders from a diverse range of institutions to consult on new regulations, manpower, training needs, and to share best practices, among others. Additionally, we encourage improved collaboration on research efforts that bring together experts across the public, private, and academic sectors to create innovative solutions in cyber defense.
Establish comprehensive programs for training and awareness on fraud and security best practices for general public and businesses
Even the most sophisticated defense systems, the most advanced infrastructure, and the most rigorous cybersecurity laws cannot protect an ill-informed end-user. Newly digitalized consumers are especially vulnerable to cyberthreats and scams. As a result, there must be a concerted effort between governments, businesses, and academic institutions to educate the public about cyberthreats and the means to protect themselves against them. We recommend the establishment of a region-wide repository of cyber scams and threats for information sharing. Furthermore, ASEAN governments can implement and encourage internationally recognized best practices on anti-virus, patching, and anti-phishing standards.
REFERENCES
1. https://www.ifac.org/knowledge-gateway/contributing-global-economy/discussion/smes-backbone-southeast-asia-s-growing-economy
2. https://www.bcg.com/d/press/20june2019-global-wealth-report-222692
3. https://enterprise.verizon.com/en-sg/resources/reports/dbir/
4. https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report#1
5. https://enterprise.verizon.com/en-sg/resources/reports/dbir/
6. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-cryptojacking
7. McAfee’s Quarterly Threat Report November 2020 as quoted at https://www.infosecurity-magazine.com/news/covid-themed-attacks-surge/
8. https://enterprise.verizon.com/en-sg/resources/reports/dbir/
DISCLAIMER:
This [Highlights Document] should be read in conjunction with, and is qualified in its entirety by, the more detailed information contained in the Full Report (including, but not limited to, the Disclaimer Statement).
TO READ THE FULL REPORT, VISIT:
FOR MORE INFORMATION, CONTACT:
Steven Chan, Senior Director and Regional Head of Government Relations, Asia-Pacific
Phoram Mehta, Chief Information Security Officer, Asia-Pacific