Digitization and legacy systems in financial services: balancing the security risk
A study conducted by Deloitte back in 2016 found that 90% of senior executives in the financial services industry agreed or strongly agreed that digital technologies were disrupting the industry to a great or moderate extent. Fast-forward to 2023, and newcomers such as Monzo, Revolut and other fintechs are snapping up consumers with feature-heavy applications.
Established banks are expected to offer the same features and services as the companies at the forefront of digital innovation: improving the customer experience and launching new products and services more rapidly than ever before. According to a survey conducted by Mobiquity, 40% of respondents said they would switch accounts to access better digital tools, and they were more likely to do so than in previous years.
During the pandemic, 1 in 5 customers used online banking for the first time, and research shows that companies in general accelerated the digitisation of their customer interactions by 3-4 years.
What are legacy systems and how do they impact digital banking?
Legacy core banking systems are typically outdated mainframe-based platforms that run a bank's essential back-end operations, often with a history spanning several decades, reaching back as far as the 1970s. They keep the bank's key functions running: account opening, account setup, transaction processing, deposit processing and loan processing.
The 2022 World Retail Banking Report found that 95% of senior banking executives worldwide acknowledged that their legacy systems were hindering their ability to implement data-driven, customer-centric growth strategies. However, modernising to meet customer demands without taking the underlying core systems into account increases the likelihood of unpatched vulnerabilities being exploited. Outdated technology, misconfigurations and unpatched software in the legacy core mean that extra care must be taken with the external-facing systems that sit in front of it.
What are the biggest security challenges?
1. Higher risk of vulnerabilities
Older systems often lack the latest security patches and updates, making them more vulnerable. Identifying and patching vulnerabilities remains time-consuming and labour-intensive, and it does not scale easily. As banks add new internet-connected devices to the network, each one is another access point, and patching older vulnerabilities slips further down the to-do list.
Cybercriminals quickly capitalise on these overlooked old vulnerabilities. 76% of the vulnerabilities currently being exploited by ransomware groups were first discovered between 2010 and 2019. One example is CVE-2012-0158, a flaw in the Windows Common Controls ActiveX component used by Microsoft Office through which a crafted document can execute malicious code: attackers were still using it to launch ransomware attacks more than ten years after the vulnerability was disclosed.
2. Outdated security measures
Data locked away in legacy infrastructure is increasingly attractive to attackers because it is not backed up or protected by the controls used to safeguard the rest of the enterprise's data. Modern standard practices such as multi-factor authentication, single sign-on and role-based access control are not a given on these systems. Insufficient audit trails present a further challenge.
Accellion FTA, a file transfer appliance roughly twenty years old, gained attention after a zero-day exploit was reported; more than 300 organisations are known to have been affected. Morgan Stanley acknowledged that the attackers obtained an unspecified number of documents containing personal information such as customers' addresses and Social Security numbers. Accellion had stopped licensing FTA to new customers in 2016 but allowed existing customers to renew their licences, while warning them to migrate to its newer Kiteworks platform. In the financial services industry, 40% of applications have a window of exposure of 365 days or more on average; the Accellion breach is the outcome of a systemic failure to retire outdated systems.
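The two points above, old known-exploited vulnerabilities left in the backlog and a window of exposure measured in years, come together in how an external-facing patch backlog should be ordered. The script below is an added example written for this page; it is not Hadrian's code or the logic of any ASM product. It takes a constructed inventory of assets (hypothetical hosts under example.bank), cross-references each asset's CVEs with a constructed list of known-exploited vulnerabilities whose record keys mirror the CISA KEV JSON feed (the values are sample data, not the feed's real entries), scores only the internet-facing assets, and flags anything exposed for longer than the 365-day benchmark quoted above. The scoring weights are an assumption of this example, not an industry standard.

```python
"""Prioritise the patch backlog of internet-facing assets against a
known-exploited-vulnerability (KEV) list.

Added example: not Hadrian's code or any ASM product's logic. The asset
inventory and the KEV records are constructed for illustration; the record
keys mirror the CISA KEV JSON feed, the values are sample data only.
"""
import re
from dataclasses import dataclass
from datetime import date

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
EXPOSURE_LIMIT_DAYS = 365          # the "window of exposure" benchmark from the text
REPORT_DATE = date(2023, 6, 1)     # fixed "today" so the demo is reproducible


def cve_year(cve_id: str) -> int:
    """Year component of a CVE id, used as a proxy for the vulnerability's age."""
    m = CVE_RE.match(cve_id)
    if m is None:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    cves: tuple            # CVEs known to affect the deployed version
    first_seen: date       # when this vulnerable version was first observed
    internet_facing: bool  # ASM scope: only exposed assets are scored


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cve_age_years: int
    exposure_days: int
    ransomware_use: bool
    score: int


# Constructed inventory (hypothetical hosts; example.bank is not a real bank).
ASSETS = (
    Asset("fta.example.bank", "Accellion FTA", ("CVE-2021-27104",),
          date(2021, 1, 15), True),
    Asset("vdi.example.bank", "Microsoft Office", ("CVE-2012-0158",),
          date(2023, 3, 1), True),
    Asset("batch.internal", "Microsoft Office", ("CVE-2012-0158",),
          date(2010, 1, 1), False),
    Asset("www.example.bank", "Web frontend", (), date(2022, 5, 1), True),
)

# Constructed KEV-style records (keys as in the CISA KEV feed; values are sample data).
KEV_FEED = [
    {"cveID": "CVE-2012-0158", "vendorProject": "Microsoft", "product": "Office",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-27104", "vendorProject": "Accellion", "product": "FTA",
     "knownRansomwareCampaignUse": "Known"},
]


def score_finding(age_years: int, exposure_days: int, ransomware: bool) -> int:
    """Older, exploited-in-the-wild, long-exposed issues float to the top.
    The weights are an assumption of this example, not an industry standard."""
    score = 100                                   # present in the KEV list at all
    score += 50 if ransomware else 0              # used in ransomware campaigns
    score += min(age_years, 10) * 5               # age, capped at ten years
    score += 25 if exposure_days > EXPOSURE_LIMIT_DAYS else 0
    return score


def prioritize(assets, kev_feed, today: date):
    """Cross-reference exposed assets with the KEV feed; highest score first."""
    kev = {rec["cveID"]: rec for rec in kev_feed}
    findings = []
    for asset in assets:
        if not asset.internet_facing:
            continue  # internal assets stay in the normal patch cycle
        for cve in asset.cves:
            rec = kev.get(cve)
            if rec is None:
                continue  # not known-exploited: ordinary backlog, not the ASM queue
            age = today.year - cve_year(cve)
            exposure = (today - asset.first_seen).days
            ransomware = rec.get("knownRansomwareCampaignUse") == "Known"
            findings.append(Finding(asset.host, cve, age, exposure, ransomware,
                                    score_finding(age, exposure, ransomware)))
    findings.sort(key=lambda f: (-f.score, f.host))
    return findings


if __name__ == "__main__":
    for f in prioritize(ASSETS, KEV_FEED, REPORT_DATE):
        print(f"{f.score:4d} {f.host:20s} {f.cve}  age={f.cve_age_years}y "
              f"exposed={f.exposure_days}d ransomware={f.ransomware_use}")
```

With the sample data the eleven-year-old Office flaw outranks the newer appliance bug because age and in-the-wild exploitation carry more weight than how recently the exposed version appeared; the appliance still gets the over-365-days penalty. In practice `KEV_FEED` would be loaded from the CISA Known Exploited Vulnerabilities catalog and `ASSETS` from the asset inventory an ASM tool maintains.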
3. Talent shortages
Despite the generous salaries and benefits the financial services industry can offer, the talent shortage affects banks nonetheless, as the pool of candidates with the right skills shrinks. Only a limited number of experts possess both the technical and the institutional knowledge required to secure these internal systems.
Developed almost six decades ago, the Common Business-Oriented Language (COBOL) has progressively been replaced by newer, more flexible languages such as Java, C and Python. It nonetheless remains the backbone language of the majority of mainframe systems in the financial sector, and an estimated $3 trillion of daily commerce flows through systems written in COBOL. With the number of competent COBOL programmers dwindling, the risk of a misconfiguration that attackers can exploit rises.
Why do banks continue to use legacy systems?
1. Huge hazards of digital transformation
Rebuilding from scratch the systems that enable a bank's key functions is a daunting process that involves many risks: a report from McKinsey finds that only 30% of first-generation core banking platform rebuilds have been successful.
Mistakes when transferring data at scale can be catastrophic, as seen at TSB, which attempted to move the records of over 5 million customers from former owner Lloyds Banking Group to new systems. 1.9 million people were unable to access their accounts, and for some the problem lasted more than three weeks. The total loss was £176 million, excluding the incalculable damage to the bank's reputation.
2. Large costs of digitization
Successful digitisation can deliver real economic benefits. Moving email from on-premises servers to an established platform such as Microsoft Office 365 may be a simple move that yields a cost cut quickly, and the Bank of England estimates that ready-to-go cloud services could reduce technology costs in the finance industry by 30-50%.
Moving more intricate and antiquated legacy systems, however, brings greater migration difficulties and higher costs. The integration price tag can exceed $50 million for a medium-sized bank, depending on the complexity involved, and for larger banks it is not uncommon for the cost to range between $300 million and $400 million. It is unsurprising that banks are reluctant, given that the digitisation process does not guarantee success.
How ASM mitigates the risks for core banking systems
Legacy infrastructure needs to be updated, but it will likely be a slow process. Many banks will adopt a hybrid approach, keeping some legacy core infrastructure behind more modern customer-facing systems. Because the core is likely to carry exploitable vulnerabilities, it is essential that the customer-facing systems in front of it are secure. An attack surface management (ASM) solution can help find these risks; to learn more, contact Hadrian.