Thoughts from the CTO: Cybersecurity and Privacy

In my opinion, 2017 was the year nothing seemed safe. Various data breaches were reported – Equifax being one of the worst breaches of all time. The cat and mouse game of cybersecurity measures and countermeasures between financial institutions and hackers continued all over the world. Fintech firms, especially the successful ones, have also become an attractive target for hackers. For this reason, making cybersecurity an integral part of the software development life cycle is a requirement that’s been trumpeted by security experts for years now.

It is more easily said than done, but with increased awareness and fear of a breach, firms are now becoming more and more proactive about cybersecurity. While the big banks standing at the frontline of many cybersecurity attacks are resourceful and experienced, new fintech firms have the advantage of being more agile and quicker to adopt cybersecurity innovation.

Artificial Intelligence (AI) and Machine Learning (ML) are increasingly being used in this space as well for predicting whether a certain activity or event may be a cybersecurity threat. This is done by learning patterns over time and identifying activities or events that deviate from known patterns. AI-based threat detection is used for identifying attempts to hack the system. It is also used for automating “threat hunting” activities, continuously scanning the system to detect an existing breach. Once detected, these tools can be authorized to automatically take action and block the threat.
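To make the "learn patterns, then flag deviations" idea concrete, here is a small behavioural-baseline detector as an added example; it is not code from the original post or from any product the post refers to. It learns, per account, the hours and countries seen in historical logins plus the mean and spread of daily login counts, then scores a new day's events against that baseline. All events, account names, the country codes and the z-score threshold are constructed assumptions for illustration.

```python
"""Toy behavioural baseline: learn per-account login patterns, then flag deviations.

Added example. All events are constructed sample data; thresholds are assumptions.
"""
import statistics
from collections import Counter, defaultdict

# Constructed history: (account, day, hour_of_day, country).
# alice logs in at 09:00, 10:00 and 14:00 from CA every day for ten days;
# bob logs in at 08:00 and 17:00 from US every day for ten days.
HISTORY = [
    ("alice", d, h, "CA") for d in range(1, 11) for h in (9, 10, 14)
] + [
    ("bob", d, h, "US") for d in range(1, 11) for h in (8, 17)
]

# Constructed observations for a new day to be scored.
NEW_DAY = [
    ("alice", 11, 9, "CA"),   # ordinary
    ("alice", 11, 3, "CA"),   # unusual hour for this account
    ("bob", 11, 8, "US"),     # ordinary
    ("bob", 11, 8, "RO"),     # country never seen for this account (placeholder value)
] + [("bob", 11, 17, "US")] * 6   # six extra logins: a volume spike


def learn_baseline(events):
    """Learn per-account hour histogram, country set and daily-count statistics."""
    hours = defaultdict(Counter)
    countries = defaultdict(set)
    daily = defaultdict(Counter)  # account -> day -> number of logins
    for account, day, hour, country in events:
        hours[account][hour] += 1
        countries[account].add(country)
        daily[account][day] += 1
    baseline = {}
    for account in hours:
        counts = list(daily[account].values())
        baseline[account] = {
            "hours": hours[account],
            "countries": countries[account],
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
        }
    return baseline


def score_day(baseline, events, z_threshold=3.0):
    """Return (account, reason) alerts for events that deviate from the baseline."""
    alerts = []
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev[0]].append(ev)
    for account, evs in per_account.items():
        b = baseline.get(account)
        if b is None:
            alerts.append((account, "no baseline for this account"))
            continue
        for _, _, hour, country in evs:
            if hour not in b["hours"]:
                alerts.append((account, f"login at unusual hour {hour}"))
            if country not in b["countries"]:
                alerts.append((account, f"login from unseen country {country}"))
        # Volume check: a perfectly regular history has zero spread, so use a
        # floor of one login as the unit of deviation (an assumption of this toy).
        n = len(evs)
        stdev = b["stdev"] or 1.0
        z = (n - b["mean"]) / stdev
        if z > z_threshold:
            alerts.append(
                (account, f"daily volume {n} vs baseline mean {b['mean']:.1f} (z={z:.1f})")
            )
    return alerts


if __name__ == "__main__":
    for account, reason in score_day(learn_baseline(HISTORY), NEW_DAY):
        print(f"ALERT {account}: {reason}")
```

Run as a script it prints three alerts: alice's 03:00 login, bob's login from an unseen country, and bob's eight logins against a baseline of two per day. Real AI-based tools replace these hand-written rules with learned models over many more features, but the shape is the same: a baseline built from history, a score for each new event, and a threshold that decides when an analyst (or an automated block) is triggered.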

AI-based cybersecurity tools are being commoditized and will become available for more and more organizations as an additional layer on top of their existing cybersecurity tools.

At the regulatory level, the European General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. The goal of the GDPR is to protect all EU citizens from privacy and data breaches. GDPR applies to all companies processing personal data in the EU, regardless of the company’s location. GDPR requires companies to get explicit consent from users in order to use their personal data, give users access to their personal data upon demand, and allow users to move their personal data to another company or delete it altogether. GDPR makes breach notifications and the appointment of Data Protection Officers mandatory, and Privacy by Design a legal requirement. Furthermore, it lays out heavy penalties for companies that do not comply.

The GDPR will certainly affect all Canadian and US companies that have a European presence. But will it drive change in the privacy and data protection laws in Canada and the US? Only time will tell.

If you like this article, read the previous post in my “Thoughts from the CTO” series, about AI-Based Financial Management.