Case Study

Enhancing cybersecurity by reducing complexity for an entire industry

The financial services sector has a more detailed appreciation of risk and compliance than many other industries, and in a strictly regulated environment, it is critical that companies stay abreast of regulatory and technological developments.

The Challenge

Across the industry, financial institutions and insurance companies were diverting critical human and financial resources away from preventing cyber threats in order to manage burdensome compliance requirements. This complicated regulatory environment resulted in inefficiencies, lost time, and substantial financial impacts for financial institutions. According to the Banking Policy Institute, one chief information security officer indicated that his team lost 40% of their time reconciling various cybersecurity and regulatory frameworks. BCG Platinion was brought in by a global coalition of 150 companies to develop the architecture of a unified cybersecurity framework that would improve cybersecurity outcomes while reducing costs.

The Approach

Working with BITS, the technology division of the Banking Policy Institute, and a coalition of over 150 financial services institutions, BCG Platinion developed the Financial Sector Cybersecurity Framework Profile, which harmonizes and consolidates regulatory requirements. The project began with exhaustive reviews and analyses of disparate regulations and frameworks to create a single harmonized taxonomy and lexicon. Based on these insights, BCG Platinion provided technical thought leadership to the industry to achieve critical business and cybersecurity objectives while reducing costs. The process took 18 months and involved over 40 working sessions with more than 300 individual experts. Participating organizations ranged from community banks and credit unions to large multinational banking, investment, and insurance firms.

The Impact

  1. Created a flexible framework for companies of all sizes and complexities.
  2. Saved financial institutions countless hours and compliance costs.
  3. Addressed 80% to 90% of regulatory requirements, providing regulatory evidence to be shared among multiple regulators.

Looking Into the Future

The profile now allows institutions and individual regulators to focus on the core elements of their cybersecurity risk-management missions. And it eliminates the need to “reinvent the wheel” for every new rule. It is expected to address regulatory requirements at any given point in time, providing for a single set of regulatory evidence to be shared among multiple regulators. In this way, it frees regulators and companies to focus on the areas of the greatest priority and need.

