
FinTech Cybersecurity: An ASEAN Outlook

Highlights

Southeast Asia’s FinTech sector is growing at an exponential rate. While it offers many benefits for the region and beyond, rapid digital adoption in the ASEAN region has also created an opportunity for malicious actors to attack organizations and unsuspecting end-users alike. The COVID-19 pandemic has only increased reliance on the internet, giving fraudsters greater access to susceptible individuals to perpetrate cybercrime.

Small and medium enterprises (SMEs) are the backbone of the regional economy, accounting for between 89% and 99% of total establishments and between 52% and 97% of total employment in the ten ASEAN Member States.[1] This segment is vulnerable to attacks as it is often resource-challenged in preparing against sophisticated attacks.

Firms in the financial sector are attractive targets to cybercriminals due to the value of the data they handle. According to a recent study, financial services firms are 300 times more likely to face a cyberattack than other companies.[2]

TOP CYBERSECURITY THREATS IN ASEAN ECONOMIES

Phishing

Email has become the most prevalent medium for the delivery of phishing attacks. Phishing was responsible for the majority of breaches again this year. In 2019, across the world, 67% of breaches were caused by credential theft, errors and social attacks.[3]

Ransomware

Ransomware attacks continue to evolve and are very prominent on the cyberthreat landscape. 2020 saw a rise in the ransom demanded by hackers, which has increased by 60% since the start of the year to a global average of USD 178,000 per incident.[4]

Botnet

Botnets are networks of compromised computers and devices controlled by cyber criminals, which can be used to target financial institutions. Globally, 70% of breaches in 2020 were caused by external actors leveraging botnets and other mechanisms at their disposal.[5]

Cryptojacking

Unauthorized use of a victim’s computer to secretly mine cryptocurrency affects both businesses and individual users. Following the rise in value and popularity of cryptocurrencies, cryptojacking saw a 30% increase in early 2020 and is expected to rise further.[6]

Malware

Malicious software is installed on unsuspecting users’ devices to conduct nefarious activities. There was a 22% rise in publicly disclosed cybersecurity incidents in Q2 2020 and 35% of all reported incidents globally were malware attacks.[7]

Web and Mobile Application Attack

As organizations use more varied application stacks, the number of vulnerabilities in their web and mobile apps also rises. Attacks on web and mobile apps doubled from last year and are responsible for 43% of all external breaches worldwide.[8]

Global cost of cybercrime

2015: USD 3 trillion
2021: USD 6 trillion
2025: USD 10.5 trillion

Source: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Average cost of breach in ASEAN

2019: USD 2.51 million
2020: USD 2.71 million

Source: https://www.ibm.com/sg-en/security/data-breach

PAYPAL ASEAN FINTECH CYBERSECURITY SURVEY

The PayPal ASEAN FinTech Cybersecurity Study was commissioned to provide a snapshot of the ASEAN cybersecurity development and its impact on FinTechs in the region.

This report draws from a survey that was conducted with ASEAN-based FinTech companies in late 2019 to get their views on cybersecurity-related challenges and opportunities as well as the rapidly evolving cybersecurity regulatory landscape in the region. The survey results reflect the diverse nature of FinTech firms in the region. These firms often have to make difficult choices regarding resource allocation – which is exacerbated by the fact that nearly one-third of them have experienced a cybersecurity incident in the past year.

While most have prioritized cybersecurity while making budgetary and personnel decisions, some face challenges. This is a cause for concern considering how expensive and detrimental potential data breaches can be – to the firms themselves as well as to their customers.

[Figure 1: Have you experienced a cybersecurity incident in the past 12 months? Response options: Yes; No; Not Sure.]

Nearly one-third of the firms surveyed had experienced a cybersecurity incident in the past year.

Moreover, while these firms care deeply about cybersecurity, they are spending disproportionately on cybersecurity compliance – without necessarily receiving commensurate returns in terms of cyber resilience.

[Figure 2: Share of cybersecurity professionals in the organisation. Categories: Less than 1 person; 1 person; 2 persons; Between 3-5 persons; Between 6-10 persons; More than 10 persons.]

[Figure 3: Share of operating budget dedicated to cybersecurity. Categories: Less than 1%; 1% - 3%; 3% - 5%; More than 5%; Not Sure.]

[Figure 4: Hiring and investments priority areas (share of participants stating as priority). Categories: Data Security & Loss Protection; Regulatory Compliance; Authentication & Authorization; Incident Management; Network Security & End Point Protection; Third Party Management; Threat Intelligence; Security Assurance; Others.]

Even as regulatory requirements drive increased investments in cybersecurity, FinTechs in the region are still facing significant challenges in ensuring compliance. The results show that FinTech companies may need assistance messaging the importance of cybersecurity from a management priority and budget perspective. Research has shown that corporate stakeholders often have a myopic view of cyber risk, thinking that investing in new technologies will suffice to combat or mitigate it.

[Figure 5: Key driver for investments in cybersecurity (share of participants). Categories: Compliance requirements; Demand from customer; Cybersecurity efforts undertaken by peers; Others.]

[Figure 6: Challenges in complying with cybersecurity regulation (share of participants). Categories: Resources (compliance and certifications are expensive); Skillsets; Management prioritization; Others.]

Note: Other: Hacks; Fraud.

PAYPAL ASEAN FINTECH CYBERSECURITY MATRIX

Based on the survey results and open-source research, we developed the PayPal ASEAN FinTech Cybersecurity Matrix (“the Matrix”) to assess and analyze the cybersecurity regulatory ecosystem in the region for FinTech companies in the ASEAN member states. The Matrix provides a snapshot of the landscape at the time of the writing of this report, as analyzed from publicly available information.

PayPal ASEAN FinTech Cybersecurity Matrix 2020

Countries assessed: Brunei, Cambodia, Indonesia, Laos, Myanmar, Malaysia, Philippines, Singapore, Thailand, Vietnam

Rating key:

Present

In progress (includes instances where plans have been laid out but information about implementation is not publicly available)

Absent / Information not publicly available

LEGAL AND POLICY

Is there a cybersecurity law, regulation, or policy in place, either standalone or as part of a wider digital security framework?

Is there a national body/agency specifically responsible for cybersecurity (beyond the national CERT)?

Is there a regulatory sandbox for the FinTech sector run by the financial regulator/central bank?

KNOWLEDGE AND SKILLS

Is there a government-run national framework/program specifically devoted to developing cybersecurity skills (for SMEs, students, professionals, retirees, etc.)?

Is there a government-run national certification/accreditation framework for cybersecurity professionals?

Are there any government mechanisms to encourage skills and capacity-building in the field of cybersecurity – specifically for FinTech companies?

INVESTMENT AND SPENDING

Is there a national budget specifically devoted to cybersecurity?

Are there government-run funding programs devoted to helping FinTech companies strengthen their cybersecurity capabilities?

CYBER HYGIENE AND FINANCIAL LITERACY

Are there government-run public awareness campaigns developed and implemented specifically for cybersecurity?

Are there any government-run campaigns specifically devoted to strengthening consumers’ digital and financial literacy?

STAKEHOLDER COMMUNICATION AND COLLABORATION

Is there a government-led (semi-) formalized collaboration framework between the cybersecurity industry and the FinTech sector?

Are there any intergovernmental bilateral or multilateral agreements on growing, strengthening, or improving domestic FinTech sectors?

RECOMMENDATIONS

Here are six key recommendations to strengthen the ASEAN FinTech ecosystem for sustainable and inclusive growth in the region:

Develop principles-based cybersecurity regulations and frameworks driven by outcomes and evolving risks

More than two-thirds of respondent firms in our survey reported that compliance requirements are the key drivers for their investments in cybersecurity. However, it is important to note that compliance does not always equal security. ASEAN needs to move away from a rigid box-ticking approach towards cybersecurity to one that incentivizes investments in cyber resilience. We recommend the adoption of risk-based requirements commensurate with the level of risk and complexity of the financial services offered.

Invest in developing a strong cybersecurity workforce to support a resilient ecosystem

Even as the cyberthreat landscape continues to expand, across the world, about 3.5 million cybersecurity positions are expected to go unfilled in 2021. In our survey, we found that more than a quarter of FinTech firms do not have a dedicated cybersecurity expert in their organization. We recommend that ASEAN governments work closely with the private sector to increase talent development and access in order to adequately service the needs of business.

An important first step towards planning for the future would be the introduction of cybercrime mitigation, data analytics, automation technologies and cybersecurity skills in the primary and secondary education stages of the schooling systems in ASEAN, with educational pathways drawn through to university. We encourage the public and private sector to work together to encourage under-represented groups in the cybersecurity arena such as women and mid-career workers to consider a career in the sector. Additionally, ASEAN can see immense benefits from exploring innovative schemes like credential passporting across the region to enable easier movement of cybersecurity talent across Southeast Asia.

Enable adoption of strong cyber hygiene through ASEAN-level compatibility as well as alignment with global security standards

The ASEAN FinTech sector has the opportunity to reap the benefits of regional economies of scale. However, this can only be done if cybersecurity regulations and norms across the region are standardized. Cyberthreats are cross-border in nature and defending against them requires a collaborative approach. ASEAN should create a regional cybersecurity framework that is aligned with global standards and practices. Such a framework would enable exchange of innovative cyber defense measures and expertise and ensure the retirement of legacy processes that hold back technology adoption.

Promote a multilateral regulatory sandbox for knowledge sharing and risk management in the FinTech ecosystem

Sandboxes enable regulators to foster innovation in the FinTech ecosystem while also understanding potential risks of new products and the ways to protect their citizens and financial systems against such risks. Each ASEAN nation should host its own national sandbox in order to fully realize the benefits and the potential of the FinTech sector while also identifying country-specific risks and challenges. We recommend the establishment of formalized channels of collaboration and knowledge-sharing between national sandboxes in ASEAN to enable FinTech companies in the region to benefit from each other’s experiences and collaborate on innovations and risk mitigation. The long-term goal of these endeavors should be the creation of an ASEAN-wide sandbox – one that can help companies test their products designed with an ASEAN regional consumer base in mind.

Encourage public-private partnerships in research, hiring and information sharing

Multi-stakeholder consultative processes must become the norm in the creation of new cybersecurity regulations and policies. We encourage the creation of public-private forums for stakeholders from a diverse range of institutions to consult on new regulations, manpower, training needs, and to share best practices, among others. Additionally, we encourage improved collaboration on research efforts that bring together experts across the public, private, and academic sectors to create innovative solutions in cyber defense.

Establish comprehensive programs for training and awareness on fraud and security best practices for general public and businesses

Even the most sophisticated defense systems, the most advanced infrastructure, and the most rigorous cybersecurity laws cannot protect an ill-informed end-user. Newly digitalized consumers are especially vulnerable to cyberthreats and scams. As a result, there must be a concerted effort between governments, businesses, and academic institutions to educate the public about cyberthreats and the means to protect themselves against them. We recommend the establishment of a region-wide repository of cyber scams and threats for information sharing. Furthermore, ASEAN governments can implement and encourage internationally recognized best practices on anti-virus, patching, and anti-phishing standards.

REFERENCES

[1] https://www.ifac.org/knowledge-gateway/contributing-global-economy/discussion/smes-backbone-southeast-asia-s-growing-economy
[2] https://www.bcg.com/d/press/20june2019-global-wealth-report-222692
[3] https://enterprise.verizon.com/en-sg/resources/reports/dbir/
[4] https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report#1
[5] https://enterprise.verizon.com/en-sg/resources/reports/dbir/
[6] https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-cryptojacking
[7] McAfee’s Quarterly Threat Report November 2020 as quoted at https://www.infosecurity-magazine.com/news/covid-themed-attacks-surge/
[8] https://enterprise.verizon.com/en-sg/resources/reports/dbir/

FOR MORE INFORMATION, CONTACT:

Steven Chan, Senior Director and Regional Head of Government Relations, Asia-Pacific

Phoram Mehta, Chief Information Security Officer, Asia-Pacific

TO READ THE FULL REPORT, VISIT:

DISCLAIMER:

This [Highlights Document] should be read in conjunction with, and is qualified in its entirety by, the more detailed information contained in the Full Report (including, but not limited to, the Disclaimer Statement).