Building back better: Cybersecurity considerations for Islamic financial institutions

This article was first published in IFN Volume 18 Issue 42 dated 20 October 2021.

Oliver Dowden, the UK secretary of state for digital, culture, media and sport, recently said that, following Brexit, UK data laws could be reformed to involve “less box-ticking”. Dowden did not give any indication of how the rules might change but, on the face of it, the prospect of withdrawing a number of consumer data privacy policies, such as cookie requests, is an appealing prospect to many. Zahir Nayani writes.

As we know, the General Data Protection Regulation (GDPR) was introduced by the EU in 2018, and became part of UK law as part of the Data Protection Act 2018 and established more stringent standards for how organizations use personal data than had previously been in force.

The “Brexit dividend” referred to by Dowden remains to be seen, with often-stretched operations and risk management teams of many of the UK's Islamic financial institutions having already expended  considerable resources in laying the groundwork for GDPR in 2018.

Augmented with challenges faced by senior management teams in the transition to a ‘blended’ working environment, one can see how the prospect of pivoting business data strategies to a new set of regulations might be overwhelming.

That said, it has arguably never been a better time for firms to accelerate their digital transformations given the impact of COVID-19 on cyber risk and the reputational, operational and legal implications of non-compliance — often exacerbated by many employees continuing to work flexibly and, in some instances, without 'cyber-safe' remote-working environments.

On a granular level, heavy reliance on videoconferencing platforms during the pandemic resulted in the personal data of 500,000 people being compromised between February 2020 and May 2020 alone, with 'credential stuffing' an increasingly common technique used by hackers to manipulate personal accounts across a myriad of platforms.

In the UK specifically, Islamic financial institutions whose parent companies are located outside of the EU, such as the GCC countries — as well as investment advisory firms which routinely share sensitive data with investors in those jurisdictions — ought to be particularly mindful of cybersecurity risks as, in general, the concept of data protection is relatively new to GCC countries.

The need to exercise continued caution when processing and storing personal data applies equally to those UK Islamic financial institutions which offer home purchase plans and other products to a wide range of retail customers, not least due to Principles 3, 6 and 7 of the FCA Handbook which, among other matters, require firms to organize and control their affairs responsibly and effectively, with adequate risk management systems.

The need for robust cybersecurity measures has never been more pressing, with the acceleration of the digital economy aided by COVID-19 thrusting many traditional firms to reassess their historic  approach to cybersecurity.

According to the US Commerce Department, e-commerce accounted for 16.1% of retail sales in the second quarter of 2020, up from 10.8% the year before. As the UK emerges from the COVID-19 pandemic, organizations might also consider what more they can do to manage cybersecurity risks in a ‘blended’ working environment.

According to the Cyber Security Breaches Survey 2021 released by the UK Department for Digital, culture, Media and Sport:

• Three in 10 businesses (31%) have a business continuity plan that covers cybersecurity.
• A quarter of businesses (23%) have cybersecurity policies that cover home working.
• A fifth of businesses (18%) have policies that cover the use of personal devices for work.
• Over four in 10 businesses (46%) are using smart (i.e. network-connected) devices in workplaces.

In conclusion, the importance of robust cybersecurity measures cannot be overstated. According to Mimecast, more than six in 10 companies suffered a ransomware attack last year with, on average, organizations experiencing six days of downtime as a result — double the amount of time as the year before.

As the global economy begins to return to some semblance of normality — and management teams of Islamic financial institutions focusing firmly on meeting financial targets for the year ahead — it would be easy for seemingly less exciting topics such as cybersecurity to be overlooked in the return to the office. However, if COVID-19 has taught us anything, it is that black swan events might be closer on the horizon than we think.