What are insider threats in cybersecurity?
This article explores the challenge of tackling the cybersecurity threats posed by people inside your organisation.
A new class of enabling technology known as RegTech is helping companies tackle spiralling compliance costs and dizzying data complexity.
Around 234 regulatory updates arrive every day, and the sheer volume of new regulations that come into force each year - 22,000 in 2022 alone - is the main reason RegTech exists. Digital tools that automate the processes associated with compliance are the only way to keep up efficiently.
Beyond the need to stay abreast of evolving regulations, RegTech is allowing hard-pressed compliance professionals to get on the front foot. And they’ll be able to be even more enterprising when they can start using data and events to help their businesses proactively build trust with regulators and customers and not just react to investigations and the threat of financial penalties.
The challenge for RegTech developers and their users is solving this regulatory conundrum, without adding significant additional costs. And to do that whilst tackling the increasing complexity and volumes of the data and events involved.
In heavily regulated industries such as finance, banking, and healthcare, RegTech already plays a crucial role, helping businesses to enhance existing systems and processes in an effort to meet current requirements and handle new regulations as they emerge.
Fundamentally, RegTech is about keeping business and client records compliant, safe and secure, while at the same time providing evidence that compliance is happening and supporting investigations if things go wrong.
Regulated, multi-national businesses don’t exist as isolated islands with complete control over how data flows both internally and externally. They’re part of complex digital ecosystems with increasingly blurred boundaries between them and the outside world.
These ecosystems are not just complex, they’re busy and only partially managed. Huge amounts of data flow across the ecosystem, and innumerable events are associated with that data, such as how it is queried or shared. This happens in a myriad of ways that range from highly controlled (for example, how data about people is stored) to almost entirely unmanaged (for example, WhatsApp messages about deals sent between people).
At the same time, people’s expectations for how data is used are changing. Regulators, shareholders, customers and partners want access to data that concerns them. They want to know what’s happened with that data. They want detail, and they want it fast.
The challenge businesses have? To get enough control over this messy ecosystem so they can embrace digital innovations, like automation. And to do that without losing the trust of regulators and customers.
RegTech tackles these challenges head-on. It employs automation as its weapon of choice to handle reporting, risk management, compliance monitoring, and data privacy.
By introducing self-operating workflows into manual compliance processes, RegTech aspires to free leaders from the torment of keeping up with regulatory updates. They can then start dreaming up plans for getting into safer waters and have fewer nightmares about being sucked into a dark whirlpool of regulatory woe.
RegTech emerged as a post-financial crisis response to increasing data volumes, escalating regulatory demands and process complexity. Early RegTech solutions focused on improving efficiency and accuracy by automating manual compliance processes, such as data collection, reporting, and record-keeping.
Over time, RegTech began branching out into industry-specific tools and functions. More sophisticated techniques emerged as the demand for comprehensive and agile compliance solutions grew. Automation of complex compliance tasks, real-time monitoring of regulatory changes, and enhanced risk assessment capabilities entered the RegTech arena as multi-faceted solutions to various business and compliance problems.
Risk management, trend identification, predictive analytics and real-time data monitoring are all now part of RegTech’s capabilities.
Should everyone get on board the RegTech train? Probably. Are there downsides? Yes, there are. The RegTech industry has yet to resolve significant cost, data complexity and authenticity issues.
The cost of compliance is eye-watering. In highly regulated sectors like finance, compliance is estimated to cost around $10,000 per employee per year, with an average spend of $200 million per annum. According to Deloitte, that’s an increase of 60% since the financial crisis of 2008.
This is where RegTech can run into problems. Replicating, storing and connecting large datasets can be prohibitively expensive. It’s estimated that an average US bank holds around 1 exabyte of data. That’s a million terabytes. At the time of writing, the cost to replicate just 5TB of that data over to a cloud-based monitoring platform can be as much as £11,000 per day.
Not every piece of data needs monitoring or duplicating. But the limitation is clear: you need all your data if you want a complete picture and the ability to analyse and monitor everything, yet that isn’t financially viable. These costs can be reduced, but only at the expense of being able to conduct a full analysis, and that still ignores the additional costs of connecting the data, the compliance solutions themselves and archiving.
The complexity of data ecosystems also presents challenges to RegTech.
Geographic location is one example of this complexity, and it is crucial to consider when capturing or archiving data for compliance purposes. Archived data often needs to remain within compliant regions. Customers and vendors must be able to accommodate this requirement, which calls for a complex data architecture. Additionally, data must often be backed up in a different location within the same region to enhance data security and meet compliance rules.
Regulated customers must be able to adapt quickly to the rapid rate of change in data regulation. However, managing the multiple compliance solutions and vendors needed to keep up with change can be challenging and costly.
As the amount of data generated by regulated businesses increases each year, IT and compliance teams face the challenge of distinguishing between data that is relevant for compliance purposes and data that can be discarded. The required data is often part of a larger dataset, making it difficult to extract a single data item or event in isolation. Often the only option is to extract the entire dataset. RegTech will have to improve the efficiency of data filtering as it develops.
The retention of only essential data for compliance will also become crucial as this will minimise complexity, facilitate investigation processes, and reduce the overall cost of archiving.
Authenticity is the final challenge for RegTech. To ensure the authenticity of data and evidence for compliance requests, organisations need to be able to prove their validity when challenged. However, event logs and data can be tampered with.
Without an immutable and defensible audit log, it becomes easy to doubt the evidence, rendering it of little value in a legal response.
This is where blockchain comes in. It presents an opportunity for businesses who want to strengthen their compliance capabilities by reducing costs, tackling complexity and improving the defensibility of data sources.
A key principle of blockchain systems is providing a transparent, shareable and immutable record of data and transactions.
RegTech, backed by blockchain-powered, enterprise-ready systems such as FALKOR, therefore offers the potential for trustworthy visibility into every nook and cranny of a company’s data ecosystem.
This kind of system would observe and record every move by participating parties, providing an additional layer of protection and recording at no extra storage cost. This layer has a key output: an Immutable Audit Log.
An Immutable Audit Log is a secure record of how a system has been used, including how data arrives, changes, departs and is used. It is tamper-evident: once an event has been recorded and its digest anchored outside the system that produced it, even users with high-level system privileges cannot alter the recorded event without the change being detectable.
Accountability and deterrence are what make Immutable Audit Logs valuable.
There are three main use cases for Immutable Audit Logs:
The solution we envisage focuses on capturing specific events and logging them immutably using a blockchain platform. This can be done either on-chain or off-chain.
The solution will enable increased granularity by capturing logs and event data, reducing costs through efficient search and storage, and promoting transparency and trust. The distributed ledger approach also enhances data redundancy, making it more secure and less prone to corruption or loss.
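The two properties described above, a log that exposes any edit to a recorded event and an off-chain log whose small digest is anchored on-chain, can be illustrated with a hash-chained log and a Merkle root. The following is an added example written for this article; it is not FALKOR code or any other ByzGen implementation, and the event records, field names and the idea of a daily "published anchor" are constructed for illustration. The on-chain write itself is left out: the point is what the anchor buys you. A hash chain alone catches a careless in-place edit, but an insider with enough privilege can rewrite the event and recompute every later hash so the chain still verifies; only comparison against a digest they could not change (the anchor) exposes that.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # back-link of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int
    event: dict
    prev_hash: str
    entry_hash: str


def entry_digest(seq: int, event: dict, prev_hash: str) -> str:
    """Each entry commits to its position, its content and the previous entry."""
    return sha256_hex(canonical({"seq": seq, "event": event, "prev": prev_hash}))


class HashChainLog:
    """Off-chain audit log held by the regulated business itself."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, event: dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, event, prev, entry_digest(seq, event, prev))
        self.entries.append(entry)
        return entry

    def first_broken_link(self) -> Optional[int]:
        """Index of the first entry whose hash or back-link fails to verify, else None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or e.entry_hash != entry_digest(i, e.event, prev):
                return i
            prev = e.entry_hash
        return None

    def merkle_root(self) -> str:
        """One digest over all entry hashes: the small value that would be written on-chain."""
        level = [e.entry_hash for e in self.entries]
        if not level:
            return GENESIS
        while len(level) > 1:
            if len(level) % 2 == 1:
                level.append(level[-1])  # duplicate the odd leaf out
            level = [sha256_hex(bytes.fromhex(level[i] + level[i + 1]))
                     for i in range(0, len(level), 2)]
        return level[0]


# Constructed sample events for the example; not real log data.
SAMPLE_EVENTS = [
    {"actor": "alice", "action": "read", "object": "client/4471"},
    {"actor": "bob", "action": "export", "object": "trades/2023-Q4"},
    {"actor": "alice", "action": "update", "object": "client/4471"},
    {"actor": "svc-archiver", "action": "archive", "object": "trades/2023-Q4"},
]


def build_log(events=SAMPLE_EVENTS) -> HashChainLog:
    log = HashChainLog()
    for ev in events:
        log.append(ev)
    return log


def demo() -> Dict[str, object]:
    log = build_log()
    published_anchor = log.merkle_root()  # assume this was anchored on-chain at close of day

    # Case 1: an edit in place. The chain itself points at the tampered entry.
    edited = build_log()
    old = edited.entries[1]
    edited.entries[1] = Entry(1, dict(old.event, actor="charlie"), old.prev_hash, old.entry_hash)

    # Case 2: a privileged insider rewrites the event AND recomputes every later hash.
    rewritten_events = [dict(e) for e in SAMPLE_EVENTS]
    rewritten_events[1]["actor"] = "charlie"
    rewritten = build_log(rewritten_events)

    return {
        "clean_chain_ok": log.first_broken_link() is None,
        "clean_anchor_matches": log.merkle_root() == published_anchor,
        "in_place_broken_at": edited.first_broken_link(),
        "rewrite_chain_ok": rewritten.first_broken_link() is None,
        "rewrite_anchor_matches": rewritten.merkle_root() == published_anchor,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, the second case is the one to look at: the rewritten log passes its own chain check, so a reviewer with access only to the log would see nothing wrong; the mismatch against the anchor is what makes the log defensible. In practice the anchor is written to the ledger on a schedule, and an investigator verifying an archived log recomputes the root and compares it with the value recorded on-chain for that period.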
By improving communication and ensuring data consistency across multiple entities, blockchain can enhance the efficiency of compliance investigations.
In this article, ByzGen’s CTO, Terry Leonard, explores blockchain's role in supplementing and boosting existing security tactics.