Macquarie Bank hiring those with fine arts degrees to help thwart cybercrime
While Macquarie Bank is a relatively small player in the Australian retail banking market, its MD and CEO Mary Reemst has said her organisation is still investing heavily in technology to improve client experience and interaction.
Speaking at the Australian Securities and Investments Commission’s (ASIC) Annual Forum 2019 in Sydney on Thursday, Reemst said Macquarie has been focused on cybersecurity as one specific area of technology investment that needs attention and constant development.
“We work in an environment where adversaries are harnessing new technologies and adapting their strategies with motivation varying from criminal intent to cyber espionage or hacktivism,” she said to the room of financial regulation-focused individuals.
“To counter this, cybersecurity must keep pace with this innovation and continuously evolve to address changes in risk, compliance, business, and technology.”
She said Macquarie has found cultural diversity to be highly important when it comes to cybersecurity.
“It enables us to think outside the box and think about challenges in different ways, from hiring fine arts graduates to returners — that is, people that have been out of the workforce for extended periods,” she explained. “We have had anecdotal success in approaching cyber risks through the diversity prism.”
To Reemst, it isn’t just the efforts made by Macquarie that protect it against the threat of cyber, as a successful approach requires other financial institutions, alongside regulators and the government, to work with one another to share information.
She said the real threat in the cyber landscape is the proficiency and patience of bad actors that are perhaps more well-resourced.
Using JP Morgan as an example, as Sally Auld — JP Morgan managing director, chief economist, and head of Australia and New Zealand fixed income and FX strategy — was also on the panel, Reemst said a collaborative approach is the best way forward.
“I think that we all have a combined interest in pooling together resources,” she said, in order to combat the threat. “There is no competitive advantage in having the best cybersecurity, because if JP Morgan gets hacked, that’s not good for me — it just happened to be JP Morgan,” Reemst said.
“The best thing is sharing resources, bringing together law enforcement agencies, bringing together regulators, bringing together government — and we’re starting to do this in Australia, but we also have a lot of examples of where this is happening overseas — and what it actually brings is not only prevention but near real-time information about threats that are being perpetrated … I think that is the essential enabler.”
She said that a “bad step” would be to not work together.
“The industry needs to be open to sharing data and information on solutions between each other and the other agencies,” Reemst continued. “By doing so, we can leverage our collective knowledge and resources to deliver better outcomes for all financial services clients and better tackle the criminals.
“It doesn’t matter which institution it is, if someone gets hit by a cybersecurity attack that’s significant, then the entire ecosystem will suffer,” Reemst added.
Agreeing with Reemst and sharing her organisation’s approach to cybersecurity, Auld said that globally, JP Morgan has around 3,000 cybersecurity staff.
“As a firm globally, I think we employ around 3,000 people who purely work on cybersecurity for us, nothing else except that. And from a budget perspective, I think we spend close to $600 million a year on this particular issue,” she explained.
“It’s interesting, often the people that we pull across to run some of these cybersecurity initiatives for us come from the US military, so there seems to be drawing on the expertise of the defence forces bringing that into the bank.”
Sharing an anecdote about appearing in front of parliamentary committees in the United Kingdom, UK Financial Conduct Authority chief executive Andrew Bailey said that when asked if he could give an assurance that incidents won’t happen again, he replied with “No”.
“On cyber I say, ‘Not only can I not assure you it won’t happen again, it’s probably happened while we’ve been talking’ and that’s the reality of the way we have to think about this risk,” he said.
“It knows no borders, and while we all have to address it in our domestic systems, the more we can do to collaborate on this, absolutely the better.”