Cyber Risk and Digital Identity

Tuesday 25 April 2017

When it comes to digital identity and cyber risk, the discussion can sometimes seem endless. At the recent ASIC Annual Forum 2017, it therefore came as little surprise that the focus was on technology and its impact on regulators and industry alike. And according to ASIC Chairman, Greg Medcraft, cyber technology could well be the next ‘black swan’.

One thing is clear, however: technological infrastructure has a long way to go before it can truly be global.

“Digital Identity,” Medcraft told attendees, “is a ‘work-in-progress’ area.”

Digital identity first?
The success of an interconnected fintech framework depends on global digital identities for users. However, how do these digital identities remain stable as new risks emerge in the digital space? Is such a thing even possible?

Sopnendu Mohanty, Chief Fintech Officer at the Monetary Authority of Singapore (MAS), suggested that one way to tackle the issue is to develop a state-of-the-art infrastructure with a strong policy around digital identity.

“Once you have a strong understanding around that, and the infrastructure is built, then you start talking about all the applications around that infrastructure,” he explained.

Mohanty went on to say that the second building block focusses on open architecture. “How you build an interconnected, open architecture that maintains a certain standard?”

The third building block is cloud computing. There, Mohanty believes there would be cyber security ‘by design’.

The vulnerability of digital identity

When it comes to the vulnerabilities inherent in digital identities, however, Medcraft argued the question of a solid or fixed digital identity is transient. What may be a strong digital identity today will not, necessarily, be one tomorrow. According to Medcraft, the emphasis instead needs to be on being dynamic and on cyber resilience.

Maureen Jensen, Chair and CEO, Ontario Securities Commission (OSC), said that one of the challenges is that many jurisdictions do not yet have digital identities. Until their innovation reaches that point, therefore, resilience must remain the starting point.

“I think digital ID is the bottom-line entry point for all nations to actually reach the stage where we can have open data, and cloud access, and all of that,” Jensen said.

Paul Mautaura, Chief Executive of the Kenyan regulator, Capital Markets Authority (CMA), illustrated this transience and vulnerability of the present digital identity. Mautaura said one of the challenges with M-Pesa, the Kenyan mobile app, is that it is evolving quickly, but that this, in itself, causes issues when it comes to digital identity.

“We’ve had situations where individuals are saying, ‘I am being reported to the Credit Reference Bureau because 15 active credit accounts have opened in my name that I have no idea about,’” Mautaura said. “So, it’s about that centrality—how do you identify someone; how do you go through the validation that this is, in fact, the right person? I think this is the biggest challenge. And this is at the most simple level.”

The future focus, it seems, remains blurry: there is no agreement on the best way to tackle digital identities and cyber resilience, or even on who is liable if there is a breach.

  • Is it the incumbent? The fintech? Is it all of the above?
  • What kind of compliance frameworks should incumbents be considering, especially if it turns out they could potentially be held liable for a breach that may not even have happened at their end?
  • Will this level of interconnectedness obfuscate where the breach has actually occurred?

It looks likely the discussion will be ongoing for some time.