An Interview with Ashutosh Kapse, Head of Information Security, Technology Risk & Audit, IOOF


Disrupters and start-ups have challenges incorporating cyber-resilience with the speed of innovation. Although the paradigms may be different, each will have cyber-resilience challenges that need to be negotiated.”

For more than two decades, Ashutosh Kapse has dedicated himself to defending the integrity of Australia’s corporate cyber defences. He has long been a champion of organisational resilience and compliance, offering sage guidance to business leaders and corporate boards on matters of security and audit.

Kapse currently heads the information security, technology risk and audit division at IOOF Holdings Ltd, one of the oldest wealth management organisations in Australia.

FST Media spoke with Kapse to discuss the evolution of the threatscape over 2017 and beyond, and the growing importance of biometrics as a critical line of defence for consumers.

FST Media: Where do you see traditional financial services institutions (FSIs) in five years?

Kapse: Right now, as a general rule, I consider ‘customer focus’ more of a marketing term; organisations usually only pay lip service to it. In order for FSIs to survive the onslaught of technology-based disrupters, they need to be genuine and authentic in their customer focus. The whole organisation needs to be customer-focused, and the customer needs to be centre of the FSI universe.

I believe the future of this industry will be enhanced through human interaction, personalised service, and advice. The traditional FSI business will evolve into a ‘trusted advisor’ for clients. FSIs will use cognitive and AI technologies to deliver personalised and real-time advice tailored to individual customer needs and requirements. FSIs will need to provide personalised, tailored, and digitalised service, whilst maintaining a human rapport and touch. They will need to evolve and work closely with business partners and vendors to provide seamless financial experiences to their customer base.

FST Media: What cybersecurity threat looms large over FSIs/wealth management organisations at present?

Kapse: Cyber threats are a clear and present danger for financial organisations, irrespective of their size, business models, and whether the organisation is traditional or a disrupter. I see the following cyber threat actors looming large over FSIs/Wealth management:

a) Cybercriminals who are increasingly finding that cybercrime pays well and that people (both end-user customers as well as fintech employees) can be easily targeted by exploiting their naivety and gullible nature. It helps immensely that the cybercriminal can commit the crime remotely and does not need to be physically present in the vicinity of the target to commit the crime. Cybercriminals have realised that FSI/wealth management organisations have good cybersecurity posture and are increasingly gravitating towards breaching customers and end-users. People are the ‘softest’ targets for cybercriminals.

b) Third parties who have access to an organisation’s data/information, but do not have appropriate protection, thus unwittingly becoming accessories to cybercrime or causal factors in cyber breach.

c) Internal threats:
Accidental – internal employees through accident or negligence can cause cyber breach.
Malicious – internal employee acting out of malicious intent to either ‘get even’ or tempted to steal money.

FST Media: How important is in-house strategising for mitigating cyber security risks within the financial services sector? 

Kapse: It’s critical. Cyber security is about the continuous improvement of cyber-culture within the organisation. Business context is the starting point of any risk management effort. The FSI/wealth management sector is seeing rapid evolution. The shift to digitisation, personalisation, and the onset of technology disruption through blockchain, AI, data analytics, plus the move to cloud, means that security needs to be baked-in to all solutions; it can never be an afterthought.

Although implementation, management and, to some extent, responsibility for security can be outsourced, overall accountability for cybersecurity still lies with the organisation. The ‘big picture’ of cyber security is important so that security is not diluted by individual solutions and offerings. This makes cyber strategy a critical aspect of security; this can only be developed in-house. After all, no one knows your business context and business processes better than you do.

FST Media: What key challenges do FSIs face in developing resilience technology versus fintech disruptors?

Kapse: In terms of cybersecurity, both FSIs and fintech disrupters have similar challenges in developing cyber-resilience. As they move to faster adoption of newer technologies, both have an obligation to their customers to provide secure and risk-reduced offerings. Traditional FSIs have legacy applications that need to be made cyber-resilient; this can be challenge depending on the limitations of the legacy technology being used. 

Disrupters and start-ups have challenges incorporating cyber-resilience with the speed of innovation. Although the paradigms may be different, each will have cyber-resilience challenges that need to be negotiated.

FST Media: How do you see the ‘threatscape’ evolving in latter half of 2017?

Kapse: Through the remainder of 2017 and to 2018 cybercriminals will continue to try to exploit human weaknesses. This is considered ‘low-hanging fruit’ for cybercriminals, delivering maximum return on investment.

Although we currently face this threat, I believe we will see a marked increase in ‘impersonation’ fraud, where a cybercriminal impersonates a customer to divert funds from FSI/wealth management companies into their accounts. 

We will also see a big increase in what is termed as ‘credential-stuffing’ attacks. In this type of attack, the cybercriminal relies on users using the same password on multiple sites. The criminal buys leaked username/password combinations from the darkweb and then uses this combination on various sites. The success rate is estimated at about 0.2-0.4 per cent, which is quite large. For example, the Yahoo breach from last year yielded more than 200,000 successful attacks of this type on other sites. Implementing two-factor authentication throughout FSI applications will be a key deterrent against this type of attack. 

Although currently not common (being limited to nation-state actors), in the future we will see an increase in cybercriminals placing their operatives in key positions within the organisation, with the sole purpose of initiating cyber breach from the inside.

FST Media: How are developments in biometrics shaping the wealth management sector and FSI in general?

Kapse: A new security feature or solution only works if the solution itself is easier than the existing non-secure solution. Biometrics can make identity and authentication very easy and has the potential to integrate security seamlessly into all FSI business processes. A good example is the iPhone using fingerprint scans to authenticate users. This one feature has provided multi-fold enhancement to the security of mobile devices due to its simplicity and ease of use. 

There is considerable R&D in the multimodal and adaptive biometrics area, and such solutions will soon become mainstream. It is only a matter of time before the combination of a device camera, microphone, and touch sensors will be used to verify the identity of a person based on biometric identifiers such as face recognition, iris scanning, unique heart, and brain patterns etc. With impersonation attacks and identity theft increasing day by day, I believe biometrics has a huge part to play in securing our financial transaction systems into the future.

FST Media: How do you see blockchain changing FSIs over the next 18 months?

Kapse: To put it very simply, blockchain is a way to move and store blocks of cryptographically validated data that users can’t change. In other words, it creates a transparent and auditable digital trail that anyone can access, but no one can alter. Daniel Newman a technology author puts it very nicely: “Blockchain is a secure way of sharing, validating, or otherwise endorsing almost any kind of value point, be it money, titles, deeds, music, art, scientific discoveries, intellectual property, and even votes.”

Over the next 18 months, blockchain will start becoming more mainstream as vendors provide an easy way to implement it. I believe cloud-based blockchain will gather momentum and provide very easy implementation paths for FSIs.

FST Media: How will insight from analytics change risk management by 2018?

Kapse: FSIs have been using analytics in risk management for some time now; it isn’t something totally new. At the same time, advancements in AI and behaviour analytics will give risk management more strength. The advancements will offer opportunities for risk management to reduce time, effort, and costs involved in compliance management, as well as offering pre-emptive fraud mitigation techniques.

FST Media: What would you like to see develop from IT innovation over the next five years?

Kapse: Personally, I would like to see faster evolution in biometric technologies. Biometrics is the key to reducing cyber security risks and preventing fraud. Cybercriminals are targeting individuals as they are considered ‘soft’ targets. Biometrics will be able to thwart impersonation attacks and provide assurance to customers ensuring that only legitimate transactions are authorised.

FST Media: What do you most enjoying doing in your spare time?

Kapse: It gives me immense satisfaction to be able to give back to society and add help the needy people within the sphere of my influence. I am currently a board member and chairman of the Risk & Compliance Committee at SCCVic, the largest not-for-profit aged care organisation in Victoria. I am also a board member of the Melbourne chapter of ISACA, a body of professionals working the security, audit, and risk domains.

I also play club cricket and take great pride in mentoring youngsters on the team.