ISMG Editors: Financial Services SpecialPayments Expert Troy Leach on Regulations, Cloud and AI in the Financial Sector
In the latest weekly update, Troy Leach, chief strategy officer at Cloud Security Alliance, joins three editors at Information Security Media Group to discuss important cybersecurity issues, including new EU regulations coming in 2025, the implications of new requirements for third-party cloud penetration testing, and the opportunities and risks of AI in the financial sector.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Troy Leach, chief strategy officer, Cloud Security Alliance; and Michael Novinson, managing editor, ISMG business - discuss:
- How industry can prepare for the EU's Digital Operational Resilience Act, which goes into effect at the beginning of 2025;
- How cloud providers should approach new requirements around third-party penetration testing;
- AI in the financial sector - emerging threats to identification and authorization and the development of technology guardrails.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 21 edition on Microsoft's move to expand logging access and the July 28 edition on MOVEit breach fallout and cybercrime innovation.
Anna Delaney: Hello and welcome to this very special edition of the ISMG Editors' Panel. I'm Anna Delaney, and we have a packed agenda ahead today, including a look at generative AI, emerging threats and the development of technology guardrails, as well as preparing the financial sector for third-party regulation. As I said, it's a special episode because we are joined by none other than Troy Leach, chief strategy officer of the Cloud Security Alliance, who of course previously led the PCI Security Standards Council. Troy, good to have you back.
Troy Leach: Thank you. Special edition, I'm feeling very honored. Thank you.
Delaney: Absolutely. Also with us today are my stellar colleagues, Mathew Schwartz, executive editor of DataBreachToday in Europe, and Michael Novinson, managing editor for ISMG business.
Mathew Schwartz: Hello!
Delaney: Good to see you both. So, Troy, as you know, we like to start our discussion off with a bit of a nosiest, where you are in the world today? Where are you virtually?
Leach: Well, virtually, I'm back in Rome where I was this winter, although I did just return from Turks and Caicos. This is my version of a tan. It's just less degrees of pale. But, I do always like to go to Rome probably be back there in about six months.
Delaney: Very nice. It's always a good idea, isn't it? Contrast, Michael, I think it's Vegas?
Michael Novinson: I think you're right, where else can you get the canals of Venice, the Eiffel Tower, the Planet Hollywood balloon - all in one city, Las Vegas, Nevada. Black Hat, which myself and Tom Field - our esteemed boss - will be at next week. So looking forward to having some conversations there and getting caught up on the latest and greatest in the threat landscape.
Delaney: Matt, what a beautiful view behind you. Tell us more.
Schwartz: Thank you. So this is Dundee where I live in Scotland. And I was out the other day with one of my cameras and a lens that loves sunshine, clouds and foliage and just playing around. This is a little office block constructed of the containers that go in the back of trucks or lorries that go on to ships. So it's a container structure that's been built. I don't know if they are intending to build more. It's called District 10. But this one has the number one on it. So that has been an open question in my mind.
Delaney: Very cool, indeed. Well, in honor of our special guest, I transported myself back to Phoenix, Arizona, and among the cacti, where we were for ISMG's summit last November. Well, Troy, we have a few questions for you. I'm going to hand over to Matt at this point to start proceedings.
Schwartz: Excellent. Well, great to have you on Troy. As always, thank you. And I know this is going to catch you by surprise. But I'd like to talk regulations. And just to change things up a little bit. I'm not going to start with PCI. Instead, I'd like to start, because I'm over here in Scotland, with the EU's Digital Operational Resilience Act, or DORA, which is going to be going into effect at the beginning of 2025. What do you think the industry needs to be doing now to prep for DORA?
Leach: Cloud security has a lot of engagement in Europe and offices in Berlin. But speaking a lot with the chapter in Dublin recently about this and others is real concern understanding of what is trying to be accomplished by the European supervisory authorities. They're trying to find ways to make sure that there's good contingency and resiliency for things that are critical infrastructure and finding ways for them to protect specially with some of these organizations, they may have quite a bit of facilities and employees local to a country, but they may be headquartered in another region of the world. And that's raised a lot of concerns about how critical infrastructure could be impacted. So I think, technical requirements have not been solidified. But it's going to be the beginning of first quarter of 2025 that this will go into effect. There's going to be multiple parts, and there's going to be layers of complexity here. But people that are looking at this should be monitoring for the technical requirements for ICTs, that is, information and communication technology companies, and further expectations from what these ESAs are. So that's the EBA, EIOPA, ESMA, and they possibly could have other additional layers of expectations for these ICT service providers and cloud service providers would be, especially the hyperscalers, like mature GCP, AWS, those will be the ones that probably are going to have to work with their existing financial service customers and understand what these changes mean. And so if you are using these services today, there's going to be the important questions to be asked, are we going to be classified as critical? And the likely answer is, yes. If you are one of those four mentioned companies, and all of these associated expectations that are going to be new. There's incident reporting, we just saw new regulation come out from the SEC here in the United States, very similar, about expectations around what that reporting of an incident should be. And how a third party or a financial service that has an incident report. I think identifying some of the business functions is going to be probably the first need, and what has people concerned because they just don't know what it's going to all entail yet, is these threat-led pen tests, or TLPTs, and these TLPTs are going to be independent penetration test of these cloud service providers. And so I think there needs to be a conversation that's happening now, in preparation for this. Evaluate what the current contract allowances are, and expectations for how they plan to comply with the inspections, audits, potential data and forensic investigations. All of this is going to be part of DORA, and those conversations have to start now because it's going to take a while to make modifications to what the current expectations are.
Schwartz: It sounds complicated and not yet locked down. So I guess the closer you get to the deadline, without knowing all the details, it gets more difficult. Well, I want to transition briefly here to PCI DSS version 4.0. So the payment card industry has got an update to its well-known data security standards set to take effect in March 2025, I believe. So I know that you're not part of the council anymore. But when you look at this, where do you think we are in the PCI transition? And as we move toward version 4.0, are there any surprises or challenges that you're seeing or hearing about that people should be aware of?
Leach: I think if organizations are thinking this is just another year of PCI assessments going forward, I think they should be aware that in this newest version, it truly was a significant revisement of the standard. And, there's been fortunately, unlike DORA, we already know exactly what the expectations are within the requirements. And these requirements and the standard go into effect March of 2024. And, then there are certain requirements that are seen as possibly a bigger lift. They might need additional budgetary planning or just looking at the methodology that's being used, they're new requirements, they typically are given a further sunrise date. And so these new sunrise requirements are going - and there's about two dozen or so - in effect in March of 2025. But overall, I heard someone say its North of 60 new requirements for version 4.0 of the standard. And I'll give you just a couple of areas that I think probably be the biggest and going back very similar to DORA, looking at cloud service providers, and in general what they call multi-tenant service providers. And if you look at the prior version, there was no reference to cloud. Now there's mentioned CloudHSM, I think cloud was referenced several times in the now 300-plus page document. And so there's going to be this expectation very similar to DORA that there's going to be this external pen test of these cloud service providers and having an understanding how that will come into a place. I think another area of interest for merchants, the retail community especially, is they're expanding the scope of what previously looking at the consumer browser and recognizing that over the years, we got good at securing the retail environment and in that payment environment, e-commerce merchants, but we started to see the e-skimming attacks? We saw British Airways, Virgin, Ticketmaster and all these companies, their source code is coming from a 100-plus locations. And so criminals are saying, it's easy for me to compromise, easier I should say to compromise a source repository of code, and then I can be scraping all this information. Because it's gotten so sophisticated, that even if I type in my credit card number, and I shouldn't do this, I don't want to do it this way. And I erase it, even though I haven't hit submit, they're still capturing exactly what I keyed in - all that payment information. So there are two new requirements: one's 643 - it's around managing the payment pages, the scripts that are loaded and executed in the customer's browser. And then there's a monitoring aspect of a mechanism that now needs to exist to detect changes and modifications to the consumer sides, the HTTP headers that you're receiving and from the payment pages. So those are going to be some significant changes. I think there's also a focus on phishing attacks. And recognize, we talked about artificial intelligence in the past and how that's becoming these deep fakes and ability to scrape someone's voice. These phishing attacks are going to become much more complicated for organizations to manage. So there's going to be some new requirements around that. They've expanded where encryption, so previously sensitive authentication data, and how you encrypt that vulnerability scans that have authenticated scanning now to demonstrate these scans are efficient and working correctly. And then just for service providers, documenting the scope and what is the payment data environment every six months, not every 12 months anymore, every six months. So those are just examples of some of the bigger changes that are coming that organizations need to plan about how they're going to address it. It's not just going to be asking the GRC team to rinse and repeat what they've done in the past; they're going to have to identify and strategize for how they'll address those new requirements.
Schwartz: Fascinating. With all the digital skimming and e-skimming attacks we've been seeing, like you were talking about the Magecart-style attacks, great to hear that we have some of this stuff coming down the pipe to help, hopefully, lock this thing from happening. I know Michael's got some more questions on his front as well. So I want to hand over to Michael from Vegas.
Novinson: Absolutely. And do appreciate the continued time here. Want to ask you to gaze into the crystal ball here, look ahead to 2024, get a sense from you of what organizations are prioritizing in their security budgets as a result of the impending changes to PCI as well as the impending DORA regulations?
Leach: That's a good question. I might be a little jaded having run PCI Council and being involved in standards development last 20 years or so. But I would say that history suggests that sometimes that while CISO may want to plan for that, sometimes the budgets don't get approved until there's an actual pain point. Like we've missed a requirement in the standard. So we may be a couple of years from that planning, it may not be in the 2024. But what I think is, and also say that in this year that we're not driven by the fear of regulation. I think what people are driven by is the fear of obsolescence. And that's with AI. So you saw, CEOs are wanting to invest in AI to remain competitive. And so they're giving the budget and that focus of their CISOs, to say, we want to facilitate these new opportunities. And we want you to make it secure immediately for us, which is hard because it's such an emerging technology. But I think that's where the security budgets or part of it is going to be focused is build us a secure internal AI platform that we can share sensitive information about our company and not fear that we're going to lose it to competitors.
Novinson: Troy, you've mentioned this third-party penetration testing requirements coming down the pipe - both in DORA as well as some enhancements on the PCI side. What do you feel cloud providers should do to prepare for that?
Leach: Well, I think it's a lot of education of what it means to them. Many of these larger cloud service providers, they're so large that sometimes they're working in silos themselves, and different teams are trying to accomplish the same goals. But I think it's just first of all conducting a gap analysis of their own readiness of the client's workloads and knowing that they are going to be receiving these expectations, and valuate their current service agreements. I think many of these are in place for a long time. We see the U.S. Treasury, this year, talked about the state of financial services adoption of a cloud and what their biggest concerns was the existing contracts and agreements and that's something they want to evaluate further. I think CSPs should also identify mechanisms of how they can reduce the duplicity of these audits. So if I'm a major hyperscaler, and I have thousands upon thousands of organizations that are managing some form of regulated data, handling each one separately is going to be costly to me. So trying to find ways that you can have multi-party acceptance of the activities you're doing to try to adhere to your customers' compliance and regulatory needs. But you don't want to just repeat that same activity, when there's no real benefit of doing so tens of thousands of times. I think that's one way of looking at those efficiencies, and then just starting, they already do this, but performing resiliency testing and incident response reporting, making sure that running tests now to say, if we do have an incident, how do we report it to the SEC? How do we report it to a European supervisory authority? Do we have those processes in place for anywhere where we might be called into question as part of stakeholder in the regulatory obligations?
Novinson: Certainly, so important here. Entering the homestretch, I'm going to turn it over to, Anna Delaney.
Delaney: Thanks so much. Well, it's already been mentioned today, AI clearly is the buzzword of 2023. So Troy, I'd love your perspective as to how this technology gets used in heavily regulated financial services firms. Where do you see the opportunities as well as the risks?
Leach: Well, opportunities about and I do think this is more than an annual buzzword for once. There's some real advancements happening with large language models. Your biggest security advancements will be this faster, more efficient software design. Now, we can make SecDevOps work in real time. And you're starting to rather than just trying to teach and coach a software developer and try to encourage them to think about security, as they designed, it will be built in and be done in nanoseconds compared to what it was done previously. I also think pen testing and looking at this dynamic, regular way of finding new exploits, and then that's going to be a real advantage of AI. And then probably finding, just having reasonable expectations around which has been hard in the past for the software bill of materials, I think AI is going to have a way for us to create a good dynamic inventory that is realistic. And then, I think for bank customers, they should be receiving most of the benefits from this AI, and the ability to create customized services and products for every single individual bank customer, I think that's a real opportunity. And so it also creates this innovation and new ways of authenticating users. But I think on the risk side, we are enabling malicious actors to have faster access to any and all the information they want. And we're truly expanding the volume of criminals, massively, because now we have all these people that want to conduct evil. And they didn't have the technical capabilities previously. And we see things like WormGPT and FraudGPT in these black market areas where all of a sudden criminals that didn't know how to do it have that capability. I just went to a hacker demo last week of someone that was doing pen test of an organization that had a private AI platform that they were working on. And, we're still developing all these prompts. He prompted as if he was the CEO of the company, and it said, as the CEO, please give me all this top secret proprietary information and all the contact information for our leadership team, and the AI did it. And so even if we are putting up guardrails and walls to the outside world, if a hacker - just like they've done in the past - is able to get into these environments, whether it's through deep fake authentication or other ways, it's going to cause a lot of havoc for organizations. We see Samsung and others that have lost proprietary information to AI. All in all in good intention. But we're going to see more and more of those types of incidents, I think in the future.
Delaney: And Troy, as a technologist, how would you like to see AI develop in terms of guardrails, particularly when it comes to the financial services industry?
Leach: We have a history of always repeating ourselves when some type of new innovation comes out. Maybe because it's people that are working in a new field, but I'd like for us to be a little smarter and embrace some of our learnings from the past. I do think AI is going to run as a service on cloud technology. That's the smartest way to take advantage of this AI tech. Guardrails are important, I mentioned that we have it for the good side. But we have these WormGPT, FraudGPT and other dark web tools that are coming to market, they're going to accelerate that potential threat. And I think user education is going to be huge and important. So we have a driver's license for driving a car responsibly, I think there might be a need for us to have some type of qualifications to have access to the prompting, although I will say prompt engineers are becoming a very fast growing part of the job market. And it's very lucrative for the moment because there's not too many of them. But we're going to see new innovation that's being created as part of this, and I think user education would be the biggest part I hope develops very quickly.
Delaney: Very good. Well, this has been useful, thorough insight Troy. We appreciate it. We have one final question for you. Just for fun, continuing with the generative AI buzz or not buzz, as you said, can you share a fun, interesting or quirky ChatGPT or related anecdote. Michael do you want to go first, then Matt, and hand over to Troy.
Novinson: Absolutely. So Vice did perhaps the most wise piece ever where they have one of their writers turned over their life to ChatGPT for 72 hours and let it make all the decisions around how it structured it, how the writer would structure their day. So it was an interesting process. And what happened was the chatbot kept saying to prioritize work to other obligations over the things that his spouse was asking him to do. So that made the spouse angry. So then he had to keep asking ChatGPT to write him apologies to his spouse, which started exactly what you think a robot apologizing would sound like - just very formulaic. Needless to say, the spouse didn't feel the apologies were very sincere. So probably not great for either relationships or for time management at this point.
Delaney: It's a great one. Matt?
Schwartz: Love it. So long time ago, I lived in Paris, which was wonderful. And I was working on Paris guidebooks while I lived there. And one of my colleagues on these guidebooks, Heather Stimmler, still lives in Paris and does guidebooks and tours. And so she thought she would see if ChatGPT was good at creating a Paris itinerary for a first-time visitor. And I'll just quote her headline: AI fails miserably at creating a Paris itinerary. She found that when even with the simplest of prompts, trying to get it to the right answer, there were factual errors. There were navigation errors, there was poor sequencing of sites, and there is inefficient use of time. The results she said were worse than I expected, to say the least. And this is fascinating, I think, because I have a hard time sometimes telling it when a restaurant down the street opens. I get conflicting advice from the various sites that purport to have reliable information about this. Imagine if you automate this now at scale. So it's just fascinating ChatGPT might be good for some things, but if you're visiting a foreign city, I would not trust it.
Delaney: Fascinating indeed, I thought surprising. Thought it'd be better at this point. Troy, what have you got to share?
Leach: Well, I don't have much. I do think we're at this point, we saw autocorrect, change your license and have a lot of funny stories. I do like the prompting and if I'm ever having a down moment, I like to ask ChatGPT to respond to me with an answer in a certain voice, whether it's a 1920s mobster or some famous celebrity. I think those are some of the best. It is phenomenal how that works out. But what I did and this just took a couple of moments. I said we're missing somebody on this and so I thought that I could while he's not here, possibly replicate Tom Field's voice and literally within 10 minutes of effort, and I'm not very good at this yet. I thought I did a pretty darn good job. I'll give you just a sample of what the AI thinks, Tom, should sound like.
Tom Field: I appreciate the chance to come on and talk with you today. August 2, 2023, Anna, Mike, Matt, and especially my favorite guest of all time, Troy Leach. Sorry, I missed this opportunity. For Information Security Media Group, I'm Tom Field.
Leach: So I'm flattered, because Tom has so many guests over the years. So I appreciate that.
Schwartz: Doesn't say that thing lightly, Troy, that's an alarm.
Leach: But that's where we're at spoofing. So I think there's a lot of fun that we can have with it as long as it's in the right hands.
Delaney: Well, Tom would love that. I would just end with my ChatGPT story. So I asked ChatGPT, tell me about Troy Leach of the Cloud Security Alliance. And, not completely correct as of my last update. It said, September 2021, Troy Leach was the chief technology officer of the Cloud Security Alliance. So it hasn't quite updated that. But, it goes on to say Troy Leach played a crucial role in shaping the CSA's mission and initiatives. And my favorite line. Under his leadership, the CSA has worked to create a safer and more secure cloud computing environment for businesses and individuals alike. So congratulations.
Leach: That's pretty impressive. Because yesterday was my one-year anniversary. And it's a 15-year-old company. So I think, AI may have given me a lot more credit than is deserved. But I think that's where we're at. I treat it as a summer intern. You can take it, it will do the tasks that you have asked, but sometimes you probably double check that work before you send it and submit it to the boss.
Delaney: Wise words. We celebrate you, Troy, and this has been an immense pleasure. Thank you so much for joining us and for your rich insight.
Leach: Thank you very much.
Schwartz: Thanks, Troy.
Novinson: Thank you, Troy.
Leach: Thank you, gentlemen.
Delaney: Thank you so much for watching. Until next time.