Better safe than sorry
Data is a sensitive asset. The protection and security of data is a top priority for SIX. Thomas Koch (Chief Security Officer), Jochen Dürr (Chief Risk Officer) and Thomas Aregger (Head Compliance) tell us in an interview how SIX can enhance its data protection in a changing technological environment and protect itself against cyber-attacks.
How important are data protection and security at SIX?
Thomas Koch (TK): They are very important. I like to describe this importance by using the term data integrity. The data we store must be protected against unwanted modification, with access being prevented. This data must, of course, be available at all times, and confidentiality has to be ensured.
Jochen Dürr (JD): When assessing risks, the subject of data security plays a crucial role. We continuously analyze which solutions help us to lower our risks regarding data security.
Thomas Aregger (TA): Besides purely technical security requirements for the protection of data, there are also legal standards that we must adhere to. Internal rules and regulations set out how employees must handle data and information. We are also constantly automating processes to ensure that the daily actions of employees comply with statutory requirements – and of course also with the contractual agreements with our business partners.
Some of the services rendered by SIX are systemically relevant. How vulnerable is SIX today?
TK: We are exposed to the risk of external attacks. That is one of the reasons why we have entered into a partnership with IBM. Together we are building a Security Operations Center (SOC). The SOC uses IBM’s “Watson” artificial intelligence and serves more than just our security. We also aim to partner with IBM to offer the SOC centrally to smaller and medium-sized banks that cannot afford the high cost of defensive systems. By doing so we could boost the overall security for the financial center. We also provide intensive support for teaching and research in the field of information security. Our partnership with the Zurich Information Security and Privacy Center (ZISC) at ETH Zurich focuses in particular on cybersecurity and innovation in the cloud.
How important are cyber risks for an organization such as SIX?
JD: In my view, the importance of cyber risks will grow significantly over the next one to three years. Security, stability, and availability are core elements of the mandate at SIX. That is precisely why recognizing and managing IT and cyber risks is such a high priority, and one of the main reasons behind our decision to bring closer together our risk and safety functions and to place them under common management in order to strengthen Group-wide cooperation.
Everyone is talking about the cloud. Is a cloud an option for SIX? And if so, how will SIX ensure data security?
TK: The use of a cloud must always be reviewed on a case-by-case basis. Depending on the individual circumstances, a secure and well-managed cloud offers clear benefits for SIX and is therefore a realistic option to enable the processing of data in a more flexible manner (e.g. Office Suite). Stringent and automated data classification and higher protection mechanisms in the cloud would allow us to improve data availability and thus achieve greater flexibility for users. This would make it possible, for example, to speed up the connection of international subsidiaries to SIX.
What requirements must be met to do that?
TA: Several legal questions must first be clarified before it is possible to even consider the use of a cloud solution for certain types of data processing. It is important to emphasize that we must always check carefully which data is in fact eligible for processing in the cloud. Certain data, such as that of supervised Group companies as well as customer data, must never leave our company boundaries. That is why such data would remain on our systems. In addition, the use of a cloud must be approved by the competent supervisory authorities. SIX has contacted the supervisory authorities in Switzerland, as well as those in other countries in which SIX operates, to clarify these questions.
TK: One of our requirements is that our data is encrypted and stored separately from other data in the cloud. Only employees of SIX may have access to our data, and only servers in Europe can be used to host data. There are, of course, a number of further security requirements. If these were met, a cloud-based solution would meet our strict compliance and security requirements.
JD: The public’s perception of the cloud often leads to false conclusions. The cloud is not a diffuse, uncontrollable entity. On the contrary, the way we would use the cloud would boost security, because large and specialized providers of cloud solutions are able to spend much more on the daily protection of data and on security-relevant improvements than an individual company such as SIX. Overall, a cloud solution would therefore allow us to lower our security risks.