As Brazilian regulators push to create an open banking system to help drive competition and convenience, some market experts are raising red flags on the cybersecurity challenges it will create for a financial industry already under siege.
In April, Banco Central do Brasil laid out guidelines that effectively require financial institutions to share key client data with certain third parties, including financial technology startups, product aggregators and some nonfinancial companies such as Uber and Google. The hope, the central bank said, is that open banking will improve efficiency in the financial system "by promoting a more inclusive and competitive business environment," as third parties will be able to build applications and services around data to provide price comparison and other tools to consumers.
But it also requires that key information move beyond banks' well-guarded firewalls, which some believe creates weak spots that can be exploited by cybercriminals. And while the regulation is meant to complement Brazil's new data protection law, which mirrors some of Europe's strict privacy standards, that legislation does not come into force until next year.
In a recent report, S&P Global Ratings said it expects the open-banking rules to spur a dramatic increase in the sharing of customer information between financial institutions and third-party providers, and as a result to create "substantial risks" for the Brazilian banking industry from potential data leaks and fraud.
"It's a new way of doing business which will bring new risks because information will be widely shared," Marta Helena Schuh, head of cyber insurance for Brazil at Marsh, said in an interview. She noted that while banks are well prepared to control threats within their own systems, many new third-party providers who will now receive some of their data are not.
"Third parties are a big issue in Brazil ... They do not have minimum security standards," she said. "This is very serious."
In releasing its guidelines, Banco Central do Brasil said that its open-banking plan would preserve data "security and the protection of consumers." But some argue that is easier said than done.
"The banking perimeter no longer exists," said Flavio Gaspar, the Brazil-based head of products and innovation at Diebold Nixdorf. "[Open banking] widens the attack surface for cybercriminals and forces the industry to be much more alert and resilient."
Among the issues is that open banking entails disaggregation of services, which gives banks a more "limited view of the overall activities of their customers, making it harder to identify unusual or suspicious behaviors," according to a report from Deloitte.
The new potential vulnerabilities come as Brazilian financial institutions are already bombarded by cyberthreats. Diebold Nixdorf's Gaspar estimates that on a daily basis, the country's financial system fends off some 15,500 cyberattacks and 500 new malware threats.
"Brazilian banks are still fighting against very sophisticated attacks," he said, but "the financial sector is losing this war."
When contacted by S&P Global Market Intelligence, Febraban, the Brazilian banking association, stressed that the open-banking initiative is still in the early stages and that the legal and technical framework is still being refined. Any open-banking participants, it added, will have to be "authorized and regulated in order to establish rules, standards, the capture of client consent, and adequate use of shared information."
But while the framework in Brazil continues to take shape, some parts of the open-banking concept are already on the rise. So-called superapps, which aim to coalesce the vast majority of a user's financial and nonfinancial services into a single mobile interface, are quickly gaining popularity with online banks, while Banco Bradesco SA, one of Brazil's largest banks, is currently building its own platform.
Rethinking cybersecurity
As open banking in Brazil further expands, both Schuh and Gaspar said banks should re-evaluate how they allocate their technology resources. Brazilian banks spent about 19.6 billion reais on technology in 2018, including some 2 billion reais on cybersecurity-related IT, according to a Febraban study.
While that spending is substantial, some experts note that the bulk of it is focused on internal systems and not on the types of attacks that open banking could create. More than 90% of broad-sector Brazilian enterprises allocated cybersecurity resources to firewall and antivirus tools in 2018, according to a survey by Marsh, while only about 36% invested in intrusion tests and monitoring.
Diebold Nixdorf's Gaspar advocated for "a new approach" to combating cyberthreats, focused on both prevention and peer-to-peer cooperation among institutions. Schuh, meanwhile, said banks should focus more on shielding apps and interfaces that operate outside of their firewall. "That is where they don't have any control," she noted.
The insurance executive also pointed out that even if data is breached outside of a bank's purview, the bank could still be on the hook.
"Most banks think they are covered by including unlimited liability clauses within the [insurance] contract," she said. But that's not always the case, and banks still may be forced to "take on the resulting cost even if they are not the ones responsible for the leak."
As of July 17, US$1 was equivalent to 3.76 Brazilian reais.