Why UnionDigital Bank invests in an AI-driven approach to cybersecurity

The data-reliance of digital banking means an AI-driven approach to cybersecurity and risk management is integral to success, UnionDigital Bank CISO Dominic Grunden tells CSO. For him and his team, this took on greater significance given the speed at which UnionDigital Bank was created to empower the Philippines’ digital economy. The bank enables the Filipino people, communities, businesses, problem solvers, and regulators to leverage digital banking, fintech, blockchain, and open-finance technologies. It was established in just five months, a timescale unheard of in the banking industry, Grunden says.

From the get-go, Grunden recognized the need to adopt an AI-first security policy to keep pace with both the unprecedented growth of the company and the complexities of the digital banking sphere. Key to achieving this has been a seamless relationship with the firm’s Chief Data Officer (CDO), Dr. David R. Hardoon. Working together, the two used autonomous technology to instill a “truly holistic” AI-enhanced security and risk management strategy.

How AI-driven cybersecurity enables UnionDigital’s banking needs

The proliferation of digital financial technology is big in the Philippines, as is a growing demand for and reliance upon cryptocurrencies and other payment methods, Grunden says. “This presents digital banking with an unprecedented opportunity, but at the same time it heralds a new age of digital crime. I say that because it’s one characterized by a complex interconnectivity and undefined geographies. It’s not like a traditional bricks and mortar bank; we don’t technically have borders.”

The biggest challenge in the digital banking space is that the threat landscape changes quickly, and criminals are constantly evolving, using more electronics, and getting more sophisticated, Grunden adds. “They’re impersonal, they’re complex, they’re interrelated, and they’re leveraging data and advanced techniques that humans cannot keep up with.”

That’s what drives UnionDigital Bank’s AI-first security focus, Grunden says. “We need to be able to keep up – to be both defensive and offensive at the same time by innovating to protect our customers and their data. AI has given us that mechanism to feel like we are keeping up with the pace of the industry, where we can also understand the behaviors and motivations of individuals, consumers, detect criminal activity quicker, and advance our collective capacity to fight and repel financial crime, because ultimately, that’s what it comes down to in the digital banking space. I have a firm belief that digital banking is going to be more than just finance; we’re going to be the custodians of customers’ data. There is going to be a need for faster risk decisions such as real time blockage of payments and detection of fraud, and we’re going to have to detect breaches quicker and respond to breaches faster,” while also meeting higher expectations around consumer experience as digital banking becomes more pervasive.

AI’s potential for data transparency its key security, risk management quality

Data transparency is key to achieving this, and AI’s capability to deliver vast, accurate data pattern analyses is its chief security benefit for UnionDigital Bank, according to Hardoon. “AI is fundamentally about identifying patterns and/or irregularities in patterns, and through that the ability to offer a hyper-personalized service that can recognize abnormalities. To me, the premise of security, governance, compliance, and crime prevention is part and parcel of serving the customer. That’s the goal and embedding anything and everything from a defensive line point of view that necessitates data implants a dynamic understanding of behavior that helps to better manage risk,” he says.

Grunden concurs, adding that this transparency of data also offers diverse viewpoints around threat patterns that can be understood and used to identify potential new risks based on trends within the digital banking perspective, lowering the cost and time to detect and respond.

Hardoon cites an example of when he was asked to use AI-powered data analyses to help predict non-compliance before it occurred. “Again, this was all about establishing if there was a pattern and asking if we can learn from it. Sometimes the answer is no, but in this case, we were able to predict the likelihood of non-compliance some two or three months ahead of time.” He admits the term “likelihood” is important here because there is no way to 100% guarantee risk, but if you can say that there’s an 85% chance of non-compliance, it allows you to shift from only being able to react once it occurs to taking preventative measures ahead of time. “In a way, it lets you create a capability that you want to eventually be proved wrong because it allows you to put every control and measure in place to make something much less likely to happen. That’s a real shift in risk operation – using data and leveraging on AI to find something that might happen, so you can put in place preventative measures to make sure it doesn’t.”

This allows UnionDigital Bank to enhance its attack and threat prevention capabilities, moving from merely “catching the idiots” that fall into simple traps to implementing a more sophisticated way to stop attackers that are using their own autonomous technology to carry out malicious campaigns. “Attackers are getting far more sophisticated than we may want to acknowledge,” Hardoon says. “The systems we put in place go beyond that, and we think in terms of better service for customers and more relevant and heightened defense. Ultimately, I think this needs to be an industry-wide approach.”

Grunden reflects on plans to go one step further. “We’re definitely pushing the envelope, and a lot of that comes down to the maturity of the security function, despite the fact that we’re a new bank.”

Excitement and alignment integral to AI security success

Grunden says he and his team are motivated by an excitement about AI’s potential to enhance their cybersecurity strategy, something that plays a key role in their collaboration with Hardoon’s department. “We look at what AI solutions David’s team either currently has in place or what can be built to enhance things, because we might be buying a product that’s ‘out of the box’ but not good enough for us. We want to go above and beyond, so we leverage AI to create enhanced capabilities and push the envelope on the products, services, and platforms that we buy.”

Grunden’s team works in close collaboration with Hardoon’s especially in areas where AI plays in and how it can make things better, he notes. “I’ve never had that same level of excitement and engagement in previous organizations I’ve worked for,” Grunden adds. “It’s also about keeping that excitement for an AI-first policy there so that we can use the technology to make security our own, and my staff fully embrace that.”

Both Grunden and Hardoon believe that true AI-driven cybersecurity must be holistic, a concept they are passionate about ensuring is in place at UnionDigital Bank. This means operationalizing end-to-end application of AI with regards to cybersecurity and risk management.

AI is still evolving with challenges to consider

This strategy does not come without challenges – or at least important factors that must be considered – Grunden and Hardoon agree. “One of those is a higher call for talent in relation to AI and cybersecurity,” Grunden says. “Currently AI technology is still in the early stages, and so the cost of creating a talent pool that is very good with both AI and cybersecurity is high.”

There’s also the fact that AI can benefit attackers in certain ways if it’s not well understood, implemented, and used, he adds. “Then there’s the old cliché that more data creates more problems, and while I don’t suffer from this at UnionDigital Bank due to the way our CDO has structured data, it’s generally an issue in that you are required to entrust data to third parties. That would be more of a challenge if we were based in Europe with the GDPR to consider, for example. Lastly, if there’s room for human error in how AI is deployed, you can still be vulnerable to mistakes.”

From Hardoon’s perspective, the main point of consideration in applying AI to security and risk management centers around establishing a definition of what “good risk” is. “Of course, there is always risk, but AI makes the questions a lot more acute – i.e., how much risk is okay? It can tell you up front your risk levels, which is very different from an operational perspective whereby you, in hindsight, detect that you’ve missed something, because x, y or z happened downstream. So, if you decide you don’t want to accept the level of risk presented to you, it can impact the businesses operationally moving forward, so there does need to be careful consideration about how to best leverage on the output.”

Ultimately though, the benefits of AI in cybersecurity far outweigh the negatives or the challenges for UnionDigital Bank, Grunden says.

AI will be more critical to cybersecurity than many think

Looking forward, Grunden thinks the need for an AI-driven approach to cybersecurity is only going to increase for the digital banking sector and beyond. “It’s going to be more critical than many experts think,” he says. “In my opinion, AI will be pulled into some type of security standard in the next five to ten years, whether that be an ISO standard or something else. For digital banking specifically, I also believe there’s a very solid chance that it may become illegal or a form of regulatory non-compliance if an organization is not using AI in their cybersecurity. I think AI will be a catalyst for determining whether the digital banking industry can keep up with the threat actor community, and I can see a time when we’ll have ‘good AI threat hunting bots’ working against ‘bad bots’ changing on the fly depending on the threat landscape.”

Hardoon concurs. “AI simply needs to be a staple component of cybersecurity defense. If not, you’re just going to get clobbered – maybe not now, but someday.”