Banking system faces cyber threat

August 2014  |  FEATURE  |  RISK MANAGEMENT

Financier Worldwide Magazine

The dawning of the digital age has had a transformative effect on many facets of life. One landscape on which the impact has been most notable is that of the business world, and the banking sector in particular. Virtually every facet of the banking sector has been transformed in some way thanks to the genuine and lasting impact of the digital age. From every day retail transactions involving the general public to enormous market operations, the worldwide banking system has been revolutionised.

Financial institutions increasingly rely on third parties and digital solutions to carry out their business. A number of significant changes have occurred in recent years, from customers and staff conducting a multitude of transactions on their own internet connected devices, to banks utilising third party cloud services. By embracing these and other innovations, banks have transformed many aspects of their business for the better.

Yet despite all of the positives, there are also many negatives arising from the pervasive nature of digital technology in the banking industry. Most notably, cyber crime is not only rising, it is currently thriving. Reports suggest cyber criminals have illegally accessed more than half of the world’s top 50 banking websites over the course of the last decade and are responsible for around $1bn worth of losses per year from the banking industry. Criminals, hacktivists and some nation states are now exploiting the speed and scope of the internet and are employing it as a powerful and damaging tool, with the banking sector a key target for many. To that end, the US Director of National Intelligence ranked cyber crime as the country’s top national security threat, placing it above terrorism, espionage and weapons of mass destruction.

No matter the sector, cyber crime can have a damaging effect on business. For financial institutions it can be particularly destructive. In late June it was announced a new Trojan campaign resulted in the theft of over €500,000 from one European banking group in a little over a week. The attack, which took place in January, stole deposits ranging from €1700 to €39,000 from customers based predominantly in Turkey and Italy. The attack, according to cyber security firm Kaspersky Labs, utilised an entirely new piece of malware, known as Luuuk.

As demonstrated by the Luuuk attack, the financial implications of cyber crime are obvious. However, losses from attacks are not always restricted to financial assets and intellectual property. Following a cyber attack, it is not uncommon for the market and customers to quickly lose confidence in a bank’s entire operations. Indeed, reputational risk is often one of the most detrimental consequences of a cyber security failure. According to Japanese IT firm Fujitsu, cyber security has the potential to become a genuine competitive differentiator for UK banks. Customers are generally unforgiving when it comes to mistakes that jeopardise their money, with one in four claiming they would switch banks following a failure of their bank’s IT systems. Furthermore, a security breach which leads to the loss of personal information could result in seven in 10 customers opting to switch banks. The importance of getting cyber security defences right is clear.

The elevated status of cyber crime in the global consciousness has been borne out of necessity. Cyber criminals are constantly developing new and increasingly sophisticated tactics, and deploying them quickly throughout their networks. As the mechanisms of cyber crime become more refined and nuanced, more needs to be done to combat their effect. Governments have attempted to introduce new legislation and guidelines. Companies have enhanced their internal compliance programs to check and mitigate the rise of cyber threats. Yet the particular methods of fighting cyber crime remain up for debate.

In the financial sector, cyber crime is being tackled at board level. Eighty-six percent of banking and capital market chief executives identify technological advances as the trend that will have the greatest impact on their businesses, according to a February 2014 report from PwC. As the level of threat has intensified, some companies have responded by redoubling their internal security efforts. Existing employees are being retrained and re-educated in technology security. It is imperative that banking employees understand cyber issues and are prepared to deal with them.

According to a recent report released by the British Banking Association (BBA) and PwC, ‘The cyber threat to banking; A global industry challenge’, nearly 60 percent of companies have identified the speed of technological change as being a major threat to their growth prospects in the coming years. Yet the response from many companies is still lacking. Firms are generally unprepared for the threats that they face, and their cyber security capabilities fail to rival the persistence and technological skills of the criminal groups targeting them.

Countering the rise of cyber crime is easier said than done, although steps are being taken to protect financial institutions. In June, the Bank of England (BoE) launched a new cyber security strategy for financial institutions operating in the UK. The new regulatory framework, which the BoE has named CBEST, is based on penetration tests that mimic the techniques and procedures utilised by cyber criminals when attacking large financial organisations.

The CBEST framework is voluntary and has been in operation in the financial services industry since May. It has been designed to help board executives, IT providers and regulators gain a healthier understanding of the types of cyber attacks that could undermine financial stability in the UK. The framework is also intended to help determine the extent to which the UK financial sector is vulnerable to cyber attacks and the effectiveness of its detection and recovery processes.

The new strategy differs from other security testing programs currently employed by UK banks. The CBEST strategy draws on intelligence gathered through monitoring thousands of online sources linked to illegal activity. Hacker forums, blogs and chat rooms will all be trawled for data relating to potential attacks on a specific financial institution. One ongoing facet of the new framework will see regulators, the banking industry and the BoE develop better lines of communications. Continual dialogue between the parties will be used to clarify expectations about the framework.

However, despite such efforts, the nature of digital attacks makes it hard for companies and regulators to combat. Richard Horne, a partner at PwC who deals with cyber security, noted in the report that “digital attacks can target multiple systems or processes in parallel causing widespread harm. An individual online banking or credit card fraud may be small but their collective impact can be vast – companies face death by a thousand cuts in this new digital age.”

Fighting the effects of cyber crime can be expensive and arduous. Almost £700m was spent on cyber security by the UK financial sector in 2013; however, much of that money was invested unsuccessfully. PwC’s report notes that 93 percent of large organisations suffered some form of security breach in 2013. Many attempts to shore up defences revolve around the types of attack financial institutions come under. Unfortunately, security breaches are occurring more frequently and growing more sophisticated. As a result of the interconnected nature of the global financial sector, attacks on smaller firms or third party suppliers can have a huge impact on the wider market.

So how can companies and governments check the progress of cyber criminals? One argument calls for greater collaboration between the public and private sectors. Responding to large scale, synchronised cyber threats is beyond the abilities of a single organisation. Working in unison to fight cyber crime and gain intelligence about potential security threats and how to respond to them should help private and public organisations to advance cyber security practices. By pooling resources and efforts, and by mimicking the interconnected structures adopted by cyber criminals, companies have a better chance of counteracting potential attacks. PwC’s report calls upon banking groups to cooperate with one another and form an international, industry wide front against cyber criminals. It also outlines the benefits of creating a “centre of cyber information” which could maintain surveillance of key developments at the UK and international level, and coordinate an organised, wide ranging response.

Furthermore, in November 2013 the BoE launched an exercise aimed at testing the resilience of UK banks’ cyber defences. The exercise, ‘Operation Waking Shark II’, highlighted concerns within the banking industry about information-sharing during cyber attacks. In its recommendations following the operation, the BoE proposed that the industry establish a single coordinating body charged with coordinating and managing communications during an incident. The BoE recommended that the BBA take up the position.

Importantly there is evidence that a cross jurisdictional response can bear fruit. In May 2014, the FBI, the UK’s National Crime Agency, and a number of other international law enforcement agencies significantly disrupted two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. The operation was made possible by the formation of a partnership with a number of private sector partners, including US security and storage firm Symantec. The successful operation allowed the FBI to seize a significant amount of the infrastructure used by both criminal groups. By forming similar partnerships, financial institutions could reduce significant cyber security threats. It is the hope of the BoE that the introduction of the CBEST framework in the UK will also improve international cooperation.

There has been a shift in attitudes among bank leaders, as cyber security and data protection are now the third highest priority in UK boardrooms, according to KPMG. Increasingly, the C-suite is taking cyber security seriously. Since tone at the top tends to define a company’s approach to cyber security, there is still more work to be done.

In recent years there has also been a marked shift in legislative responses to cyber crime. Political attention has led international bodies such as the United Nations to consider the most effective means of combating the problem, including new legal instruments. PwC’s report notes that the European Union Network and Information Security Directive has set out mandatory data breach reporting regulations for the financial sector and a Financial Action Task Force meeting convened recently indicated that it will provide guidance on virtual currencies later in 2014.

Financial institutions must not be afraid to innovate when it comes to tackling the threats posed by cyber criminals. As PwC notes, they must “harness new technology to enable more efficient and effective services” where they can. Organised cyber criminals are agile and sophisticated. In a matter of years they have taken nascent growth areas such as online and mobile banking and exploited them for their own means. In this rapidly evolving area, individuals, companies and regulators must try to keep pace with criminal groups. Financial institutions need to remain vigilant and partner with other companies in the sector. If they can do this successfully, financial institutions have a better chance of thwarting cyber criminals and protecting their assets.

© Financier Worldwide

BY

Richard Summerfield