Financial institutions need to manage cybersecurity risk from all sides. Theft of customer passwords and assets, through to centralized theft of assets – such as the recent SWIFT attacks – which can result in $80m+ plus being stolen.
Along the way there are phishing attacks, ATM theft, credit card fraud … financial institutions can never rest. And of course the loss of money – on average around $2m to $4m – is just the tip of the iceberg. The loss to customer confidence, brand integrity, data privacy fines and share value can far exceed what the criminals get away with.
It’s a growing risk management problem. Sergio Loureiro, CEO of SecludIT, says that his company adds an average of 120 vulnerabilities a week to the threats that their Elastic Detector scans for. “Our system now scans corporate networks for over 60,000 threats,” says Sergio, “up from 30,000 just two years ago. Every day, banks wake up to a new set of threats. Dealing with those vulnerabilities is a race with no finish line.”
Cyber is not an event. It is a conduit for events to occur. That makes the cyber threat broad in nature from minor cases of fraud targeting individuals to sophisticated attempts to destabilise whole firms and economies. To make it actionable, it is therefore important to categorise the different threats and consequences to help pin-point different responses. Cyber risk can be defined as “any risk of financial loss, disruption or damage to reputation from some form of failure of information technology systems.” This includes accidents as well as attacks.
10-point cyber security checklist for banks.
In the white paper ‘Cyber & the City’ (link below), Mark Weil – CEO of Marsh Ltd and Chair of TheCityUK Cyber Taskforce – lists a ten point cyber security risk management plan for the C-Suite of banks and other financial institutions:
- Identify and size the main threats to the business.
- Develop an action plan for those threats and improve defenses.
- Map all data assets and take action to secure them.
- Manage the supplier, customer, employee and infrastructure chain.
- Carry out independent testing of your assets and security measures.
- Ensure the ‘risk appetite’ statement gives control of the cyber security risk.
- Check the organization’s insurance policies give adequate cyber-theft and third-party cover.
- Have a ‘what if’ for how to deal with the technical and reputational aspect of cyber theft.
- Create processes so that cyber security insights are sought and shared.
- Program regular board level reviews to ensure the cyber security program is up-to-date.
The Cyber & The City risk management report estimates that an “estimated 95% of attacks succeed as a result of basic human error,” and that the independent tests recommended in point 5 above result in “an 80% reduction in breaches…”
Sergio of SecludIT agrees with those figures. “We’ve carried out over 1,000,000 network vulnerability scans in the past five years and I can count the number of scans which showed zero threats on the fingers of one hand. Anything from malware through to mis-configured servers and out-of-date multimedia software can give hackers a point of entry to the network.”
Increase the number of cyber security specialists.
London’s ‘Cyber & The City’ report says that the financial services industry should invest more in training and recruiting of cyber specialists.
Across the Atlantic, MIT is one of the many educational establishments around the world who have specific courses for cyber security.
MIT is studying the broader aspects of cyber security. Funded by a $15 million grant from the Hewlett Foundation, the MIT Cybersecurity Policy Initiative will pool the expertise of researchers from technology, political science and economics disciplines to better understand the security dynamics of large networked systems, with the aim of guiding policymakers.
Back in London, the UK Government (link below) recently announced a National Cyber Security Centre. Describing its mission, the government webpage says: “The UK faces a growing threat of cyber-attacks from states, serious crime gangs, hacking groups as well as terrorists. The NCSC will help ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online.”
Sergio agrees that companies should invest more in cyber security specialists, but adds that the company’s Elastic Detector vulnerability scan can ease the workload of specialist and non-specialist IT teams alike. “Our daily vulnerability analysis doesn’t just highlight weaknesses,” Sergio says, “but also provides remediation tips. These remediation tips help a bank’s IT team to create a prioritized action plan for dealing with vulnerabilities.”
Cyber And The City. Read the report from Marsh and TheCityUK.
With an introduction by John McFarlane – Chairman, TheCityUK and Chairman, Barclays – the report ‘Cyber & The City‘ is recommended reading for management at banks and other financial services organizations around the world.
In six key sections, the report covers the major topics for cyber security and banks:
– Summary & Recommendations
– The Cyber Threat
– Firm Response
– Sector Response
– Action plan
Sergio of SecludIT says that the sophistication of cyber theft is increasing alarmingly. “Whereas the threat a few years back was the ‘lone wolf’ opportunistic hacker, the potential rewards of cyber theft nowadays mean that professional businesses and even, allegedly, governments are engaged in cyber theft and cyber warfare.”
“For example,” Sergio continues, “following the recent SWIFT attacks on the Bank of Vietnam and others, security specialists found malware code which previously had been identified in other attacks as coming from North Korea. Similarly, as the Cyber & The City report highlights, Estonia’s Hansabank had to go offline due to cyber attacks following a diplomatic altercation between the governments of Estonia and Russia.”
If you’re involved in risk management or cyber security for the banking and financial services sector, the comprehensive report ‘Cyber & The City’ is available as a PDF.