Protecting the banks’ crown jewels – money and personal data – may have become more difficult than ever, but financial institutions have fortified their defences with a little help from their fintech friends.

Cyber security: making banking safer

Cybercrime is the greatest existential threat banks face today. According to The Depository Trust & Clearing Corporation’s latest Systemic Risk Barometer Survey, cyber risk remained the number one concern globally among financial service professionals, with 70% of all respondents citing it as a top five risk.

This anxiety is well founded. Verizon’s 2015 Data Breach Investigations Report found that the financial services sector experienced 277 confirmed breaches in 2014, second in number only to the public sector.

An example of a cyber attack uncovered in early 2015, dubbed Carbanak, saw a criminal gang employ an advanced persistent threat-styled attack to successfully steal £650m ($980m) from more than 100 financial institutions worldwide over a two-year period. One firm had $10m stolen via its online platform, according to reports.

While money is an obvious enticement, cybercriminals also look to steal valuable customer data held by banks. Simon Hales, chief information security risk officer at HSBC, says: “The current reality is that threats realised through digital channels can also target the information financial institutions hold. It depends on the motivations of those committing cyber attacks, which are increasingly global and diverse. Furthermore, the exposure also extends to the financial institution’s partners and external parties.”

The 2014 attack on JPMorgan Chase illustrates the potential magnitude of a cyber breach: hackers compromised 76 million personal accounts and more than 7 million small business accounts. Public confidence in the security of banks was shaken by this attack, considered to be one of the biggest breaches in history.

As Troels Oerting, group chief information security officer at Barclays and former head of the European Cybercrime Centre, points out: “The bank is all about trust and keeping their customers’ sensitive information safe.” A significant breach may prove costly in terms of stolen money or large regulatory fines, but it can also destroy the client relationship beyond repair.

Systemic importance

Cybercriminals also target financial institutions because of the critical role they play in a functioning economy. Governments and regulatory authorities have become acutely aware of the major threat cybercrime might pose to the resilience of the financial system as a whole.

David Navetta, partner at law firm Norton Rose Fulbright (NRF), says: “Governments have a special interest in ensuring that the financial industry is secure because the global economy depends on the movement of money and open access to capital. This encourages much more cross-jurisdictional co-operation, as well as careful scrutiny of banks and financial institutions’ security practices.”

For example, on November 12, 2015, the US and UK conducted joint offline ‘war games’, dubbed Operation Resilient Shield, with global financial firms. The exercise focused on sharing information, incident response handling and public communication.

The European Parliament and European Council are in final negotiations over the Network and Information Security Directive (NISD) aimed at ensuring critical infrastructure in Europe is adequately protected against cyber attacks. Marcus Evans, a partner at NRF, says: “The real development [in the directive] is the formalised sharing of information between EU member states, as well as in due course with third-party countries such as the US.”

Governments and regulators are also paving the way for increased information sharing within national borders. For example, the US Senate passed the Cybersecurity Information Sharing Act of 2015 on October 27, 2015, encouraging sharing among private entities and between private entities and the federal government.

Bank-to-bank intelligence

While some banks remain reticent about sharing information among peers, Mr Oerting dismisses the idea that security is a competitive differentiator. “Catching crooks is something that we should all be united around,” he says, adding that if Barclays is hacked, then it is likely another bank will face the same attack. “We should share information so that the other bank can increase its security before being attacked,” he adds.

Orion Hindawi, co-founder and chief technology officer at cyber security start-up Tanium, agrees. “We know of hundreds of cases where customers were alerted by their peers which allowed them to fortify their defences,” he says.

“Criminals collaborate, learn from each other, leverage each other’s code and share system access. Yet on the flip side, we shy away and don’t want to talk about it,” adds Greg Day, vice-president and regional chief security officer, Europe, Middle East and Africa, at network and enterprise security company Palo Alto Networks.

In order to address this disjunction, 16 months ago Palo Alto Networks teamed up with Fortinet, Intel Security and Symantec to create the Cyber Threat Alliance. The security vendors participate in a technical collaboration forum to share information in real time. “With hundreds of thousands of customers, we have a huge crowdsourcing ability to see cyber attack trends,” says Mr Day. “We can leverage that data to provide better insight into what will hit our clients next.”

There are myriad industry alliances facilitating intelligence sharing and co-operation between governments, law enforcement and the financial services industry, including the National Crime Agency’s National Cyber Crime Unit, the Cyber Defence Alliance, the Financial Services Information Sharing and Analysis Centre and the City of London’s Police National Fraud Intelligence Bureau, to name just a few. The next step must be to join up these separate initiatives, argues Don Randall, the Bank of England’s former head of security and chief information security officer.

Mr Randall also believes that suspicions and attempts should be included in the scope of shared information. “The main industry alliances are predominantly focused on actualities. But if a group of hackers unsuccessfully attempted to breach five major banks at the same time yesterday morning with the same methodology, we don’t have that data at the moment,” he says. “We have to get into the position of sharing this information because invariably the attempts will turn into real attacks.”

Raising the complexity bar

A number of developments have combined to boost the difficulty banks face in defending themselves and their customers against cybercrime. Overall, the modernisation and mobilisation of financial services is a fundamental shift that has seen the majority of financial transactions now conducted via cyber means, i.e. mobile phones, tablets, watches, cloud, etc.

Banks are constantly worried about whether their online customers are secure, using out-dated software or vulnerable to fraud. As oft bemoaned, the customer is the weakest link. Employees are also more mobile: working from home or a coffee shop, at a conference, satellite office or customer site, which all bypass perimeter or network-based security that a bank has already invested in.

Laurance Dine, managing principal for the Verizon Investigative Response Unit, highlights how end-user behaviour is changing due to the ‘Internet of Things’ (IoT). “The new generation wants to have access to everything, so trying to secure every single device is a difficult task,” he says. “Ongoing employee training and security awareness programmes are critical to maintain within every business.”

In addition, the financial industry has seen a lot of merger and acquisition (M&A) activity and global expansion. “Most banks face great difficulty in tying together different infrastructures, databases and computer assets across multiple jurisdictions,” says Ben Johnson, chief security strategist at next-generation end-point security company Bit9 + Carbon Black. “Trying to defend their digital landscape in a cohesive, all-inclusive way is a huge challenge for them.”

Differentiating the motives and actors behind cyber attacks can help determine the proper level of response, resilience and budget. The actors range from organised crime syndicates, state-sponsored groups and militaries to hacktivists trying to make a point and insiders attempting to steal information for personal gain. “If the intention is to steal through organised crime or nation-state espionage, then the sophistication level will most likely be higher,” says Mr Randall. “But if the objective is to take down, disable or irritate, then simple old-fashioned methodologies can do the job.”

These categories are showing signs of blurring. “Some use hacktivism as a façade for a nation state attack. We also see co-operation between nation-states and organised crime,” says James Chappell, chief technology officer and co-founder at Digital Shadows, a UK-based cyber intelligence start-up. “Attributions are more difficult now because it is not easy to unpick who the culprits are. Luckily forensics is also developing at pace to help with that.”

Growing sophistication

Most experts report greater sophistication in cyber attacks. For example, cybercriminals are hitting banks with advanced distributed denial-of-service (DDoS) attacks, threatening to shut down their websites unless they pay a ransom. On November 30, the Financial Times reported that a group of hackers targeted three Greek banks and demanded 20,000 Bitcoin ($8.1m) from each institution.

DDoS attacks are also being used as smokescreens for other crimes. “As a bank automatically reacts against this very loud attack, criminals might be doing something around the back,” says Mr Oerting. “We need to have adaptive and flexible defences, so we aren’t just looking at where we hear noise but also our back doors.”

Mr Navetta recounts a client experiencing a cyber fraud in which an email referencing a secret M&A deal was sent to a person in accounting, purportedly from the CEO. The email convinced the accountant to wire transfer millions of dollars to a Hong Kong bank, which NRF has been trying to recover for its client. Mr Chappell, meanwhile, reports instances of hackers proactively seeking out digital developers to obtain pre-released versions of a bank’s website code.

Adam Ely, co-founder of San Francisco-based start-up Bluebox Security, has witnessed a rapid growth in malware targeting banks’ mobile apps. “We are at a tipping point where the banks are starting to invest more heavily in mobile technology and related security because the hackers are following them into this space,” he says.

In addition, cybercriminals are continually refining their tools. Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, says that the new bots being developed today are smaller and more targeted. “We are seeing a rise in Trojan downloaders, which drop other malware. One example is the Shylock banking Trojan, which primarily targeted UK financials. We have to adjust our strategy both legally and technically to adapt to the different things they are doing,” he says.

A losing battle?

In many ways banks appear to be fighting a losing battle, particularly when it comes to organised crime or state-sponsored adversaries. As Mr Dine says: “We are facing ‘hackers for hire’: people that are paid to hack all day specifically targeting financial institutions.”

“An underground economy has cropped up – crime as a service is a reality,” adds Mr Chappell. He reports that the more advanced techniques, which usually begin in the realms of the nation state, are now appearing in exploit kits and software that can be bought online.

Launching attacks has become much easier, adds Alex van Someren, managing partner of early-stage funds at Amadeus Capital Partners. “The tools for directing various forms of attacks against organisations are becoming increasingly automated, so it is easier for people who do not know much about hacking to nevertheless be successful in building attacks against enterprises,” he says.

But while attackers are stepping up their game, the industry is responding with new and innovative defences, Mr Chappell emphasises. “Together as an industry we have become much better at sharing information on attackers and how these crimes are carried out. The types of tools and services available to defend us are also progressing – there is great innovation in this space. We are part of an ecosystem of security companies that are helping banks with these problems,” he says.

Cyber security start-ups

As an investor that focuses on cyber security start-ups, Mr van Someren believes that this space presents impressive growth opportunities. In January 2015 he founded a start-up accelerator, Cyber London, to foster a more robust cyber security ecosystem in the UK. The programme helps start-ups grow their businesses faster by connecting them with customers that might help trial their products.

He is convinced that working with start-ups is the way forward for banks. “If a bank builds something in house, only they pay for it and only they get the benefit. If a start-up builds a solution externally, other banks help pay for it and it benefits the industry more generally,” he says.

Like many other banks, HSBC has an innovation investment programme that looks for organisations with innovative technology that it can help fund as well as internalise. “This engagement helps to evolve our capabilities to thwart our adversaries,” says Mr Hales. “It informs us what is possible and allows us to test out new ideas.”

At Barclays, Mr Oerting has a particular interest in start-ups exploring blockchain use cases and intelligent authentication technology. “We need to be engaged in order to build in security that is convenient and trustworthy. This will be a differentiator in the future,” he says.

Diverse solutions

Threat intelligence and next-generation data loss prevention products are areas that Mr van Someren sees attracting interest. Amadeus Capital currently invests in Exonar, a firm that identifies and controls sensitive information flows.

A few examples of the diversity of cyber security start-ups include Tanium and Bit9 + Carbon Black, whose solutions target end-points, for example, ATMs, point-of-sale terminals, servers, desktops, laptops and cloud. According to Mr Hindawi, banks can roll out Tanium’s software for monitoring and changing end-point activity. Deployed on just one server, it can scale to millions of end-points.

Mr Johnson likens Bit9 + Carbon Black’s software to a surveillance camera. “A client can install the software on each computer in the environment and it monitors end-point activity. The client can detect suspicious behaviour, respond faster to that behaviour and remediate it,” he says.

Digital Shadows, on the other hand, provides a complete view of a customer’s digital footprint, identifying defence weaknesses and data loss. It also tracks attackers by looking at their tactics, techniques and procedures. By monitoring malware, how it is being used, the relative prevalence of different malware types and criminal techniques, clients can better align their defences against those attacks, explains Mr Chappell.

And Bluebox Security focuses on securing mobile apps. The technology allows organisations to produce self-defending applications, according to Mr Ely. “If another app tries to modify the Bluebox-secured banking app, the latter can defend itself. It can respond by either shutting down and notifying the user of the problem, or preventing the attack to keep malware at bay,” he explains.

Much more than IT

In order to combat cyber threats and engage with innovative security technology, over the past two years many banks have elevated the chief information security officer to a more strategic role.

The financial sector has the highest percentage (88%) of chief information security officers, followed closely by IT/telecom (86%), according to the Governance of Cybersecurity: 2015 Report by Georgia Tech Information Security Centre. In addition, the sector increased the percentage of chief information security officers/chief security officers reporting to the CEO/chief operating officer.

“The chief information security officer role has been elevated to a truly C-level position in banks,” says Mr Hindawi. “They are being moved out of IT and placed either under the chief operating officer or report directly to the board. Even if they don’t have direct access to the board, they are often invited to give a cyber update and educate on the new existential risk.”

The chief information security officer’s remit should include policy and standards, education and awareness, intelligence and investigations, and forensics, providing the bank with a threat landscape, according to Mr Randall. He also recommends including a geopolitical analyst in the cyber team, a suggestion that may have raised eyebrows a few years ago but is more accepted today.

Barclays, for one, has adopted this management structure. Mr Oerting, who took up the chief information security officer role at Barclays in February 2015, reports directly to Michael Harte, Barclays’ chief operations and technology officer.

He drafted the bank’s first security strategy focused solely on cyber rather than an overall technology strategy. It includes four key priorities: protect the ‘data estate’, regardless of whether it is on premise or in the cloud; enable the bank to go to market in a fast but safe manner; innovate, including partnerships with accelerators and start-ups; and educate.

“Education is aimed at the whole staff, regardless of whether they work in communication, IT, a branch or HR – every employee must know that security is in our DNA,” says Mr Oerting. “I believe that culture eats strategy for breakfast. Any management can send out new strategies but if it is not in the culture of an organisation, then employees won’t implement them.”

Barclays has three cyber centres: a security operations centre; a solutions and innovation centre, with an internal ‘white hat’ hacking team; and a security control centre, which includes third-party vendors that report to Mr Oerting. “We now have a global security system that applies to the whole bank,” he says.

HSBC has taken a different approach and drives information security risk management through the chief information security officer, who reports into the chief information officer, and a chief information security risk officer, who reports into the chief risk officer. This decision was taken following the application of an Operational Risk Management Three Lines of Defence framework.

As chief information security risk officer, Mr Hales is responsible for setting policy and strategy, and aligning both to an organisation’s risk appetite around information security incidents. He also ensures that the businesses receive independent advice and guidance regarding operational risks. The chief information security officer, on the other hand, is responsible for day-to-day operational controls and development of technical controls.

Mr Hales continually challenges existing controls, not only to see if they are working effectively, but also to ascertain if they are fit for purpose. “We research current threats, not just the ones that impact us directly but those that are materialising in other business areas that may impact us,” he says. “This includes geopolitical concerns and other non-technical areas where threats materialise.”

The interplay between the lines of defence provides HSBC with greater assurance that it is getting security right. Mr Hales says: “The design, supported by audit as the third line of defence, ensures we are better positioned to manage the risk holistically, and provides management and regulators with a greater level of assurance.”

The Banker is a service from the Financial Times.