Cyber security: locking out the bad guys

Cyberspace is a dangerous place for banks, with the risk of payments fraud, data theft, denial-of-service attacks and other crimes high. So what are banks and the regulators doing to improve cyber security in the sector?
The ubiquity of the cyber threat to financial services was demonstrated to this writer while this article was being written. I received an email from the chief executive of the Chartered Institute for Securities and Investment (CISI), of which I am an affiliate, alerting me and 40,000 other members to a data security breach in which everyone’s name, email address and membership level had been divulged to a fraudster.

Fortunately, it was not a breach of the institute’s IT system, but the result of what is described as a “devious confidence trick” played on an unsuspecting member of staff. “Our main concern is that as we do not know the motive of the fraudster, it is quite possible that you may be contacted via email by a fraudulent party, who may pretend to be from the CISI and so attempt to gain your confidence to encourage you to impart further information, most likely financial,” said the CISI’s warning email.

So, although this event did not start as a cyber attack, it could at any time escalate into one, in the form of a simple but potentially costly email scam on CISI members. 

But what if the 'CISI alert' was itself a scam? It seemed unlikely, as it did not ask the reader to divulge any information or log on to a dodgy website; nor did it contain the spelling or grammatical errors that such emails often have. Nevertheless, I felt it necessary to log on to the CISI website to investigate further, where it became clear that the alert was indeed genuine, and that the breach had happened.

CBEST practice 

Banks are essential to the functioning of the modern state, and so must have robust measures in place to deal with cyber threats. Thirty-six banks and financial market infrastructures (such as Chaps, BACS, Faster Payments and Euroclear) in the UK are currently using CBEST, a Bank of England-led initiative launched in 2014 to test and improve their cyber resilience. The CBEST test is provided by a small number of accredited firms, and the Bank of England will soon report on the results of the first tests. The Bank of England is also involved in a joint cyber testing programme to be carried out by the UK and US governments and supervisory authorities later this year. 

“There are groups out there that are motivated to attack the sector,” said Andrew Gracie, an executive director at the Bank of England, in a recent speech. “For most, the motivation is economic; that accounts for the rise in fraud. But there are actors out there, sometimes state-sponsored, who may be motivated to bring systems down and cause harm to the sector. 

“Their capabilities vary, but it is in the nature of cyber that attack types are constantly evolving and readily scalable. And the threat is international. Attacks can originate anywhere around the globe.” 

The EBF and Europol

The European Banking Federation (EBF) is co-operating with Europol’s European Cybercrime Centre, known as EC3. The two organisations exchange information, expertise and statistics to protect banks. They are, for example, reporting new instances of malware and evolving means of payment fraud to help police investigate and arrest the perpetrators. 

“Our members [banking associations throughout Europe] already co-operate intensely with their own, national police authorities in order to fight financial cybercrime,” says Wim Mijs, the EBF’s chief executive. “Our partnership with Europol now adds a European dimension to this important work. International co-operation between banks and law enforcement bodies is essential because it is clear that criminals know no borders.” 

“Cyber crime is the number one threat for banks,” says Fanny Derouck, policy advisor, cyber security and financial crime, at the EBF. “With the digitisation of services and platforms the risk of cyber attacks on payment systems is very high, although it is a risk that banks manage very well.” 

The EBF has a cyber security working group made up of experts from national banking associations and banks. “Every week we exchange information about attacks and trends,” says Ms Derouck. “Together with one of our members, banks and law enforcement agencies we have put forward a proposal and funding request to [the directorate-general for justice] in the European Commission for the setting up of a cross-border cyber security information sharing platform. The name of this platform is the European Online Fraud Cyber Centre and Expert Network. 

“We have an agreement with Europol’s EC3 unit to work together. One example is the joint work on a document on the latest trends and threats and effective counter measures. We also share information with [EC3] on attacks such as the ones using the Carbanak malware.” 

Europol was one of the organisations, along with Interpol and Kaspersky Lab, that discovered the theft of $1bn from banks worldwide, including Europe, by the Carbanak criminal gang over the past two years. 

The US dimension

“The threat to our banks is serious, and the attacks are becoming more ‘blended’,” says Doug Johnson, senior vice-president for payments and cyber security policy at the American Bankers Association. By 'blended' he means operating on two or more levels at once, though this may not be obvious to the victim. 

Mr Johnson adds: “The objective of a distributed denial-of-service [DDoS] attack used to be to disrupt traffic. Now, more criminals are using a DDoS as a diversion to commit a second crime to make money. They create a DDoS attack, the bank focuses its attention on dealing with that, and while its attention is diverted they target customer accounts.” 

Mr Johnson is also vice-chairman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). It works closely with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the body that shares information on cyber threats between financial institutions so they can better protect themselves.

“The banking industry runs cyber security exercises which are co-ordinated by the FSSCC. We also share information on actual incidents, such as the recent Carbanak attacks on banks and bank systems. The gang was able to manipulate systems so that individuals could go to certain ATMs at specified times and withdraw large amounts of cash,” he says. 

An escalating risk

“Cyber incidents against all industries are on the increase, and 25.3% of incidents are occurring in financial services, which makes it one of the top three industries most targeted,” says Nick Coleman, global head of the cyber security intelligence service at IBM. That statistic is derived from the operational data IBM collects from the managed security services it provides to its clients. 

“As for the cost of data breaches, that is rising too. According to a report published by the Ponemon Institute in May, which IBM sponsored, the average total cost of a data breach, in all industries, has risen by 23% since 2013, to $3.79m. That equates to an average of $154 for each record stolen.”

Mr Coleman believes that the number of cyber incidents will continue to increase in the next few years. Although banks and other organisations will get better at identifying and stopping many of them, the ingenuity of the hackers means the number of breaches will continue to increase as well. 

One of the biggest threats to online transactions for consumers and small businesses is financial trojans, says Sian John, the chief security strategist for Europe, the Middle East and Africa at Symantec, a provider of cyber security protection software. 

“A trojan is a piece of software that bank customers are fooled into downloading,” says Ms John. “It sits quietly on the customer’s system until they do a bank transaction. It will try to view the transaction, and attempt to make a fraudulent payment to the person who sent the trojan.”

The software would probably be detected if the criminal tried to install it on a bank or a large corporation’s system, but consumers and small businesses are less likely to have the right security in place. 

Legislators and regulators

As part of the European Commission’s Cyber Security Strategy, its Network and Information Security (NIS) Directive is in the final stages of negotiations between the European Parliament and the Council of the European Union. It will require 'critical infrastructure' companies such as banks to ensure that their digital environments throughout Europe are secure. They will also need to adopt robust risk management practices and report major security incidents to the authorities and customers. 

Around the same time, the European Commission’s data protection regulation will replace the existing Data Protection Directive. It will establish one law for data protection across Europe, replacing a patchwork of national laws. It will require banks and other organisations to report any data breaches to the relevant authorities, thus complementing similar requirements in the NIS Directive. 

The Joint Committee of the European Supervisory Authorities – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – published its fifth report on 'Risks and Vulnerabilities in the EU Financial System' in May. Cyber risk was one of the four main risks highlighted, and in the previous six months all these risks had intensified.

“IT operational risk and cyber risk remain of great concern and pose challenges to the safety and integrity of financial institutions,” said the report. “IT risk increased due to cost pressures, outsourcing, the need for additional capacities and a mounting number of cyber attacks. The adequate integration of IT risk into overall risk management is a key policy for mitigation.” 

To reduce cyber risk in the payments system, the EBA has published guidelines for national supervisors across Europe on what banks and other payments providers must do to improve the security of their retail internet payments. The guidelines come into effect on August 1, 2015. They are based on the recommendations of SecuRe Pay, a voluntary co-operative chaired by the European Central Bank and the EBA and made up of relevant authorities in the European Economic Area.

“This work will ensure increased confidence in internet payments for consumers and firms in the EU, and is aimed at allowing this sector of the payments market to continue to grow,” says Dirk Haubrich, head of the EBA's consumer protection, financial innovation and payments unit. 

Official assistance to banks

One of the roles of the European Union Agency for Network and Information Security (Enisa) is to help corporations in all sectors, including banking, to understand the cyber threat, how to counter it, and how to comply with relevant EU laws, such as the NIS Directive, and regulatory actions, such as the EBA guidelines. 

A recent report from Enisa, Network and Information Security in the Finance Sector, made four key recommendations:

1. The EBA and Enisa should consolidate scattered obligations in the field of NIS into one set of supervisory guidelines.

2. Enisa should establish guidelines on how NIS supervision practices in the finance sector apply to its supply chain, including cloud providers that operate financial services.

3. Enisa should establish guidelines summarising the main conditions for adopting cloud-based applications or services in the finance sector.

4. Enisa should help the European Central Bank and the three European supervisory authorities (the EBA, ESMA, EIOPA) to organise regular but voluntary NIS stress tests in the finance sector, the purpose being “to identify possible black swan risks and uncover to the greatest extent possible unknown unknowns”.

Global action

The Committee on Payments and Market Infrastructures (CPMI) at the Bank for International Settlements not long ago issued a report entitled Cyber Resilience in Financial Market Infrastructures. The financial market infrastructures (FMIs) studied were systemically important payment systems, central counterparties, central securities depositories, securities settlement systems and trade repositories.

“The report notes that cyber resilience is increasingly becoming a top priority within FMIs, although the CPMI's analysis, which was supported by industry interviews, shows that there are differences as to the form and maturity of FMIs' approaches to cyber resilience,” says Benoît Cœuré, the chairman of the committee. 

It also found that “extreme events” may challenge the ability of FMIs to recover within two hours following the detection of a cyber attack and to complete settlement by the end of the day of the disruption – a key element of the operational risk management requirements laid out in the CPMI-International Organisation of Securities Commissions principles for FMIs. 

“The report concludes that one of the distinctive features of FMIs is their interconnectedness,” says Mr Cœuré. “Disruptions in one FMI may spread to a multitude of other connected entities. Furthermore, cyber threats tend to be cross-jurisdictional in nature, posing challenges for risk mitigation efforts conducted solely at national or single-institution level.” 

Banks, FMIs and other firms in the financial sector will never win the cyber war outright. But at the moment they are containing the threat at manageable levels, albeit at significant operational effort and cost.
