The recent $81m cyber heist at Bangladesh's central bank was a wake-up call for financial institutions to improve their basic cyber security hygiene. But it also had profound implications for the soundness of the banking system as a whole. Joy Macknight reports.

The successful cyber attack on the Bangladesh central bank that netted hackers $81m has significance well beyond the financial loss incurred. The criminals’ ability to exploit the trusted Swift network to send fraudulent transaction messages prompted the consortium’s chief executive, Gottfried Leibbrandt, to describe this as a “watershed event” for the banking industry.

“There will be a ‘before’ and an ‘after Bangladesh’,” he said at the European Financial Services Conference in Brussels on May 24. Since the Bangladesh Bank breach in February, additional attacks using a similar methodology have come to light involving banks in Vietnam, Ecuador and the Philippines.

Fast and efficient

Importantly, these incidents indicate a wider and “highly adaptive” campaign by cyber criminals, according to Swift. In a letter to members, it said: “The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”

In the case of the Bangladesh heist, not only did the hackers steal valid Swift user credentials to initiate fraudulent transactions, they also reportedly installed custom malicious software (malware) on compromised machines to cover their tracks, effectively giving them a head start in dispersing their ill-gotten gains across the globe.

The ability to quickly launder such a large sum of money was a real step change, says William Dixon, deputy director of intelligence, global information security at Barclays. Speaking on a panel at the Financial Times Festival of Finance (FoF) on July 1, he said: “The technical elements of the Bangladesh Bank attack – APT [advanced persistent threat] – are not unique. However, many of us were surprised at the money-laundering element, where an adversary had the capability to steal so much money and move it through the banking system.”

Rizal Commercial Banking Corporation, the Manila-based bank on the receiving end of the $81m transfer, has since been fined $21.3m by the Philippines central bank and is taking steps to strengthen its anti-money laundering (AML) processes.

Swift’s response

While rebuffing any suggestion that its network, software or services were compromised, Swift has responded to the Bangladesh heist by taking a lead in coordinating efforts to increase security across its member network. As a central messaging hub connecting more than 11,000 financial institutions, Swift is uniquely placed to see across the global banking industry in a way that individual market participants cannot.

On May 27, Swift announced a five-part customer security programme to:

  • Improve information sharing among the global financial community;
  • Augment Swift-related security tools for customers;
  • Enhance security and operational standards and develop audit standards;
  • Support increased transaction pattern detection to identify suspicious behaviour; and
  • Introduce certification requirements and partnership programmes for third-party providers.

“Our diagnosis is that the best way to solve this issue is not through a single measure or silver bullet, but multiple lines of defence, effectively shoring up the security inside banks and across the network,” Mr Leibbrandt told the audience at the FoF.

Setting standards is certainly a job Swift feels comfortable with, and Mr Leibbrandt believes the consortium could follow the Committee on Payments and Market Infrastructures’ guidance on cyber resilience for financial market infrastructures, published in June, with a similar framework for banks.

Nevertheless, the expressed aim of defining minimum operational and security standards has created controversy: what happens if members do not meet the criteria? Swift has indicated that they could be suspended from the network. Despite facing criticism that this might increase risk in the financial system by driving banks into unsafe channels, Mr Leibbrandt maintained that “nothing is off the table” but stated clearly that cutting off members would not be Swift’s first course of action.

Marc Dautlich, a partner and head of the information law team at international law firm Pinsent Masons, agrees that removing banks from the Swift network should be viewed as a last resort. “There are a number of other things that are important mitigation steps along the way and the most important of those is intelligence sharing,” he says.

Opening up

Mr Dautlich believes that one of the most practical ways to combat cyber threats is through sharing threat information, especially if a new customised piece of malware appears.

The Bangladesh Bank hack is a case in point: the incidents in Vietnam and the Philippines that surfaced after Bangladesh actually occurred before, in late 2015. Knowing the hackers’ modus operandi when they were first thwarted could have helped the global banking industry to better defend itself.

Intelligence sharing is a central tenet of Swift’s customer security programme. In a letter to members in May, it pledged to send alerts of any cases of malware or other indicators of compromise as soon as possible. It also plans to centralise all new and existing security information in its knowledge base in the restricted customer section of its website. Banks’ IT security teams are encouraged to review this information on an ongoing basis.

Additionally, the consortium strongly reminded members of their duty to immediately report suspected fraudulent use of their institution’s Swift connectivity. In return, it will provide related intelligence (in anonymised form) back to the wider Swift community.

During the FoF panel discussion, Mr Leibbrandt argued that the current events could actually encourage a move to greater information sharing. “Banks can now see that cyber attacks are common and that they aren’t the only ones. Because Swift publishes the modus operandi of the attacks on an anonymous basis, banks are much more willing than even a year ago to come forward,” he said.

Breaking down barriers

Breaking down the traditional barriers between competitors has been a critical obstacle for the financial industry, according to Mr Dixon, especially as cyber criminals are undoubtedly sharing their knowledge and tools. “If Barclays is attacked, then other banks will be too. We have to share that data in real time and break down the barriers that have existed culturally and technically,” he concluded.

Barclays is a sponsor of the Cyber Defence Alliance, which launched at the end of 2015. Known as the 'Nato of banks', the alliance aims to bring the institutions together in an operational environment to share information, and also identify and track major adversaries in association with law enforcement agencies.

A similar banking alliance has emerged in the US, comprising the top banks including JPMorgan Chase, Bank of America and Goldman Sachs. The group aims to share threat information as well as jointly prepare and 'conduct war games' to test cyber defences, according to the Wall Street Journal. The Financial Services Information Sharing and Analysis Centre will have oversight of the new group.

Mr Dixon stressed the sharing of information in real time as a critical issue, which many believe is essential to get ahead of the cyber criminals. While Swift’s programme is not yet operating on this basis, the European Central Bank (ECB) is currently piloting a real-time cyber incidents database, due to be rolled out to the 130 banks it regulates next year, according to the Financial Times. The ECB plans to share the data it collects with other central banks, such as the Bank of England and the US Federal Reserve.

Teaming up

New regulations specifying obligations to report cyber incidents to the authorities, including the Network and Information Security Directive and General Data Protection Regulation in Europe and the Cybersecurity Information Sharing Act in the US, demonstrate the importance of threat intelligence gathering for governments and authorities.

Cross-collaboration is also increasing at a country level. For example, the UK and the US conducted joint offline ‘war games’ with global financial firms at the end of 2015. More recently, the US and Singapore signed a memorandum of understanding in August covering information and best practice sharing, as well as joint cyber security exercises.

“Ultimately, cyber security is a team sport. No one agency, or even government, can deal with the challenge of cyber security by itself,” says Chin Hock Teo, deputy chief executive of the Cyber Security Agency of Singapore.

“Given that banks and financial institutions will remain an attractive target for cyber criminals, it is imperative that the financial community comes together to work towards greater information sharing and knowledge exchange, to better manage and respond to cyber security incidents.”

Self defence

In addition to its efforts to improve cyber security across the global banking industry, Swift has sent out a clear message that each bank is responsible for its own defences. The consortium pressed its members to “urgently” review controls in their messaging, payments and electronic banking channels. It also recommended that customers conduct third-party reviews.

Similarly, the Federal Financial Institutions Examination Council, a group of US banking regulators, issued a statement in June encouraging banks to check the security of their links with interbank messaging and payment systems. The council said that following recent attacks, banks should “actively manage the risks associated with interbank messaging and wholesale payment networks”.

Basic cyber security hygiene – such as using a firewall, patching, running security scans, changing passwords and backing up data – can go a long way in keeping out cyber criminals. Testing cyber defences is also critical in this threat environment.

John Proctor, the vice-president, global cybersecurity, at IT services firm CGI, is surprised that more banks do not conduct data breach exercises, especially when other safety exercises such as fire drills are commonplace.

“Which one will kill the bank? The breach,” he says. “If a bank hasn’t done an impact assessment and a breach exercise, then it can’t understand the challenge it faces.” Mr Proctor also advises banks to create “hunt teams” made up of security experts that go into the network and understand how criminals operate.

The human touch

While cyber crime and security can be seen as a highly technical subject matter, managing cyber risks is as much a human issue as it is a technology issue. Most attackers attempt to get into a bank’s network by sending an email link to click on – that is, through social engineering rather than brute hacking force.

Therefore banks would be well advised to provide education on cyber security hygiene throughout the organisation. Barclays, for example, runs programmes to constantly raise the bar on cyber security practices, in addition to end-point protection, message gateways and perimeter defence.

During the FoF panel discussion, Jonathan Luff, co-founder of Cyber London, a start-up accelerator to foster a more robust cyber security ecosystem in the UK, questioned the effectiveness of many such programmes. “If you send out a sample message to your workforce, even directly after a training exercise, it doesn’t take much time for click rates and infection rates to go back up to where they were,” he said.

Hook, a start-up participating in the Cyber London programme, is addressing this issue. The company has flipped the problem on its head and instead gets the workforce to target each other with phishing attacks. “As staff try to infect each other’s computers, the exercise quickly raises their awareness of what a malicious email looks like,” Mr Luff explained.

Improving employees’ reporting behaviour is another area to target, according to Mr Leibbrandt. “Once a company has good reports then it can follow up, which in turn greatly enhances its monitoring capability, especially for network breaches,” he said.

Tim Brew, director, financial services, at CGI, returns to Mr Dixon’s observation about the role that money laundering played in the Bangladesh hack and the need to tighten up know your customer (KYC) and AML processes. “In order to extract funds from the banking world, criminals need to have a valid account that they can send money to. That account has to be set up and configured and, theoretically, goes through AML and KYC checks,” he says.

In May, CGI launched its ‘Protect the bank’ architecture, which integrates alerts from sanctions screening, KYC, suspicious activity monitoring and fraud prevention into a single command and control centre. It employs intelligent self-learning based on big data and works across traditional bank information silos.

Covering the business

Cyber insurance is additional protection for banks, but it cannot replace the basic defence layers. In fact, insurers specifically look at cyber security hygiene across the three pillars of people, processes and technology.

According to Sarah Stephens, head of cyber, media and errors and omissions at insurance agency Jardine Lloyd Thompson Group, a major part of underwriting is examining an organisation’s security culture, as it prevents and mitigates cyber attacks. Insurers also look at the organisation’s reliance on third-party service providers because that is a big source of claims – a recent analysis of one year of cyber insurance claims shows that 25% of them occur because something happened at a vendor or outsourced service provider.

Today, insurers will be asking specific questions around electronic communication protocols and threat intelligence reports. “These reports identify the particular type of threat actor [that] is targeting banks, and insurers will be interested in a bank’s awareness of who is targeting it, as well as what it is doing to not only prevent a breach but also to detect that particular attack signature,” says Ms Stephens.

While cyber insurance has historically seen greater uptake in the US, there is growing interest from financial institutions in Europe and Asia, driven by incidents such as the Bangladesh hack as well as a massive increase in social engineering fraud, she adds.

The insurance gap

However, there is still some confusion over coverage. According to a recent survey by insurance broker Marsh, 50% of CEOs believe they have insurance cover for cyber attack, whereas policy analysis suggests that only 10% do. “That gap is likely a result of the ambiguity in many policies over whether cyber is covered or not, both in general and for the scenarios of most concern to the firm,” according to the report Cyber and the City, published in May.

“There is a lot of crossover between cyber and crime insurance coverage,” says Ms Stephens. “If an attack involves being tricked with a computer, many think it falls under cyber. But in many cases the actual loss of funds, for example the Bangladesh cyber theft, would – or could – already be covered under crime insurance policies.”

She believes, though, that the insurance market is changing to reflect the heightened threat level. “A sophisticated hack, which impersonates executives, penetrates defences, or if an insider was involved in collusion, isn’t necessarily the focus of a crime insurance underwriter – and yet potentially they are going to have to pay out for big losses,” she says.

As a result, the more traditional insurance underwriting community is now including more questions about cyber security defences or adding stronger cyber-related exclusions in traditional insurance policies.

Ms Stephens says: “Crime insurers will either look to understand how a cyber attack could happen and underwrite it, or push it into the cyber insurance market where they know how to underwrite it. It is a difficult challenge for insurers in a soft market such as today, because no one wants to be the first one to ask more questions and make it difficult for a client, or impose a new exclusion and potentially lose a renewal.”

A persistent problem

Banks are well advised to improve their cyber defences today, not just under threat of being kicked off the Swift network but because the financial services landscape is set to become ever more complicated as a result of new technology and fintech entrants.

Francesco Burelli, managing director of payments strategy at consultancy Accenture Payment Services, says: “Banking technology is becoming more complex as more participants and points of access become part of the network. As complexity increases so does the number of potential points of compromise.”

According to a global survey of 300 managers by Accenture Payment Services, the majority of top bankers (76%) “strongly agree” that they are open to more risks than they can manage as a result of digital developments.

However, technology will also serve to help banks solve the cyber security problem. “New technology such as artificial intelligence, big data analytics and behavioural biometrics are the new arsenal for the cyber arms race,” says Mr Teo.

During his speech at the European Financial Services Conference, Mr Leibbrandt voiced a similar sentiment. “Technology is essential to our cyber security. Bring on the next generation of pattern recognition, monitoring, anomaly detection, authentication, biometrics – and a host of innovations we have yet to develop that will improve and preserve the security of our industry,” he said.

Sibos, Swift’s user conference taking place this year in Geneva on September 26 to 29, is expected to have a strong cyber flavour. Innotribe, the conference’s innovation stream, will dedicate almost half of its sessions to cyber issues because “there is a wave of innovation going on in this area,” according to Mr Leibbrandt. Swift also plans to provide a detailed update on the five customer security programme initiatives at the conference.
