Image: hacker typing (Getty Images)

The battle between hackers and banks is very unequal, with the former often able to perform their attacks anonymously at little cost. For banks, much is at stake from reputation to profitability and they are having to marshal increasingly sophisticated tools to defend their moats. By Justin Pugsley.

Such is the state of cyber security that insurance policies related to these risks have been skyrocketing in cost, along with a proliferation of much tougher clauses. Banks spend nearly 11% of their budgets on defending themselves against cyber crime, according to Deloitte. For very large banks, that can mean spending more than a billion dollars a year.

Indeed, Deloitte estimates banks are attacked 300 times more than other industries. Hackers, on the other hand, especially if they are based beyond the reach of Western law enforcement, can attack banks with impunity at no personal risk. Plus they can download hacking tools at very low cost from the dark web.

“It’s very easy to procure the types of skills required to conduct cyber attacks,” says Steve Bishop, research and information director at the Operational Riskdata eXchange (ORX) Association. These tools can help hackers work their way around well-known cyber security solutions.

However, banks could not hold back this growing horde without automation, artificial intelligence (AI) and machine learning (ML). Increasingly, these are the weapons of choice given the sheer volume and complexity of attacks.

Digital guardians 

“The advantage that AI has is that it can manage massive volumes of data because it’s not hamstrung by a central processing unit,” says AJ Thompson, chief commercial officer at IT consultancy Northdoor. “Machine learning can view patterns within massive amounts of data and track it and then learn from these patterns and adapt its own model.”

Mr Thompson explains that ML has the ability to assess events and self-manage, meaning it cuts through 98% of the noise. “It is the day-to-day stuff that it has seen before that it automatically filters out. It is incredibly fast and incredibly efficient,” he says. 

Kerem Tomak, chief analytics officer at ING, adds: “By just mining transaction data, which is the richest data source for a bank, we can see these outliers of which payments are fraudulent, which kind of payment processors are fraudulent and pointing to patterns that we see that are not really falling into the common bucket of transactions.” 

He explains that ING sets some ground rules for these algorithms, configures them to detect existing suspicious patterns and then lets them hone their effectiveness on the job through ML. “As transactions get added, the algorithm starts monitoring,” he says. “So whenever there is an outlier that pops up that is outside this bucket of training data, that algorithm picks it up, which is mostly done on a real-time basis and can raise a flag.” He explains that much of this task used to be done manually. “We are sifting through billions of transactions over a 10-year history. We use 250 data dimensions to detect suspicious activity,” he says. That data is sourced from the bank, but also from third-party providers such as FactSet and Dun & Bradstreet.

Mr Tomak explains that when an algorithm is first put through its paces, it is about 75% to 80% accurate, but this should reach 90% to 95% once it is up to speed. This also means a lot fewer ‘false positives’ are generated. 

“The banking industry was an early player in exploring how AI can be used in security management — notably in the identification of potential fraud and suspicious [phishing] emails,” says Bill Trent, managing director, cyber strategy at Accenture UK. 


He explains that AI has been used to identify suspicious transactions, such as fraud, for some time, and is now an established business tool. 

“These types of high-volume, less sophisticated crimes lend themselves to the use of AI quite naturally, given AI’s strength in spotting patterns in large datasets,” he says. “For the scale that banks and payment businesses operate on, it’s an effective means to tackle low-level crime quickly and efficiently.” 

However, he warns that AI has its limitations in that it is less effective for countering sophisticated cyber threats posed by organised crime and nation states. 

“They remain potentially vulnerable to a range of direct attacks, such as the exploitation of misconfigured cloud environments,” Mr Trent says. He explains that these more sophisticated actors evolve their techniques quickly and in unpredictable ways, which can trip up AI applications. 

Lorenzo Grillo, a managing director at Alvarez & Marsal, a professional services firm, adds: “You can’t have a 100% automation security solution. But they are going in that direction.” 

Pay or else…

The biggest form of attack banks face at the moment “is undoubtedly ransomware”, says Mr Thompson. “People are by nature trusting.” He points out that all too often ransomware ends up on a company’s IT system because people click a link in an email from someone they think they know.  

Ransomware can be a particularly scary form of attack, according to Jano Bermudes, head of cyber risk consulting, UK & Ireland, consulting solutions at Marsh Advisory, an insurance broker. 

Typically a hacker will threaten to permanently delete or encrypt all of a company’s data, or in some way severely disrupt its IT systems, if a ransom is not paid.

“There’s this big trend that they’ve been in your network for six weeks to three months and by the time you get a ransomware attack, they’ve already stolen all your data,” he says, explaining that the attacker may have already run half a dozen payroll scams and maybe even some CEO fraud. The latter involves sending fraudulent payment instructions, purporting to come from the CEO, authorising a payment to an outside party. “They’re just burning the house down on the way out and seeing what they can extort you with,” says Mr Bermudes.


“Yes, that is a big issue,” says Mr Grillo. Firms are responding with tools, such as multi-layer and multi-factor authentication processes to clamp down on the problem. “All those things are not enough if you don’t have an overall cyber resilience strategy for the business,” he says. 

This includes having processes for information-sharing, third-party risk management, operational resilience, stress testing and cyber crisis preparedness and management in place. 

Regulatory interest 

Regulators are also becoming increasingly interested in the risks and benefits posed by technology. The EU has put together the Digital Operational Resilience Act (Dora), which the industry says is driving considerable investment in cyber resilience in its own right. It is considered one of the world’s most far-reaching cyber security regulations. 

“I think that is a very good regulation in that particular aspect [digital resilience],” says Mr Grillo, adding that it is forcing banks to raise their game on cyber security. 

Pre-Dora, most IT-related rules focused on data and privacy issues. The act aims to ensure that financial firms have the proper safeguards in place to mitigate and defend themselves against cyber risks and deal with other IT operational issues. It also consolidates and upgrades existing IT requirements for banks in a bid to promote consistency. Dora is expected to come into force across the EU around 2024. 

In the UK, regulators published a discussion paper on October 11 specifically on AI and ML, showing that they are taking a greater interest in the topic. They recognise that these technologies can help fight fraud and money-laundering, and also reinforce risk management and controls. However, there are some legal issues to consider, particularly around the use of data, which could hinder the effectiveness of cyber defences. 

“One of the key questions in this area is: how far can an organisation go in relation to identifying and responding to patterns of attack without falling foul of criminal statutes, specifically the Computer Misuse Act 1990,” says Malcolm Dowden, a partner at law firm Squire Patton Boggs. “Campaign groups such as CyberUp have been calling for reform of the Computer Misuse Act to provide a statutory defence in relation to some active intelligence-gathering measures, but acknowledge that there is a line that ought not to be crossed.”

Mr Dowden explains that it would be a step too far to permit ‘reverse hacking’ or ‘defensive’ denial of service attacks to take down a threat actor’s site. “In practice, that drives attention towards purely defensive steps that might be taken. AI/ML can, for example, spot patterns typical of particular types of attack and dynamically alter/increase the level of security/access control or trigger measures to slow or prevent the spread of malicious code,” he says.

An area of cyber security that has been overlooked is the resilience of the service providers that financial institutions depend on. Dora, for example, mandates financial institutions to pay close attention to their suppliers. That means the act will echo out beyond the EU to jurisdictions such as the US and India, where many tech suppliers are based.

Mr Bishop notes that there is some concern around smaller suppliers, over whether they have the appropriate controls in place, but also around some of the bigger ones, which often allow their bank customers only limited visibility of their security arrangements.

“People are looking far more now at the due diligence stage of appointing a supplier to see what they can enforce in the contract from an oversight perspective,” says Melanie Lavallin, senior research manager at ORX. 

Industry sources indicate that some banks are having to rely more on third-party providers because they have been struggling to recruit cyber security experts due to fierce competition for their skills in recruitment markets.  

Insurance shock

A signal of how challenging cyber security is can be seen in the cyber insurance market. In short, it is a market insurers increasingly want to avoid as the threat environment is so complex and fluid.  

“For anyone who wants to get cyber insurance these days, we get them to tell us about the controls that they’re operating,” says Marsh’s Mr Bermudes. “It’s about 250 questions based on where insurers are seeing claims and it is based around 12 controls.” He explains that some years back firms only had to answer 30 basic questions around their cyber security. Go back further and it used to be rolled in with general building insurance. 

Mr Bishop mentions that discussions he has had with the industry suggest that firms have to jump through an extraordinary number of hoops to get their policies and are potentially dealing with very detailed exclusions, answering very detailed questionnaires. Premiums can be expensive. 

“It’s a difficult risk to underwrite because unlike say, natural disasters, cyber attacks can hit everybody they insure at the same time,” he says, making it a risk that is hard to model, reserve against and price. 

Mr Bermudes says he sees an average of 100 claims per quarter and that the number has been rising at around 2.4% annually since 2017. Meanwhile, he says cyber insurance premiums now cost 100% more than two years ago.

He says that the costs of insurance are considerably higher when taking into account the number of controls banks now have to put in place to get cover. 

“Now they want to know that you’re actually running these controls and these controls are mature, so you have to invest in mitigation … Insurers won’t touch you unless you have these key controls, and they’re not cheap,” he says. 

On a more positive note: “From the dialogue that we have with our members and the data that we see, we don’t see huge volumes of actual cyber losses among banks,” says Mr Bishop. ORX has a service that allows subscribers to exchange information on cyber events. “Quite often, however, the really significant events are happening outside financial services,” he says.

Mr Bermudes believes that the cyber insurance market is simply going through a period of correction, reflecting that industry participants have underestimated threat levels. As banks become more digitised, the threat window continues to widen. 

“And I think the single biggest issue has been the fact that cyber insurance is too cheap … It hasn’t gone up nearly enough,” says Northdoor’s Mr Thompson, remarking that many insurers saw cyber cover as easy money. “There’s a lot of change now around the security comfort of a cyber insurance policy. You have lots of flux.” 

Both Mr Bishop and Mr Bermudes believe that this segment of the insurance market will become more challenging. Banks are managing to stay ahead of the hackers, but at ever greater expense.

Could Web 3.0 be the solution?

Banks operating legacy IT systems with some modern technologies layered on top are vulnerable to cyber attacks. Neo-banks, however, might be better protected by design. 

“We are most probably the only bank that is not using any servers. We are using blockchain to record client data. Hacking into the blockchain is more difficult for hackers, especially when our [smart] contracts are not very complex,” says Yang Lan, co-founder of Fiat24, a bank built around Web 3.0 technologies and regulated by the Swiss Financial Market Supervisory Authority (Finma).

“We build our smart contracts as simple as possible on purpose, because the simpler they are, the more difficult they are to hack,” says the former UBS banker. 

Fiat24 has taken advantage of Switzerland’s regulatory environment to build innovative approaches to managing client relationships. 

Last year Finma allowed banks to use facial recognition technology for people to open and access their bank accounts. That involves matching their passport photo with a picture taken from their smartphone. 

“Clients are asked to match their passport photos with their ‘selfies’ once a year. If there is any abnormal activity, then it will trigger an immediate re-verification,” says Mr Lan. “It definitely reduces the chance of client accounts getting hacked.” 

Finma also permits the use of geolocation information to help verify an account holder’s proof of address. “This dramatically reduces the workload of onboarding,” he says.

In general, Fiat24 does not email its clients and instead communicates with them via a secure app on their phone. This greatly reduces the opportunity for phishing attacks, for example. “I think the next step will be to even use biometric information stored in the passport, but this increases difficulty for the IT system,” says Mr Lan.

This article first appeared in Global Risk Regulator, a service from The Banker.
