As cyber crime proliferates and becomes ever more sophisticated, banks are increasingly turning to the – arguably essential – services of ethical hackers to test just how secure bank data is.

Cyber security is top of mind for most bank CEOs, as the financial, reputational and legal fallout can have a punishing impact on an institution’s bottom line and customer numbers. For example, Capital One suffered one of the latest cyber-attacks, exposing the data records of almost 106 million people in the US and Canada.

The breach happened in March 2019, but was not discovered until July. In a statement, the US bank said it was expecting the incident to cost $100m to $150m, driven by customer notifications, credit monitoring, technology costs and legal support.

It is becoming painfully clear that banks need to engage in cyber warfare to stay ahead of the bad actors, who have become increasingly sophisticated, persistent and well resourced. Therefore, it is unsurprising that some are turning to the ‘white hat’, or ethical, hacker community to test their defences. Ethical hacking is mainly focused on penetration tests, whereby a white hat hacker will try to break into a financial institution’s systems, gaining administrator privileges and running either whole systems or individual workstations.

Most banks won’t admit to having hackers on their payroll, even if they are on the side of the angels. However, the European Central Bank has openly promoted white hat methods. Its Threat Intelligence-based Ethical Red Teaming (Tiber-EU) testing framework, launched in May 2018, facilitates a “harmonised European approach towards intelligence-led tests that mimic the tactics, techniques and procedures of real hackers”. It aims to complement the cyber security programmes of banks, financial market infrastructures and other types of financial entities.

Harnessing the global hacking community is a powerful way to create a safe environment. Many organisations take a ‘hybrid’ approach and use a combination of internal and external ethical hackers. To attract and engage external hackers, experts suggest running a ‘bug bounty’ programme, which involves challenging external hackers to find system vulnerabilities in exchange for prize money. While it may be hard to imagine a teenager in Indonesia or Nigeria protecting a multinational bank, this is happening across the world.
