Banks are under attack from cyber threats coming at them from all directions, but are fighting back with a range of countermeasures, writes Michael Imeson.

Cyber threat

Banks are facing more frequent and serious cyber attacks, which are hitting the headlines with depressing regularity. The Petya ransomware offensive that struck some of the world’s largest companies, including banks, in more than 60 countries in June was just one of many recent incidents that have sounded alarm bells at bank headquarters.

In August, the UK’s National Crime Agency announced that a British man had been extradited from Germany to face charges of launching cyber attacks against Barclays and Lloyds Banking Group in January. While Barclays had fended off the assault, Lloyds succumbed to the 'denial of service' that brought down its digital services for more than two days.

The largest known cyber heist to date remains the $81m theft in 2016 from the central bank of Bangladesh’s account at the Federal Reserve Bank of New York, where funds were transferred to accounts in the Philippines, Sri Lanka and other parts of Asia.

Felonious motives

“Cyber threats to banks are very real,” says Rich Baich, chief information security officer (CISO) for US banking giant Wells Fargo. “Why? It’s obvious. When a notorious bank robber in the 1920s was asked by a reporter why he robbed banks, he replied: ‘Because that’s where the money is’.”

But today there are many other motives as well, says Mr Baich, such as one country wanting to disrupt another’s financial system for political reasons, or criminal gangs seeking to steal intellectual property or customer data.

Effective cyber security is therefore essential – but technology on its own is not enough. “You have to instil the right culture in the bank,” says Mr Baich, who is also chairman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, a public-private partnership between more than 70 financial institutions and the US Treasury Department.

“Cyber security can no longer be an afterthought,” he adds. “You must build security into your corporate culture, team members and employees, as well as into your technology. You must make sure all those things are operating together to mitigate the threats. Every single person in our company is a risk manager.”

Ensuring the CEO and board of directors are up to speed is essential. That is why two years ago Wells Fargo appointed to its board Suzanne Vautrinot, a former US Air Force major general who worked in cyber operations and for US Cyber Command.

Wieland Alge, general manager, Europe, Middle East and Africa, at information security provider Barracuda Networks, says banks’ executive and supervisory boards tend to be too hierarchical, which inhibits their ability to really understand cyber threats. It also makes them particularly prone to CEO e-mail fraud, also known as 'business e-mail compromise', where an imposter impersonating the CEO directs the finance department to wire large sums to a fraudster’s account, usually abroad.

“There is a separate elevator for the board and they don’t greet anyone,” says Mr Alge. “So impersonating them on e-mail is easy.”

Sophisticated attack tools

Troels Oerting, group CISO of Barclays, says: “In the old days we had physical bank robberies; now they are virtual. [Banks] also possess other things of value to cyber attackers, such as credit card information, personal information and our intellectual property and strategic intent.

“We see low-level attacks, sophisticated attacks, and even more sophisticated advanced persistent threats, or APTs. We are also seeing an increase in the number of blackmail cases. When I first started at the bank, distributed denial-of-service [DDoS] attacks came out of the blue. Now we might first get a blackmail letter saying, ‘If you don’t pay X amount of Bitcoin to this wallet in 24 hours, we will start DDoSing you’.”

Mr Oerting, who was previously director of Europol’s European Cyber Crime Centre, says some of the advanced tools used by criminals are stolen from national intelligence agencies and repurposed, such as the US National Security Agency’s Eternal Blue that was used by the Wannacry attackers earlier in 2017.

But simpler tools can be just as effective, such as the PDF malware used in the Bank of Bangladesh fraud. In this case the malware adulterated the targeted bank’s PDF reader, thereby altering its PDF statements in order to obfuscate the traces of the fraudulent messages which had previously been sent over the Swift financial messaging network to request and authorise payments. “It is important to mention that Swift network was not compromised,” says Mr Oerting. “It was the bank that was compromised in the way it communicated via Swift.”

In the wake of the Bangladesh incident, Swift set up a customer security programme. “It helps banks defend themselves,” says Swift CISO Marc Hofmann. “One aspect of the programme is the customer security control framework, under which we define security controls, especially for banks’ payment processes and local environments, establishing a community-wide baseline for basic security.”

Some of the controls are mandatory, and some advisory. By the end of 2017, all Swift members will have to self-attest themselves against the mandatory security controls. Swift has spent much of this year organising hundreds of roadshows, explaining the security controls and the attestation process.

Countermeasures

What, therefore, should banks be doing to improve security? “Risk mitigation strategies need to shift from being compliance driven to threat driven, with the speed of detection and response aligning with the speed and sophistication of threat actors,” says Brendan Goode, regional CISO for UK and Ireland, and global head of information security operations, at Deutsche Bank. “A good cyber security strategy acknowledges that not all threats can be blocked, and aligns preventive and detective controls with business priorities and risk appetite.”

Fannie Mae, the US government-sponsored enterprise that securitises mortgages, has a security policy it characterises as ‘Get Right, Get Small, See Big’. “Get Right is a continuous improvement programme of identifying and fixing all the problems, so we get the fundamentals of security right,” says Chris Porter, CISO at Fannie Mae.

“Get Small means shrinking the attack surface, the data, access management entitlements – keeping the attack surface as small as possible. See Big is about visibility over our network and third parties – putting the right cyber intelligence components in place to identify, respond to and recover from attacks quickly.”

MasterCard’s approach is to protect the overall payments ecosystem. “We use a simple four-layer strategy to protect [the ecosystem] and all our stakeholders,” says Ajay Bhalla, president, global enterprise risk and security, at MasterCard. “The first layer is prevention, such as the EMV [Europay, MasterCard and Visa] chip embedded in our cards and now mobile phones. The second is detection. We have sophisticated fraud detection technology using artificial intelligence.

“The third is expedience: moving away from complex security to ensure that the customer experience of using our security solutions is seamless. Last is identity solutions to verify the identity of a consumer and the validity of a transaction.”

The European Financial Services Round Table, members of which are chairmen and chief executives of international banks and insurers with headquarters in Europe, will publish a paper on cyber security later in 2017. “As businesses and the rest of society become increasingly digitally dependent, cyber security is moving to the top of management’s agenda in every organisation,” says Theo Timmermans, secretary-general of the organisation.

Government intelligence

“Two things worry me,” says Robert Hannigan, who was director of GCHQ, the UK security and intelligence organisation, until April this year. “One is the rising sophistication of attacks. There are more sophisticated tools available, some of them stolen, of course, and out there on the dark web.

“The second is that the finance sector has always worked on the basis that rational people are not going to damage a system on which they rely. But that doesn’t apply to North Korea and one or two other actors. They don’t have a stake in the international financial system and therefore probably don’t care if they cause disproportionate damage to it.”

Mr Hannigan says banks need to recruit and train talent, but there is a shortage of people with the right skills, a shortage that may last for 10 to 20 years. “[Banks] are struggling to find people and hang on to them, even with the resources they have and their ability to pay high salaries. One answer is to do more in-house training for those that have the aptitude – aptitude is more important than qualifications – and bring them into the cyber area.”

He is on the advisory board of the Digital Cyber Academy, the non-commercial, pro-bono arm of Immersive Labs, which sells cyber security training to banks and other companies. The academy provides a free service to students in academic institutions in the UK, US, Australia and Singapore to develop real hands-on cyber skills and gain employer recognition for cyber security jobs. “The academy uses a new way of learning through gaming and discovery, which the new generation finds easy, rather than instruction manuals,” says Mr Hannigan.

The regulatory dimension

Legislators around the world have been enacting laws to require banks and others to improve security. In the EU, for example, the Network Information Security Directive (NIS) will force companies to secure their computer networks and the General Data Protection Regulation (GDPR) has strict guidelines around data protection – both come into effect in 2018.

“Cybercrime is growing fast and banks are in the front line,” says Sir Julian King, the European Commissioner for the Security Union. “In the UK, the Netherlands and Germany there are some innovative partnerships between banks and law enforcement agencies that could serve as a model for wider public-private co-operation. [This] is one of the themes that we pursue in our EU cyber security review [due to be published in September], which updates the 2013 EU Cyber Security Strategy.”

Enhancements to the NIS, GDPR, Payment Services Directive 2, EU Agency for Network and Information Security, among other regulations, feature in the review. “We are trying to catch up,” says Mr King. “The 2013 strategy was fine, but that was four years ago. We want measures looking at how to strengthen human, technical, legal and international responses to the shifting threat.”

In the US, the Office of the Comptroller of the Currency (OCC) is one of several regulators responsible for ensuring banks’ information security is up to scratch. It is a member of the Federal Financial Institutions Examination Council (FFIEC) and it uses the FFIEC’s IT handbook and cyber security assessment tool when inspecting banks. The tool, introduced in 2015, is used by examiners and institutions to help identify risks and cyber security preparedness.

“Although we do not require institutions to use the tool, it is a good way to thoroughly review an institution’s cyber security posture and the level of controls they should have, depending on their activities and what their threat landscape looks like,” says Beth Dugan, deputy comptroller for operational risk at the OCC. “A minor update a few months ago gives more flexibility when answering questions in the tool. They may be boring and mundane, but basic internal controls are invaluable.”

Regulatory fragmentation

Taking a global approach, the Institute of International Finance (IIF), a trade association, is focusing on three areas: the impact of cyber incidents on the stability of the financial system, regulatory fragmentation and the increased use of cyber risk insurance.

“IBM noted in 2016 that the financial sector was attacked 65% more than any other sector,” says Martin Boer, the IIF’s director of regulatory affairs. “The flip side is that most banks do have relatively more sophisticated IT control systems in place.”

Addressing the area of regulatory fragmentation, he says: “Policy-makers around the world have been introducing measures and standards to boost cyber resilience in financial institutions, but given the substantial differences in these regulations, there is too much fragmentation. This can lead to duplication and inconsistencies for internationally active firms and it is an issue we have been working on. We welcome the fact that the G20 has asked the Financial Stability Board [FSB] to review all cyber security regulation with a view to developing recommended practices.”

The FSB has consulted on the matter and will report to the G20 in October. The IIF has responded with examples of where it feels increased coordination by international standard setters will help address regulatory fragmentation and support financial stability.

Jenny Menna, senior vice-president for security intelligence, engagement and awareness at US Bank, says there also needs to be greater regulatory harmonisation in the US, at both federal and state level. “We recognise the importance of securing our systems and our customers’ information, but when you have a mosaic of different regulations it becomes an extremely burdensome drill rather than something that supports security. So we’d like to see harmonisation between regulators at the federal level,” she says.

“We are also seeing more state cyber security regulation. The State of New York’s Department of Financial Services has set out regulations on cyber security, and there has been talk about other states doing the same,” she adds. “We could have a situation where every state has a slightly different set of requirements, which would become too unwieldy.”
