While all industries face the growing threat of cyber attacks, the issue is particularly acute for the financial industry due to the interconnected nature of global markets and the potential for a cyber attack to spread quickly through the global financial marketplace.
Financial data is very appealing to criminals because it can be quickly monetized, especially in an array of regional underground criminal marketplaces. These venues offer platforms to sell stolen merchandise to customers who in some cases have been vetted. Given that cyber crime is projected to cost the global economy an astounding USD 445 billion, the ability to quickly acquire and turn over stolen data can substantially maximize profits. CNBC points out that the projected USD 445 billion loss is more than the market cap of Microsoft (USD 411 billion), Facebook (USD 314 billion), or ExxonMobil (USD 332 billion), according to an estimate from the World Economic Forum’s 2016 Global Risks Report.
The 2016 Verizon Data Breach Investigations Report (DBIR) differentiates its industry target analysis between the number of incidents and the number of actual breaches with confirmed data loss. In terms of incidents, the financial services industry ranked third behind Public and Entertainment.
However, it was clearly the industry with the greatest number of actual breaches, nearly tripling the nearest other industry, Accommodation. The IBM Cyber Security Intelligence Index adds that while companies across all industries averaged 52,885,311 security events in 2016, the financial services industry averaged 82,898,784, over 36% more.
2016 Cybersecurity Scorecard
The SecurityScorecard 2016 Financial Industry Cybersecurity Report provides some startling insights into the condition of cyber security in the financial sector showing, for example, that the bank with the weakest security posture of all surveyed is one of the top 10 largest financial service organizations in the US measured by revenue.
SecurityScorecard identifies potential vulnerabilities in network security by identifying open ports and examining whether or not an organization uses best practices, such as staying up-to-date with current protocols, or securing network endpoints to ensure external access to internal systems is minimized.
Among the top 20 US commercial banks, 19 have a network security grade of ‘C’ or below.
The SecurityScorecard 2016 Financial Industry Cybersecurity Report concludes, “Our data shows that the financial industry still needs to improve basic security hygiene, such as keeping a consistent patching cadence, supporting proper SSL security, and improving their overall network and application security. Not only do these issues not adhere to security standards, they present a real increase in potential breach risk when hackers become aware of their vulnerabilities.”
However, tracking reports such as the Verizon DBIR and the SecurityScorecard Cybersecurity Report across several years shows that the variety of exploits changes each year, as does the community of attackers targeting the industry. Financial services institutions simply cannot treat information security as a purely tactical matter. Instead, they must incorporate network security and information privacy into their overarching risk-mitigation strategies.
In 2016, banks around the world disclosed losses in millions from cyber heists. According to one recent study, the average annualized cost of cyber crimes for companies in financial services was USD 16.5 million – the highest among the 17 industries analyzed in the study.
As the industry continues to adopt FinTech innovations, like blockchain and cloud solutions, firms must continually assess their cyber defenses to ensure they are adequate to counter existing and future threats.
The industry has seen an increased regulatory focus with regard to cyber security. There is a cost associated with mapping to different regulatory frameworks. A lack of harmonization results in firms having to allocate resources to reconcile these dissimilar requirements. Further, it takes resources away from areas that could be used to strengthen the technology environment.
Many financial firms continue to be challenged with meeting the demands and costs of complying with new regulations resulting from the financial crisis of 2008. A recent report by Oliver Wyman estimates that between 2.5 and 3.5 percent of North American, European, and Australian financial institutions’ total costs come from meeting new regulatory guidelines. That equates to USD 0.7–1.5 billion in compliance costs per annum for the coming 2 to 3 years for large financial firms. Those numbers would likely increase further if and when new cyber rules are implemented.
There is no denying that the financial services industry faces a severe cyber security problem, especially when you look at some of the most recent attacks on the industry. Three major cyber security incidents of 2016 include the Central Bank of Bangladesh heist, the HSBC DDoS attack, and the breach of Bitfinex.
Understanding SWIFT and the Central Bank of Bangladesh heist. In February 2016, a cyber bank heist involving the Central Bank of Bangladesh was discovered. While the attackers made off with USD 81 million, reports say that if it were not for a typo on the part of the hackers, the value could have reached USD 1 billion.
The attackers compromised the Central Bank of Bangladesh and used their foothold to compromise its Society for Worldwide Interbank Financial Telecommunication (SWIFT) account. The SWIFT network processes 25 million financial communications per day, making it a prime target for attackers looking to turn a profit.
Unfortunately, the Central Bank of Bangladesh is not the only bank that gave attackers an opening to compromise the SWIFT network (though it was certainly the prime example). This attack has proven that vulnerabilities in cyber security for financial services threaten more than just a bank’s reputation – they can compromise an entire global trading network.
The HSBC attacks showcase the dangers of DDoS attacks. Cyber attacks do not always have to involve breached customer records or stolen money to prove dangerous. While HSBC, the UK’s largest financial lender, says that it successfully defended itself against attackers in January 2016, a DDoS attack still took its systems down for nearly 24 hours.
Incapsula research from 2014 indicates that DDoS attacks can cost companies an average of USD 40,000 per hour of downtime – and that figure has likely grown over the last 2 years as online and mobile banking has grown.
While HSBC has the financial stability to survive such an attack (twice), many smaller financial services companies would be forced to shut down should they experience this kind of incident.
The Bitfinex breach highlights the vulnerability of digital financial services. Bitfinex is one of the world’s largest Bitcoin exchange companies, and in August 2016 the company was attacked and lost approximately USD 70 million worth of bitcoins. As digital banking and financial services become increasingly prevalent, this attack sets a dangerous example.
Details are scarce at this time, but researchers believe that the Bitfinex vulnerability stemmed from its blockchain approach to digital wallets. In conjunction with BitGo, the company created multi-signature Bitcoin wallets where users have separate sets of keys on the platform – a 2-of-3 key arrangement where Bitfinex holds two keys and BitGo co-signs transactions with the third.
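The security property of an m-of-n multi-signature wallet depends not only on the threshold but on who holds the keys: if a single custodian holds enough keys to meet the threshold on its own, compromising that one custodian is sufficient to authorize transactions. The following is an added illustration, not code from the report or from Bitfinex or BitGo; it models a generic m-of-n policy (going beyond the 2-of-3 case in the text) and computes the smallest set of custodians an attacker would have to compromise. The custodian names and key layouts are constructed for the example and are assumptions, not a description of either company's real key management.

```python
"""Added example: custody analysis for an m-of-n multi-signature policy.

Models which custodian holds each signing key and computes how many
independent custodians must be compromised before the signing threshold
is reached. Key ids and custodian names are constructed for illustration.
"""
from itertools import combinations


def min_custodians_to_sign(threshold, key_custody):
    """Return the smallest set of custodians whose combined keys meet
    the threshold, or None if the policy can never be satisfied.

    key_custody maps each key id to the custodian that holds it.
    """
    custodians = sorted(set(key_custody.values()))
    # Try the smallest coalitions first so the first hit is minimal.
    for size in range(1, len(custodians) + 1):
        for subset in combinations(custodians, size):
            held = sum(1 for holder in key_custody.values() if holder in subset)
            if held >= threshold:
                return set(subset)
    return None


def custody_review(threshold, key_custody):
    """Summarise the policy and flag a single point of compromise:
    a threshold that one custodian can meet alone."""
    needed = min_custodians_to_sign(threshold, key_custody)
    return {
        "keys": len(key_custody),
        "threshold": threshold,
        "custodians": len(set(key_custody.values())),
        "min_custodians_to_compromise": None if needed is None else len(needed),
        "single_point_of_compromise": needed is not None and len(needed) == 1,
    }


# Constructed layouts (assumptions for the example, not real deployments).
# Mirrors the text: one party holds two of the three keys.
AS_DESCRIBED = {"key1": "exchange", "key2": "exchange", "key3": "cosigner"}
# Same 2-of-3 threshold, but every key sits with a different custodian.
SEPARATED = {"key1": "exchange", "key2": "offline-custodian", "key3": "cosigner"}

if __name__ == "__main__":
    for name, layout in (("as described", AS_DESCRIBED), ("separated", SEPARATED)):
        print(name, custody_review(2, layout))
```

Running the block prints a review for each layout: with two keys at one custodian the 2-of-3 policy is flagged as a single point of compromise, while spreading the three keys across three custodians forces an attacker to breach two independent parties. The same function works for any m-of-n layout, which is useful when reviewing a wallet or signing policy before deployment.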
According to PwC Global, phishing was the number one vector of cyber attacks in 2016, with 43 percent of financial service employees in a recent survey citing phishing attacks.
One of the growing dangers arising out of phishing and other activities is the threat of ransomware, in which a company’s data is held hostage or stolen. The company is then offered the opportunity to retrieve its data by paying a substantial ransom. Of course, there is no reason to believe the attacker will return the data, or will not strike again. The main perpetrators of phishing attacks against financial services organizations are organized crime syndicates and state-affiliated actors. In 2016, India was ranked fourth globally among the countries most affected by ransomware.
Here are the top five risk-mitigation and cyber security considerations financial services companies will want to heed in 2017:
- Integrate cyber security, anti-fraud, and anti-money laundering efforts. You will improve your ability to ward off threats by combining analytics from pooled data, strengthening your risk-management environment, and implementing controls more effectively.
- Find the regulatory balance in the guidance. Focus first on building a robust risk-based cyber security program. This can help you achieve your broad strategic objectives while also complying with regulatory requirements.
- Establish an independent, second line of defense. Keep your security governance and oversight capabilities separate from cyber security design, implementation, and operations. Also, your second line of defense should engage the board and its risk committee on cyber topics.
- Anticipate risks from third parties. Recognize the potential for increased risks when outsourcing. Collaborate with third-party vendors to make sure they take the right measures to protect your data.
- Speed up innovation by focusing on cyber security up front. When designing and developing new digital products and services, you should integrate cyber security and privacy in the beginning stages. Failure to maintain full regulatory compliance may result in very heavy fines and penalties, including possible imprisonment for the individuals involved. Failure to maintain superior security for your information and the networks it travels upon may prove fatal to your business, or at least to your career. A comprehensive digital risk-mitigation strategy is more than a good idea; it is now a survival strategy.
As the industry continues to evolve, and leverages the increasing computing power available to consumers through smartphones and laptops, cyber security specialists are revisiting conventional security models. Security architectures at organizations need to be redesigned while taking into account these trends, as there are implications for FinTech as well as other industries and device manufacturers. From the consumer’s point of view, security is an integral part of FinTech solutions, the onus for which lies with the provider.
Security and data privacy are going to play a key role in winning consumer confidence and catalyzing the adoption of FinTech. The time for action is now!