On the line
As technology has advanced, so too has the threat of cyberattack, and if financial services firms put a foot wrong, they stand to lose more than money
Are all financial institutions now digital companies by definition? What are the implications of this from a security point of view?
Margaret Harwood-Jones: The simple answer is yes, institutions today are digitised, albeit to different extents. There’s no doubt that technology is changing the way the business operates, and that brings new challenges and threats.
For me, cybercrime is a part of that new world order and it’s something that all institutions need to think about and make sure they have an adequate response to.
In terms of implications, there are a couple of things that add to the challenge of finding the right response to the risk.
Finance is very much a connected and global business, and the internet is a borderless tool for all of us, including attackers. The ecosystem in which we’re operating is very complex and highly international, so that gives us a different perimeter to think about.
You can’t just think about your own institution. You need to think about the end-to-end service chain, including market counterparties and other third parties.
When you’re faced with that industry environment, coupled with something that’s developing at such a pace, the reality is a lack of harmonisation; no coherence in providing a global deterrent at scale.
In addition, and without a common legal standard of care that firms have to operate towards, the complexity is further magnified, especially for the many international firms, Standard Chartered included, that are operating across a huge number of different markets around the world.
Patrick Wheeler: To say a company today is ‘digital’ is a bit like saying we are air-breathing mammals.
Even if our own companies rely upon older tech, our supply chains, our customers and even our refrigerators are heavily dependent upon the digital ecosystem.
I grew up on a remote self-sufficiency farm in Northern California. We had a question for all newcomers: “Who made your axe?” We are all in this together, and we are all digital in this modern era.
Jerry Norton: The answer to the first part of the question is yes, in my opinion, but it depends on one’s definition of digital.
A lot of banks now have very little physical presence or physical contact with their customers; face-to-face operations, cash, and paper documents are disappearing gradually; and more and more banks are starting up with little or no physical presence at all.
Banks are on a journey to that digital and virtual space. Some banks are further along that journey than others.
This means they’re totally reliant on proper cyber protection, and they have to be aware of that protection.
That’s part of the journey, and I think most banks are cognisant of the fact that they have to do this in order to protect their clients, but also to protect their reputations.
Stephen Scharf: Increasingly, financial institutions are developing a digital core. In some areas such as trading this is fairly advanced, while in other areas such as wealth management, digital capabilities are evolving at a slower pace. Any organisation that has a digital capability can be vulnerable to a cyber attack and therefore must have a strategic cybersecurity programme in place to protect it from this threat.
Rohan Amin: Financial institutions that want to remain competitive and innovative must be digital companies. The implications from a security point of view are vast, but focus on the core notion that security must more deeply integrate into the product development process.
Automation and self-service are key for scalability in a digital business. Anything that was done manually from a security standpoint, including security controls, must be automated and made easy to consume by technologists and product developers. This is key to keeping pace with the business and to ensure security is an enabler, not an inhibitor.
Do new technologies such as blockchain help to bolster security, or do they bring new threats?
Norton: New technology doesn’t necessarily improve security, and it could potentially bring its own set of problems. That’s not to say that blockchain is insecure, just that, as soon as you introduce anything new, whatever it is, it brings new potential vulnerabilities.
Historically, we haven’t built security into our IT systems, and there is a possibility that additions to an existing technology estate could introduce issues that we hadn’t previously spotted or considered. So, the introduction of new technologies doesn’t necessarily make it worse, but it doesn’t make it better either. You have to consider the overall security and overall processes, including historical processes.
Blockchain will have its own security-type credentials and attributes applied to it, but that doesn’t necessarily make the whole operation better. Equally, security processes and policies have nothing to do with any specific technology, per se.
Banks just have to stay one step ahead of the fraudsters, and there’s a broader picture too, to introduce two- or three-factor authentication, mandate strong passwords, and so on. Does blockchain itself improve security? Not really. It has secure aspects built in, but it depends how you utilise that. There will be a tipping point. Applications built 20 years ago weren’t built with cyber attacks in mind, and there wouldn’t have been any encryption or strong password management. We have evolved a long way already, and if we were starting from scratch we would build that in as a matter of course, but at the moment we have a lot of old systems and we have to continue on the evolution. That’s one of the key issues.
Amin: It’s still early days for Blockchain, but it has great promise for the financial services industry and we’re very excited about the innovation it will hopefully bring.
From a data integrity and resiliency perspective, many believe blockchain can reduce risk in these areas. That said, criminals and other threat actors will focus on exploiting all technology; the same principles of secure application development and strong data protection must be applied.
Scharf: The potential of blockchain technology in some areas of market structure looks promising; however, we are still at the very early stages of its adoption and therefore the security element of distributed ledger technology (DLT) has yet to be fully evaluated and potentially improved.
Overall, DLT has the potential to be used to improve cyber security if implemented according to certain standards. Having the appropriate resiliency and backup of systems is one of the main challenges firms face. DLT has the potential to enable firms to store data in multiple places, greatly improving system resilience and data recoverability. This aspect of DLT is very exciting from a security perspective.
But, while it is too early to tell exactly what the cyber implications of wider adoption of DLT would be, the potential targeting of the endpoints of the blockchain network could be a risk factor that must be closely assessed and monitored.
Furthermore, a number of new cyber security solutions are emerging to help firms counter this growing risk. Many of these solutions are interesting and could significantly add to the arsenal of tools firms can use to improve their cyber resilience. But, while new defence technologies are becoming increasingly intuitive and innovative, there are prevention techniques that have existed for many years that should remain as fundamental components of any modern security programme.
For example, the importance of a strong identity and access management programme, ensuring appropriate patch and vulnerability management, and proper segmentation cannot be overstated. These approaches have been around for a long time and actually can provide greater cyber security to an organisation than some of the new and emerging technologies.
Wheeler: Both. But the new threats are the same as the old threats. The promise of blockchain technology is currently being held back by many poor implementations. As is often the case with new technologies, it is not the technology core that is at fault, but poor implementation and the ever-problematic human-technology interface, coupled with simple greed and fraud with flawed business models.
Having been invited to ‘meet Satoshi’ as part of an attempted scam being perpetrated in the financial sector, and having been asked to look after security during some not-so-small attempts, I have some rather sceptical comments for the blockchain community.
Blockchain is a very valuable addition to our technical solutions, and I remain excited by its advent and adoption, and plan to keep helping institutions to onboard it, but they really need to step up their own security game. Here, there is some very interesting work being done.
Harwood-Jones: All institutions, almost without exception, want to improve efficiency and ensure that their proposition and their performance to their underlying clients is deemed best in class. These are the drivers causing all of us to look at how we’re processing our business and find better ways to do that. That’s encouraging service providers to embrace new and disruptive technologies, whether that’s around blockchain, artificial intelligence or machine learning.
We have all experimented and some of us are now deploying those technologies in earnest. However, our experience of how they operate is still new and developing. While the industry is testing them, they operate in very contained environments, which is wholly different from being live, at which time firms become exposed to a cyber security risk.
Understanding the technology, so the risks of those technologies are also understood, is critical before rollout on a broad, potentially worldwide, basis if the risk is to be managed. New technologies bring new threats until the users are better accustomed to any new environment they create.
What’s also clear, and this adds to the difficulty, is that technological innovation and the pace of that innovation is out-pacing developments in managing the cybersecurity risk. The challenge we face day-by-day in this regard is getting harder rather than easier.
What has to happen in the back office to ensure security throughout an organisation? Should firms be collaborating on this more?
Wheeler: It’s about culture, not awareness. As we are all digital, we all need to become engaged in security and cyber. It is not a bastion for IT, techies or the ‘cyber team’. This means that the tools, techniques and knowledge must be placed in the hands of the group that existing cyber teams have been taught is one of the largest ‘problems’—the users.
There is a drumbeat for boards to adopt cyber practices, and this is correct. But, boards only become engaged when they have the tools and knowledge to make informed decisions. Recently, I was excited to see a woman appointed as CEO of a major financial services institution who I knew had previously been overseeing the cyber teams. This level of competency is a basic must-have for all CEOs of today.
Norton: There are two aspects to this. First, a firm has to put its own house in order, with properly enforced processes and procedures, and the technology supporting that.
Secondly, it has to make sure its partners—either those it’s doing business with or those that are providing a technology or a service—are clean and have their own houses in order. You’re only as good as your weakest link, and a lot of people are worried about their supply chain.
Does the supplier have the same processes that I do? If not, malware could come in through that route. The supply-chain problem is a real problem for really mission-critical, highly-secure systems.
With regards to industry collaboration, there are two or three potential solutions. One is the ‘high watermark’ idea of trying to raise standards, and there are a lot of banking bodies that are working on this on the regulatory or pseudo-regulatory side. On the supplier side, the same thing is true. The procurement processes are demanding a lot more attention, and suppliers need to do more in the way of checks in order to prove that they are reputable.
Amin: Despite competitive pressures, there is robust collaboration across firms—within and across industries—on cybersecurity. There are multiple industry and government forums allowing firms to collaborate. It is imperative that firms are working with peers, actively sharing threat information and best practices.
Harwood-Jones: Every institution and every corporate should start by getting the basics right in their own legacy environment. That’s often a challenge for large organisations where the internal structural technology is fairly complex. Managing cybersecurity risk is a business problem, not an IT problem. It is an enterprise-wide risk, so management of it should come from the top and involve all personnel throughout the organisation.
There are a lot of things to focus on, and I don’t think anyone has an all-encompassing list. Start with the simple things such as making sure firewalls are up to date, making sure there are regular anti-virus checks throughout the organisation, that there are strong rules on password protection, that email communications are properly encrypted when they need to be, and that there is segregation of personal and work devices. There is no doubt that the sharing of best practices across the industry can result in greater levels of protection from cyber criminals.
Collaboration between financial institutions as a principle is not something that’s new, but a specific, stronger collaboration here, including sharing information on attacks, is another means by which we can all help each other to improve, as we improve ourselves.
There is definitely a need for cooperation at industry and regulatory levels. There must be more cooperation than we have seen up until now. There should be a full end-to-end response to the risk the industry is facing. We’re seeing some encouraging signs, but we certainly need to get much better at stopping the fraudsters and the attacks without getting into an environment of over-regulation.
Scharf: Cyber-threat information sharing is a cornerstone of a robust cyber defence programme. What one firm learns from its peers can be used to strengthen its defences before an attack hits. Over the past five years, we’ve seen a substantial shift with regards to how information sharing is perceived amongst financial firms. In the past, firms would focus on individual efforts to improve cybersecurity. Today, it has become far more collaborative.
DTCC is actively involved in a number of groups including the Financial Services Analysis and Resiliency Centre (FSARC), a not-for-profit organisation formed last year, dedicated to identifying, analysing, assessing and coordinating activities to mitigate the threats and risks of cyber attacks, which is open to entities that have been classified as critical infrastructures in the financial services sector by the US government.
The group falls under the auspices of the Financial Services Information Sharing and Analysis Centre (FS-ISAC), designed and developed by its member institutions to share timely, relevant and actionable physical and cyber security threat and incident information. Membership in FS-ISAC is open to all financial services firms.
We are also a member of Sheltered Harbour, an initiative also under the FS-ISAC umbrella developed to enhance resiliency and provide enhanced protections for financial institutions’ customer accounts and data, as well as to prevent contagion that could be associated with a cyber attack on a retail banking institution.
It enables financial institutions to securely store and quickly reconstitute account information, making it available to customers, whether through a service provider or another financial institution, if an organisation is unable to recover from a cyber incident in a timely fashion. I am a member of the board at both FSARC and Sheltered Harbour.
How catastrophic could a cyberattack be for an organisation, and for the industry as a whole? Could cyber crime be the cause of the next crisis?
Amin: While certain events are low probability, they certainly could have catastrophic impact for an organisation and the industry. A destructive malware attack at any organisation could have ramifications beyond that organisation’s boundaries. The focus shouldn’t be on a single attack—it’s really about confidence in the system. A series of lower-impact events could shake confidence in the financial system itself.
Scharf: The ever-growing threat of cyber attacks is particularly acute in the case of the financial services industry, due to the interconnected nature of global markets. Advances in technology and globalisation have increased the complexity of today’s network. While these connections have created unprecedented levels of efficiency and risk diversification as well as other advantages, they also have the potential to amplify contagion across marketplaces globally, increasing the likelihood for a cyber attack to spread quickly through the global financial marketplace.
According to DTCC’s most recent Systemic Risk Barometer, a survey that evaluates risk trends among financial institutions globally, cyber is considered as the top overall systemic risk, with 34 percent of survey respondents citing it as the single biggest risk to the global financial system and 71 percent ranking it within the top five risks. Cyber risk has been consistently cited as one of the top systemic risks by the survey respondents since the inception of the survey in 2013.
Harwood-Jones: It depends on your definition of catastrophic. In 2015 the global cost of cybercrime was around $3 trillion, and the suggestion is that this will be in excess of $6 trillion by 2021. That could be considered a catastrophe in itself, given the resources directed at cyber security.
The consequences of an attack can be immense and far-reaching, so you need to think about the costs resulting from damage or destruction of data; the actual theft of money and the ability, or not, to recover that; the loss of productivity, during the event itself and in the immediate aftermath; theft of intellectual property; theft of personal and financial data; and the restitution period of forensic investigation. The reputational harm to the institution could be considerable, and the interactive ecosystem that sits around banking means there could be harm to the whole industry.
Wheeler: Cyber attacks run the gamut from ‘game over’ and catastrophic earthquakes to a shrug and ho-hum, depending on the individual company.
When we examine the hundreds of millions, or even billions, lost in the financial sector due to sanctions and bad business decisions, there is a tendency to discount the impact of cyber attacks.
One of my favorite quotes, from a large piece on the financial sector, described a company as Company 1.0 pre-attack and Company 2.0 post-attack.
So, firms are definitely segmenting into categories: those who have suffered a major breach and those who will.
But, with a system built upon trust and with fault lines being inherent, a cyber attack could certainly trigger the next systemic crash.
As we are already suffering the impacts of ancillary cyber warfare (collateral damage) in the financial sector and the global economy, this will remain a significant ongoing risk.
There are indications of nation states ‘prepping’ systemic attacks to either use in a ‘mutually assured destruction’ deterrent (or, ‘nuclear option’) or simply a ‘stockpile’ of cyber weaponry.
Possibly more insidiously, when we examine the slowing effects of cyber and fraud, and the things we are not doing due to potential cyber attacks, we can argue that some of our slow recovery from the last crash is due to cyber effects.
My teams dealing with large data sets, new and faster payments technologies, robotics and many more are all affected by a need to secure their systems in ways that get in the way of adoption.
When we look to the future—self-driving cars, drone taxis in our urban centres, the internet of things—we simply cannot usher in the new future without handling this problem more systematically ourselves. This is not just a tech issue.
Norton: For an individual organisation, a cyber attack could be catastrophic—and we have seen very damaging things happen for non-banks.
However, it could also affect the whole sector. Banks in particular, because they are digital or virtual organisations, are very susceptible to reputational damage and to changing sentiments.
If, for example, a consumer felt a bank was not protecting their money, they could start withdrawing that money, and that can lead to a spiral of panic, with more people withdrawing their money. This can make a bank become unviable.
Bizarrely, we’ve actually made that easier by becoming more digital. When Northern Rock collapsed, people were queuing around the corner to get their money out via a cheque—now they can just go online.
Regulators are worried that this could happen in a domino effect across a whole country—if someone loses confidence in one bank, they can quickly lose confidence in them all. There is a danger that a cyber attack could create a mass panic of withdrawals, which would have a knock-on effect on the banking system.
At the moment, it’s not clear when and how this will end. For the foreseeable future, organisations will have to spend more and more money on this, and they’re going to have to work to stay one step ahead.