
22 April 2015

Kris McConkey
Vincent Villers

In the wake of February’s billion-dollar cyber-heist, Kris McConkey and Vincent Villers of PricewaterhouseCoopers highlight how firms can protect themselves from a modern menace and keep their relationships intact

How can financial institutions protect themselves from cyber attacks?

Kris McConkey: When we’re looking at how organisations can defend themselves against attacks, part of it is about defending the network and reducing the likelihood that somebody can get inside of it, but it is also important to be able to monitor a network. They have to look at what is actually happening across the network, looking for evidence of legitimate activity being used in an illegitimate way. It’s a combination of defences, monitoring and then responding.

There are some quick wins in implementation, but if security is not part of a formal strategy it becomes a bit like playing whack-a-mole. You’re patching things up without fixing the root cause. When looking at security strategies, we try to get the foundation layers in place so that there is appropriate governance over the environment and a strong structure that employees can understand. Everyone in an organisation has to know how his or her actions impact the security of the network.
Vincent Villers: The difficulty for asset managers is that these concerns are far removed from them. They are analysts, they want to make their deals and act fast, they don’t want to worry about the security, so it can be difficult for them to make it a priority. When they talk with partners and service providers, they want to know that those teams are capable of processing everything fast, and not worry so much about the security.

They may have a list of tools to implement in order to protect themselves, but it’s not about that. It’s about understanding the key data and the key risks, and while asset managers often consider this as important, they don’t consider it the most important thing.

Who holds the responsibility for implementing these standards?

McConkey: Some organisations have it led by IT, but that is usually the wrong answer. IT departments will only focus on the technical component, and it is actually much broader than that. Some have it led by the chief information officer, but more frequently we’re seeing it being led by the general counsel.

Firms are starting to look at it as a business risk. The general counsel can oversee elements in HR and IT, and coordinate them with the strategic element.

Villers: Of course, IT has to be involved at some stage as the technicians understand the underlying data and may be able to propose mitigating actions and tools, but the real strategic decisions should be made by someone who has a wider view of the organisation, and who can identify what really matters.

A chief risk officer can define what has to be done based on a wider view of the risks, and without looking into the technical aspect of it. IT teams will participate, but they will not be heavily involved in leading the strategy.

Should there be regulations in place to help industry players to cope?

McConkey: The trouble with regulation is that you end up with compliance standards, and a lot of these are great practice, but compliance doesn’t breed security, security should breed compliance. Any company that has a really good security strategy should tick all the compliance boxes, too.

Instead of looking at it from a compliance and regulation perspective, we can look at it from an information-sharing perspective. We are seeing an increase in this concept where information is shared by organisations in a similar sector, or even across sectors, so that if one gets targeted the information bleeds across the rest. When another firm is targeted in the same way they already have the defences in place for it.

The real challenge is that this kind of sharing only happens effectively when there’s a degree of trust. When it’s forced by a standards body, firms tend not to contribute as well as they should. The effective outcomes happen when groups know each other and collaborate just to help each other out. It’s not without its risks, but there is a pretty active group for this in the financial services sector, and that is a positive step.

Villers: Dealing with security purely from a compliance point of view probably isn’t going to solve much, but regulators could encourage sharing. In some parts of the financial sector, players aren’t willing to share much because they’re dealing with sensitive client information, or believe they can retain some competitive advantage by keeping closed. The regulators should stress the importance of sharing information and, without regulating, encourage this kind of collaboration.

On the other hand, in this sector regulation can often trigger projects that probably needed investment beforehand, but that managers have not invested in until they were forced to. It will be useful to find the right balance here.

What are the financial implications of an attack, and how are end clients affected?

Villers: Over the last year, we saw a significant increase in the average cost of an incident, which now sits at $2.7 million. This isn’t a particularly significant figure for a large organisation, which means that some companies might be willing to invest more in advance.

Of course, investing in prevention and increasing monitoring doesn’t mean that you won’t be hit. It is just an effort to reduce the impact and accelerate response time.

The real costs are difficult to assess precisely, because beyond the spend on technology, assessment, legal costs, internal security, external consultants, and so on, there is the potential impact on future business, and more importantly, reputation.

It is probably not the incident itself that would harm the reputation of a company, but the way the company deals with the incident. It will depend on how they react, how they communicate and how they reassure their stakeholders. To do this well, they have to be prepared.

McConkey: When an attack happens organisations have to spend first on investigating it and repairing any damage, and then on security improvements to ensure it doesn’t happen again. It’s true that incidents at a banking level will often end up in fees somewhere, as the bank’s insurance fees and losses go up, and eventually some of that filters down to credit card percentages and fees.

But there is always a cost differential in investing in this stuff. Organisations can invest early and avoid an incident when it happens, or incur the cost of the incident and invest afterwards. The cost of preparing in advance will always be lower than the alternative, it’s just a case of how many incidents there are, and the reputational damage they could cause.

How can firms stay ahead of the hackers?

McConkey: There is always a risk that somebody is going to get in, but there is a key difference in the way defenders and hackers view success. An attacker views their hack as successful if they gain access to a network, figure out where the data is, access that data, and remove it. A defender considers an attack successful if it gains access at all.

The technology investment is becoming increasingly important, and organisations are starting to realise that there is really good technology out there to support them in this. They’re realising that this is not optional anymore.

Villers: Some of our clients are defining scenarios of cyber attacks, and thinking about things that could happen outside of traditional risk. It requires some imagination, to not only look at what has happened in the past, but also at what could happen in the future.

Why is this kind of cyber crime such a hot topic now? Hasn’t computer hacking been around as long as the Internet itself?

McConkey: Many things have changed over the last 10 years. Motivations of attacks have changed; it’s not nuisance attacks anymore, it’s espionage and organised crime that has evolved to this landscape.

There is also the change in IT environments. The whole network used to be in an office or data centre with a perimeter you could protect. Now, with cloud computing, what firms are protecting is more fragmented. This just means more opportunities for losing things and making silly mistakes, and the likelihood of hackers gaining access increases exponentially.

Villers: The asset management industry in particular has always been quite fragmented, with many people in a chain of responsibilities, and there are now even more pieces to the puzzle, more outsourcing, and more individuals.

To understand effectively who does what, and how that serves the purpose of a particular vehicle or a particular fund, it is very complex, and becoming more and more so. There are new technologies to articulate these flows and to make the industry more agile and more flexible, and some asset managers, particularly in the alternative area, want to be the first to use them. They want to get things done as fast as possible, so they might not take the time to ensure the system is robust enough and set up properly, which opens further opportunity to hackers.

McConkey: The bottom line is that anything an organisation deems of value to them will be of value to someone else, and should have a protection strategy in place. You can’t protect everything to the highest degree, but companies should be identifying what matters most to them and investing in protecting it.
