Recent high-profile online attacks on US retailers Target and eBay have caused directors around the world to sit up and take notice. The financial services sector, however, with its private shareholders and a reputation for security that is paramount, tends to handle cyber security in a different vein from most other sectors. If a large cyber attack on a bank is more a matter of ‘when’ than ‘if’, is there currently enough boardroom focus on cyber security – an area that goes to the very systemic risk that regulators are trying to control with their recent slew of regulations?
The SWIFT Institute spoke to Professor Richard Benham and Associate Dean Dr Don Finlay of Coventry University in the UK, as well as to Starnes Walker, Founding Director of the Cyber Security Initiative at the University of Delaware. Both universities are setting up initiatives in order to educate students and corporations regarding advanced technology development.
When we spoke to Benham, he was adamant that within 10 years a large bank would undergo an extensive cyber attack causing it to fail, consequently creating an immense ripple throughout the whole market. He gave the following example: “The single biggest risk to the UK isn’t nuclear war, nor a biological attack. It is a cyber attack. The cyber aspect is so important now, because there is no safeguard if the whole lot comes down.”
Walker agreed that the cyber threat is growing, both in terms of the type of networks being attacked and the number of adversaries, with more advanced capabilities being made available on the black market. A grave cause for concern is what the US Department of Homeland Security has identified as “cascading events”: if a critical, common node of a financial network is attacked, the effect ripples across all other nodes and multiplies the amount of damage incurred.
Benham identified two types of cyber attack. The first is of a malicious nature, putting pressure on a financial institution via blackmail or another type of threat. The second is a ‘negligent’ or ‘innocent’ attack coming from inside the organisation. The idea of hackers and malicious software has been well documented; however, a gap exists at the moment on the human side of the equation. Institutions need to provide the training to manage and identify the risk of abuse of information, since that is where the biggest liability currently lies.
With regard to the attention cyber security receives at board level within financial services companies, Walker explained that a big push has recently come from Wall Street analysts when performing risk analyses on companies. Analysts want to know about a company’s backup plan when it comes to continuity of operations in the face of, for example, a denial of service attack shutting down ATMs for several days in a row. Finlay pointed out that, regardless, there is a current information asymmetry within organisations because of an over-reliance on a small number of people to provide information about cyber issues (usually the “IT guy” at the end of the table). Benham added, “Because this is such a critical area, and a bank’s single biggest risk, I would think CEOs would want to know more about it.”
Responding to the increased threat, the Bank of England has recently set up a voluntary cyber security testing scheme (CBEST) that intends to test banks in order to assess the vulnerability of their systems to cyber attacks. In Benham’s personal view these tests should be made mandatory. He felt that unfortunately the banks do not currently share best practice to any meaningful degree with each other, because of the way they are structured and the inherent competitiveness of the banking system. Walker also emphasised that financial institutions had to start thinking about the systemic effect on the network as a whole. Banks are not currently sharing best practices because they want to protect themselves. “They have cloaked themselves so much,” explained Walker. “They’re so afraid of protecting their reputation that in one sense they are making themselves more vulnerable.”
In terms of cooperation with law enforcement authorities, most attacks on banks go unreported because they are privately traded companies and are not obliged to report a theft. More importantly, the risk of reporting a cyber-attack in terms of reputational damage can at times far outweigh any monetary loss. Furthermore, international law enforcement agencies such as Interpol find it extremely difficult to deal with cybercrime because an international framework to help with cross-border investigations and prosecutions does not exist.
So where does that leave the financial services industry going forward in dealing with cybercrime, if there is no cooperation between the banks themselves, nor with law enforcement agencies, and no regulatory oversight on a matter of systemic risk affecting the whole banking system? Benham believes that the banks will ultimately fund their own protection. In this manner the issue would be kept in house and would most likely be dealt with in a more proactive and timely manner. Ultimately, however, business managers need greater awareness of the risks that cyber attacks pose and of how to manage that risk.
Walker went a step further, arguing that there is ultimately a need for a trained workforce to start building systems from the ground up with security as a core principle, just as Microsoft has done with Windows 8 and Intel with their new microprocessor chip. Walker emphasised that banks need to do away with their creaking legacy systems and design new systems with security at the heart of their development; “otherwise they just keep putting patches on top of patches.” Additionally, all employees and executives need to have a basic level of understanding and awareness of cyber security best practices, advancing threats, and “cyber hygiene” in their daily work environment, so training and education modules need to be continually presented to everyone across the entire workforce.
Looking into the future, Walker hoped that with increased emphasis on education and on the sharing of best practices, with other industrial sectors joining the financial sector, the frequency and intensity of attacks would eventually decline to a manageable level, as opposed to the current avalanche of events, growing exponentially in terms of their effect on operations and people.
Hence the creation of both Coventry University’s National MBA in Cyber Security and the University of Delaware’s Cyber Security Initiative, both of which aim to combat the growing threat to information security and to help train and educate the workforce. Coventry University will be launching a virtual trading floor, and is hoping it can then use its position as a non-competitive arena to test best practice and use it as a baseline to guide future behaviour. The University of Delaware will be rolling out modules for different sectors, including the financial banking sector, covering best practices, emerging capabilities, and vulnerability assessments.
As the threats to data in the cyber world increase, it is conversely the human level that business managers need to be most concerned with. The aim of both universities’ programmes is to increase education and training so that all employees understand cyber security risks, as well as any anomalous behaviour that might occur at their place of work.
Hopefully the chance of security attacks in the future will be more a matter of ‘if’, than ‘when’.