Lynn Strongin Dodds assesses the current landscape and identifies the most prominent cyber threats and cybersecurity methods financial institutions are employing to protect themselves.
Cybersecurity threats, not surprisingly, continue to be top of capital markets agenda but they are becoming increasingly difficult to thwart. They are not only growing in number but also in sophistication. Cutting edge technology is a critical part of the defence but both buy and sell-side firms must also bolster their organisational frameworks as well as educational training for employees.
While all companies are at risk, the financial service sector is among the most vulnerable, along with manufacturing, and healthcare, according to the 2019 Global DNS Threat Report: Understanding the Critical Role of DNS in Network Security Strategy report.
RSM, an audit, tax and consulting firm, reported that in 2018 financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA), which was a jump from reported 69 incidents in the previous year. The main causes were attributed to third party failure, hardware and software problems and change management involving switching from one system to another. These statistics were from the UK regulator on behalf of RSM, which requested the information under the Freedom of Information Act.
Research conducted by the Herjavec Group predicts that the global annual cost of cybercrime will rocket to around $ 6trn by 2021, up from $3 trn in early 2015.
Rise of Ransomware
Industry experts point to ransomware as the number one danger. Over the past three to four years, it has moved from simply being a nuisance to becoming a major challenge for financial firms, according to Joe Krull, a senior analyst at Aite Group and author of the report – Top Ten Threats in Cybersecurity 2020: More Ransomware, Evolving Strategies, and New Tools. “In the past, ransomware targeted smaller organisations who did not have regulation, but that has changed and we believe that in 2020, it will continue to plague organisations of all sizes,” he adds. “This will particularly impact those offering a high-availability services as well as those that have poor data restoration capabilities.”
There are different strains of ransomware but the most common thread is the kind that looks to encrypt files on a computer system and demand money for restoring them. Ransomware often spreads laterally across a network, locking up every computer or server it can access, eventually rendering devices inoperable and halting a business’s operations. The vast majority of attacks on financial institutions come in the form of an email disguised as legitimate communications. However, once a user opens an attachment or clicks on the URL, the computers quickly become infected.
In addition, firewalls can easily be breached if hackers trick employees into disclosing their security credentials. They can then infiltrate a company’s network for years before being eventually detected. One of the problems, according to Gareth Evans, head of consultancy Sionic’s fraud practice, is that with social engineering “criminals are using much more sophisticated techniques and focusing much more on the behavioural profile of the individual or organisation so it makes it difficult to differentiate between genuine or fake interactions.”
The savviest hackers though are bypassing the employee or user and are exploiting weaknesses within the operating system or applications. This was the method used in the 2017 WannaCry on the UK’s National Health System. Third party software tools are also being attacked and this is set to increase as more organisations rely on the: ‘plug and play’ software kits and open source tools.
As Protiviti’s Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change report points out financial service firms expect to see an exponential rise in attacks through partners, customers and vendors over the next two years. They are more cognisant of their expanded vendor and business partner ecosystem, which is opening up more entry points and vulnerabilities that can be exploited in a cyber-attack.
“Companies now run their IT systems on the platforms of third-party technology providers – like Amazon Web Services and Microsoft Azure – and employees can access applications from a wide range of devices – including smartphones and laptops – and locations,” Guy de Blonay, manager of the Jupiter Financial Opportunities fund points out in a journalists note shared February 19 2020.
Building new defences
Against this backdrop, it is not surprising that market participants are calling for a new way forward. “Technology is important but it is not just about the tools,” says Evans. “Companies need to think much more holistically in order to better identify the cracks,” says Evans. “Traditionally in banks, different departments such as anti-money laundering or fraud detection had their own tools and techniques but these silos need to be broken down in order to look at where the points of vulnerabilities sit across the whole organisation.”
Comments made in the journalist note from Jupiter also note that traditional security model, based on the ‘castle and moat’ approach, which assumes threats are external and not internal, is outdated. This approach was sufficient when a firm’s applications and data were based internally and within the company’s own data centres but this is no longer the case for most firms. Today, third-party providers and firewalls can be breached.
In the note, de Blonay states increasingly companies are now adopting more of a ‘zero trust’ policy which is based on the premise that everything (internal and external of the network) should be checked and monitored on a continuous basis. This means constant authentication of the users, securing devices and even using artificial intelligence for analytical purposes.
Stephen Scharf, Chief Security Officer at Depository Trust and Clearing Corporation (DTCC) is also seeing a “change from detection to prediction-based tools which can discover the symptoms of a pending breach and react to them before a breach happens. Resilience needs to be embedded into the very design of products and services of financial firms. Furthermore, employee education needs to evolve beyond online training and leverage more interactive tools that are now available. In the future, I think we will also see artificial intelligence and machine learning being used more frequently in predictive analysis.”
The use of cloud technologies in cyber security solutions in on the risk as they make it easier to keep updated with the changing nature of new cyber threats, said de Blonay in the journalist note. He noted industry estimations of the use of cloud in 30% of the cyber-security market as of 2019, an increase of 20% in 2018.
While individual companies are mulling over their technology option, industry wide initiatives such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as well as the FIX Cyber Working Group are also involved. They are looking at regulation, the evolution of best practice as well as risk management practices. Two years ago, the group launched FIX-over-TLS (FIXS) standard which outlines how to use the Transport Layer Security (TLS) protocol with FIX to help ensure a certain level of security is applied.
“It is down to good housekeeping and practices,” says Charles Kilkenny, co-chair of the FIX Cybersecurity Working Group and CEO at Actuare. “There is no silver bullet but you need to put in more controls today such as network segregation, multi factor authentication processes and appropriate due diligence for third party vendors. Also, the education of employees is very important. There needs to be greater awareness and constant training across the organisation so people can better understand the risks and know how they can be mitigated.”