The cyber-reality

The efforts of banks to protect their assets from cyber-attacks are often characterised as a kind of high-tech battle of wits. The ‘cyber’ prefix conjures up sci-fi images of sinister, sophisticated criminals fighting resolute, resourceful nerds for supremacy in cyber-space. But in the evolving field of cyber-security it is often the traditional risk identification and management disciplines of the security industry that offer the best clues as to how banks should face up to the reality of cyber-crime.

Banks are increasingly aware of the threat they face. The UK finance sector currently spends £700 million a year on cyber-security, according to government figures. A global PwC survey reports that 70% of banking and capital markets CEOs regard cyber-insecurity as a threat to their growth prospects. But are banks responding quickly enough? Are responsibilities for cyber-security delegated effectively across the whole organisation? Are staff education, procurement management and IT investment strategy aligned with an agile long-term policy? Right now, the evidence suggests not. Alongside firms’ own strategies, the British Bankers’ Association and PwC have made five recommendations to help the industry confront cyber-threats: enhanced information exchange; co-ordinated lobbying; common measurement methodologies; a central hub to support banks’ cyber professionals; and greater global coordination.

For obvious reasons, the banking industry is a key target for cyber-attacks, but many other industries are vulnerable too, and the consequences are increasingly drastic. Target, America’s third largest retailer, suffered a 62% fall in profits in Q2 2014 after it took a US$148 million charge relating to the theft of the personal details of 70 million customers and the card details of 40 million customers. That was not the total cost of the breach, which took place over the US Thanksgiving period in 2013. Though hard to quantify precisely, the firm has acknowledged that lower sales in 2014, especially online, were at least in part a consequence of the breach. Though the firm has suffered unrelated difficulties – an expansion into Canada has since been scaled back – Target was one of the first firms for which a cyber-attack had such a material financial impact. Even in this case, the impact was slow to emerge: when news of the breach first broke, Target’s share price dipped only 2.2%.

But the impact rumbles on, not just in Target’s Q2 financials but at other retailers too. In July, the US Department of Homeland Security and the US Secret Service warned companies to check for malware dubbed ‘Backoff’ that infiltrates in-store point-of-sale (cash register) systems, the same modus operandi as the Target attack. Within a month, the department estimated that more than 1,000 US firms had been affected, including UPS and Supervalu. What was the way into Target? The malware that stole the data entered via the network access of a heating and air conditioning contractor that supplied services not only to Target but to a range of retail firms. The lesson for security teams is that a supplier’s remote access is part of the attack surface and needs the same segmentation and monitoring as any internal system.

There is a growing recognition among procurement professionals that existing practices need to evolve to take account of the threat posed by cyber-attacks. Historically, procurement departments have relied on the contract as the primary tool for risk mitigation. But asking software suppliers, for example, to indemnify clients against the impact of cyber-attacks caused by bugs in their software may inhibit competition and innovation, and a contractual remedy in any case does nothing to stop the attack itself.

Noting that the theft of 250,000 customers’ payment card data at US retailer Sally Beauty was traced to a supplier’s IT system, Jonathan Webb, head of strategic research at Procurement Leaders, a website for supply chain and procurement professionals, said defence mechanisms needed to be “tightened up”.

“In the eyes of the law, and the general public, there is no fiduciary difference between the organisation and its suppliers when it comes to protecting data that has been provided in good faith,” observes Webb, who proposes that security arrangements must be mandated, monitored and regularly tested as part of a close working relationship between supplier and customer.

In the finance sector, the wide range of cyber-threats and their potentially devastating impact on banks and their customers reflects the sector’s reliance on process automation and on system inter-connectedness with suppliers and customers. To deliver better, cheaper, faster services, the technology infrastructure of banks must be accessible to third parties, known and unknown. “Whether it is external data feeds, customer and staff devices or cloud services, banks find themselves having to adapt to relying on systems that are outside their control,” wrote Richard Horne, partner, cyber-security, at PwC in a recent report.

Cyber-attacks can no longer be swept under the carpet. As well as having to divulge the financial consequences of attacks to shareholders, firms are increasingly obliged by law to reveal instances of loss of customer information, but the rules still vary from country to country and industry to industry. European telecoms firms must already notify customers of breaches, and soon critical infrastructure providers will have to report cyber-security breaches to the relevant national authorities.

The European Network and Information Security Directive, approved by the European Parliament in March, aims to establish a coordinated and harmonised approach to protection against cyber-attacks. In parallel with the proposed data protection regulation, the directive will impose minimum requirements for information security, but some important details must be settled before it is finally adopted by the Council of the European Union, expected in 2015. In particular, it is not yet clear which entities will be identified as ‘market operators’ that must notify national competent authorities of security breaches (banks and financial market infrastructures are currently in scope), which types of incident must be reported, or how the powers and responsibilities of the new authorities will affect the role of existing supervisors such as the European Central Bank.

Beyond regulation, it also seems that the economic and practical realities of dealing with multiple, complex cyber-threats mean banks have little choice but to work together.