Those responsible for protecting data in custody and settlement need to be alert to a major shift in cyber-attack trends: the threat has moved beyond data loss and increasingly includes data corruption. In a recent DTCC survey, a majority of risk managers said that cyber threats will be the cause of a high-impact event to the global financial system. Some 70% cite it as a top-five risk; in the US the figure is slightly higher at 77%.
By ‘high impact’, DTCC is referring to multiple entities being hit, resulting in a contagion effect, explained Michael Leibrock, Managing Director and Chief Systemic Risk Officer at DTCC. A cyber-attack on a financial firm that provides critical services – be it a custodian, settlement bank, or pricing vendor – for example, ends up affecting the firms that rely on it.
Even though a major bank would likely have resources such as insurance or capital in place to withstand losses, operational risk remains a major concern, Leibrock added.
Aside from the increased sophistication of criminal capabilities, there is also the threat from actors seeking to “intervene to disrupt financial systems by contaminating or compromising data”, said Nigel Inkster, Director of Transnational Threats and Political Risks at the International Institute of Strategic Studies (IISS) during the launch of the publication, “Evolution of the Cyber Domain”. Meanwhile, cyber security capabilities themselves are increasingly being seen as a key business differentiator in the financial sector, he added.
But does investment and awareness translate to preparedness? Inkster isn’t so sure. “I do wonder whether in countries like the United Kingdom, for example, the security issues of the financial sector are sufficiently wired in to central government to enable a coherent response in the event of a major crisis,” he said.
Eneken Tikk-Ringas, Senior Fellow for Cyber Security at IISS, added that banks, being lucrative targets and “super-critical” infrastructures, serve as a “trend indicator”. In other words, advanced attacks emerge here before other sectors. This, she added, ends up posing a difficult question for governments: who’s responsible? In the US, authorities are pushing responsibility to the CEO of companies themselves, but in Europe, it’s not clear whether that will be the same.
As it stands, most firms with internet-facing systems get a “constant onslaught of probing”, said Stephen Scharf, Chief Security Officer at DTCC. “What used to be a target of chance is now a target of choice,” he said.
Scharf described how this has also pushed a change in security industry thinking. “Security models were around stopping data loss and reputational issues, but those motives have changed. It’s gone from a theft and embarrassment model into a destructive model.”
Five years ago, nine out of ten security professionals would have identified loss of data as the top priority. Asked the same question today, half would point to corruption of data as the likelier scenario, he said.
That shift should translate directly into how firms prioritize and allocate resources, as they recognize that systemic risk, cyber and otherwise, needs a dedicated focus.
Cost of crime
Spending more money, however, doesn’t necessarily mean greater controls or protection. “It is a significant investment, it’s no longer 20 people in an IT shop in the back office, it’s a fundamental part of doing business nowadays,” said Scharf. What that looks like in cold hard cash is difficult to estimate, but a large financial firm can expect to have grown its information security and technology risk personnel to over 1,000 individuals.
In the UK, a 2013 survey by the National Audit Office estimated the cost of cyber-crime at between £18 and £27 billion ($27 – $40 billion). Since then, all signs indicate that the amount, complexity and frequency of attacks are going up, as is the cost per attack to companies, said Matthew Gould, Director of Cyber Security and Information Assurance at the UK’s Cabinet Office, speaking at the Power of Innovation conference in London.
“At the root of the problem of cyber-crime is: it’s cheap to do, the barriers of entry are coming down, you don’t have to be a technological Jedi Knight…and the downside risk is low,” Gould said. He also pointed out a whopper of an asymmetry: the cost of defending a customer’s data is estimated at £100, while buying that data will set someone back £1 or £2.
Though the human element of cyber security is essential – training and securing qualified personnel for example – technology does play a significant role. Nimrod Kozlovski, partner at JVP Cyber Labs, an investment fund and the largest investor in cyber security in Israel, said that generic “vanilla” solutions are giving way to a more mature industry. An emerging strategy at the forefront of combatting cyber-attack, he noted, is decoy entrapment – trying to lure actors to engage with fake systems and collecting information on threat actor behaviours.
Intelligence sharing too is gaining traction. “We see for the first time platforms that really create anonymous, or depersonalized, information sharing of intelligence in real-time that enable you to act,” he said. Notably, DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have a joint venture, Soltra, in this space.
Also growing rapidly is an understanding that detection systems require more than just alert notifications, since, Kozlovski found, nobody was paying attention when they were triggered. “We need better investigation tools to automate the forensic, to automate the incident response,” he said.
And then banking itself needs to adapt as legacy systems become obsolete. “In the banking institutions you still have mainframes from the 1960s,” said Kozlovski. The next generation answer, he added, looks like a kind of “coupling” of the hardware, the firmware, and the software in a secured architecture. “We see gradually more and more next generation design, primarily in IoT (Internet of Things) and automotive. (It’s) secure by design.”