‘The term ‘cyber’ is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool – and therefore strange or spooky,’ commented New York magazine, back on 23 December 1996.
‘Cyber’ has been around for longer than many people think, and fans of the BBC’s longest running sci-fi show, ‘Dr Who’, know all about the menacing ‘Cybermen’. Cyber is indeed spooky.
The reality today is that far more advanced attackers are operating across the internet, using new and ever more sophisticated methods to attack our networks and computers and to disrupt critical services with ever larger and more serious denial-of-service attacks – and their return on investment (ROI) is very good.
These attacks are not just on electronic commerce (e-commerce) websites; they are against whole networks, companies, services, financial exchanges and power grids. Even some countries and their governments have been targeted by other state-backed groups. In some countries the results have been very well publicised, while in others the facts have been kept well concealed. Indeed, the writer has been in information security for more than 12 years and over this period has accumulated plenty of war-stories that have never been near the media. For most of the individuals involved, that’s exactly what they wanted to happen.
Less than a fortnight ago, on 26 March, it was reported that the US Securities and Exchange Commission (SEC) had convened a roundtable meeting in Washington to discuss the vulnerability of financial exchanges and Wall Street to such attacks.
“Cyber threats are of extraordinary and long-term seriousness,” SEC chair Mary Jo White was reported as saying. “The public and private sectors must be riveted in lockstep in addressing these threats.”
The roundtable discussion was set up by SEC commissioner Luis Aguilar, who called for the agency to establish a cyber security task force. Bloomberg reported him introducing the discussion as follows: “Given the extent to which the capital markets have become increasingly dependent upon sophisticated and interconnected technological systems, there is a substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.”
Everyone at Risk
It is highly likely that the outcome of this discussion will see the SEC strengthening its position and point of view on disclosures around cyber attacks and their impact. Enforcing more disclosure on SEC-listed companies will be a talking point for many stakeholders, as investors insist they have a right to know what has happened and how much damage has been done to the business. They also need to have this information to hold the company’s management to account if they have not protected the business well enough.
So, cyber attacks are regarded as a real threat to capital markets and should therefore be considered a real risk to all treasury functions. Even if your own company is not the subject of an attack, your ability to undertake the necessary transactions in the markets you use regularly may be subject to unexpected and severe disruption. Treasury departments will need to have a readily available and fully understood ‘plan B’ should things change suddenly.
Treasurers and other financial professionals will also need to think about their own systems, controls, connections and applications and make a much more detailed risk self-assessment in the light of any technology changes. They should also review the ways in which they are using the services provided by others that have become critical to the treasury function. These include the security over payment execution and the company’s payment files, which we have seen is one of the main ways that treasury operations become victims of cyber attacks.
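The payment-file control mentioned above can be made concrete with an integrity check between the system that creates a payment file and the step that releases it to the bank. The example below is added here and is not code from the article or from any named vendor; it assumes a shared secret (DEMO_KEY, a constructed value) held only by the creating and releasing systems, a constructed CSV-style payment file with made-up account numbers, and an HMAC-SHA256 tag carried alongside the file. A file whose contents have been altered after signing, for instance a swapped beneficiary account, fails the check and is not released.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed demo key: in practice a secret shared only by the system that
# creates the file and the system that releases it (e.g. held in a KMS/HSM).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample payment file; account numbers and amounts are made up.
PAYMENT_FILE = (
    b"ref,beneficiary,account,amount,currency\n"
    b"P001,Acme Supplies,GB00DEMO00000000000001,12500.00,GBP\n"
    b"P002,Widget Co,DE00DEMO00000000000002,8400.50,EUR\n"
)


def sign_payment_file(contents: bytes, key: bytes) -> str:
    """Tag computed when the file is created; stored or sent alongside the file."""
    return hmac.new(key, contents, hashlib.sha256).hexdigest()


def verify_payment_file(contents: bytes, key: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time before trusting the file."""
    return hmac.compare_digest(sign_payment_file(contents, key), tag)


def release_payments(contents: bytes, key: bytes, tag: str):
    """Gate before submission to the bank: refuse any file whose tag no longer matches.

    Returns ("RELEASED", total_amount) or ("REJECTED", None).
    """
    if not verify_payment_file(contents, key, tag):
        return ("REJECTED", None)
    lines = contents.decode("utf-8").splitlines()[1:]  # skip the header row
    total = sum(Decimal(line.split(",")[3]) for line in lines)
    return ("RELEASED", total)


def alter_beneficiary_account(contents: bytes, old: bytes, new: bytes) -> bytes:
    """Simulates a file modified after signing (used here only to exercise the check)."""
    return contents.replace(old, new)


if __name__ == "__main__":
    tag = sign_payment_file(PAYMENT_FILE, DEMO_KEY)
    print(release_payments(PAYMENT_FILE, DEMO_KEY, tag))
    modified = alter_beneficiary_account(
        PAYMENT_FILE, b"GB00DEMO00000000000001", b"GB00DEMO99999999999999"
    )
    print(release_payments(modified, DEMO_KEY, tag))
```

The tag only helps if the key is not available to whoever can edit the file, so the creating and releasing systems should each hold it in a protected store rather than on the shared drive where the file sits; amounts are summed as Decimal rather than float so the released total is exact.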
There are broadly two key reasons why cyber threats are a break from the past:
- Absence of boundaries: cyber threats effectively destroy or dissolve any boundaries that were there before.
- Cost and effort: Developing a piece of malware is cheaper than the cost involved in developing an alternative weapon with the same scale and scope of effect and commensurately little risk for the attacker.
Our new adversaries now take their time, use it to plan well organised, sophisticated attacks, and base them on intelligence they have accumulated about the target. When they strike, they are much more successful as a result. It’s very deliberate and they know exactly what they want.
Even without these new adversaries, the cost of basic computer attacks is very low, and a successful attack requires just one vulnerable soft spot. The defenders are required to protect everything, everywhere, on every device, equally, which is not cost-effective and is a strategy bound to fail.
Investment in security controls is based on known vulnerabilities or ‘vendor buzz’. The question then asked, as always, is: where should the company invest its resources? With a constantly changing landscape of attackers and vulnerabilities, simply reacting to attacks is no longer enough.
Keeping up to date is important: ‘patching’ everything, checking whether new threats are relevant to your company and deciding where you should invest within your setup are all critical tasks.
Treasury will need to be able to adjust to a new understanding of the risks facing the organisation on a much shorter timescale. All this needs to be done through the perspective of what the business impact of a threat might be.
How does treasury measure that impact? This is where cyber threat intelligence comes in. If individuals wish to prepare themselves, they need to seek out cyber intelligence so that they can view themselves in the same light as their attackers. They can then begin to use this external point of view to drive their investments in security. What do they need to do to protect themselves?
Companies and governments have to work very much harder to enhance their overall security posture. This work includes:
- Better understanding all the technical vulnerabilities and then implementing a better patching process.
- Undertaking thorough security awareness training to ensure that good behaviour is embedded within the organisation.
- Establishing a cyber intelligence team in-house, or purchasing this as a service.
- Building new incident response processes and computer emergency response teams (CERTs), and implementing supporting tools to respond in a crisis.
- Reorganising the security teams that support treasury functions.