How banks can face the cybersecurity challenge

The day-to-day demands of running a bank are many and varied, yet many of them are increasingly overshadowed by the growing challenge of building an effective defence against cyberattacks. In February 2015, security group Kaspersky Lab reported that a concerted attack by the so-called Carbanak cybergang targeting dozens of global financial institutions could have stripped each bank of between US$2.5m and US$10m and netted the perpetrators as much as US$1bn. More recently, an attack targeted at Bangladesh’s central bank saw the gang strip it of over US$100m.

As delegates to this year’s SWIFT Business Forum London were told, cyberattacks now hit the headlines on a daily basis and the banking sector is a top target. This made a session entitled ‘Running the bank in the face of increasing cyber threats’ one of the best-attended sessions at this year’s event. As session moderator Stephen Gilderdale, SWIFT’s managing director for UK, Ireland and the Nordics noted, financial institutions increasingly stand or fall on their management of cyber risk.

At the same time the sector is increasingly competitive and banks that fail to innovate can be left behind by their rivals. Yet strong cyber risk management and the ability to innovate may prove to be two conflicting aims.

Speaker Craig Rice is director of security at Payments UK, the industry’s trade association and has previously worked in the intelligence and security sector. He described cyber risk as adversary and threat-led, requiring an understanding of both by organisations. In addition, it is adaptive and requires adapting regularly to new and emerging threats. The response needs to meet three main criteria in being authoritative, competitive and collaborative; with greater collaboration between organisations likely.

“Cyber risk is dictated by your adversary and the bad guys are highly innovative,” said Rice. “Cyber security is something that needs to be related to your business processes.”

He called for improved integration between what business wants to achieve and what security needs to achieve. As the author of three research papers published in 2014, Rice recommended that work be undertaken on an improved cyber threat intelligence service and reports that the degree of collaboration between organisations in the financial services industry has increased expedientially in the past two years.

Developments include the formation last summer of the Global Cyber Alliance (GCA), an international cross-sector initiative whose financial services industry members include American Express, Barclays, Citi, US Bank, and the US Financial Services – Information Sharing and Analysis Centre (FS-ISAC). This coming October will see the launch of the UK’s National Cyber Security Centre (NCSC), which will provide an information sharing platform and collaborate with the Bank of England (BoE) on cyber security guidance with financial firms.

Rice added that these and other initiatives use an interchangeable common language that can be used whenever a cyber threat is identified and information is exchanged. They join the non-profit Center for Internet Security (CIS) in the US, which was formed back in 2000 and whose portal provides for the sharing of cyber information that keeps even the smallest businesses up to speed.

A belated response

Also speaking at the session was William Brandon, the BoE’s chief information security officer (CISO), who noted that nation states have always been interested in other peoples’ information and are becoming steadily more adept at cyber intrusion. Asked by Gilderdale how banks should balance the need to be innovative in response to competitive demands with the need for a holistic cyber risk strategy, he admitted it was a challenge and financial institutions must carefully assess.

“In an information-led economy, we have to be more careful than ever in protecting innovation,” he added. “At the same time ratings agencies are now starting to include an assessment of an organisation’s cyberattack responses when issuing a rating. This means that the organisation must know what its most valuable assets are as well as where is vulnerabilities lie.”

Brandon admitted that there is a widely-held, but overly pessimistic view that the cyber attackers’ ability to attack is steadily overwhelming the defenders’ ability to defend, but added that many organisations are only now belatedly waking up to the size of the cyber threat and allocating money and resources to defence. Financial institutions were also facing growing regulatory pressure to improve their level of security.

At the same time “the big tech giants are investing heavily in security – because if the Internet of Things is to be a success then it also has to be secure.”

Brandon concluded: “Cyberattack is among the crimes for which the victim, rather than the attacker, receives the blame. We need to be more sympathetic, but at the same time emphasise that cybersecurity is everyone’s responsibility.”


Related reading