Security: survival of the fittest
The threat of cybercrime shows no sign of diminishing any time soon, but to what extent can market infrastructures and financial institutions protect themselves against hacking attacks?
It seems nothing is truly safe in the world. The internet, newspapers and our TV screens constantly bleat about street crime or the world falling apart. It’s not a pretty picture. Unfortunately, the financial technology world also has its problems and can’t be too complacent – all because the spectre of cybercrime casts a long shadow over the industry.
In a recent Depository Trust and Clearing Corporation (DTCC) survey, cyber risk topped the table of five main concerns, with 70 per cent ranking it and 37 per cent listing it as their number one concern. Stephen Scharf, managing director and chief security officer at DTCC, says: “Comprehensive security programs will need to continually evolve as they devote more resources to an ever-changing systemic risk landscape.”
With market infrastructures, such as central securities depositories (CSDs), payments clearers and financial institutions all under threat, intelligent solutions and ideas are thankfully on hand. This is where the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organisation of Securities Commissions (Iosco) come in. In June this year they released a 32-page report, Guidance on cyber resilience for financial market infrastructures.
The report is the “first internationally agreed guidance on cybersecurity for the financial industry”, according to the CPMI and Iosco and has been developed “against the backdrop of a rising number of cyber attacks against the financial sector and in a context where attacks are becoming increasingly sophisticated”.
Some recommendations include “governance is key” and the need to “instil a culture of cyber risk awareness”. When it comes to governance, the board’s and senior management’s attention is “critical” to a successful cyber resilience strategy; while for awareness, cyber resilience needs to be looked after at every level within an organisation.
It’s good advice, but companies need to implement and adhere to it all.
It would be remiss at a Swift event not to mention its attitude to the cybersecurity conundrum. Few would have missed the stories about Swift and the spate of thefts in which banks’ access to the SwiftNet FIN network was used to execute the crimes. These incidents included a $101 million cyber heist in Bangladesh – the biggest in history, Vietnam’s Tien Phong Bank stopping an attempted wire fraud and Ecuador’s Banco del Austro losing around $9 million.
In light of these dark events, Swift chief executive Gottfried Leibbrandt warns banks with inadequate cyber defences they could find themselves booted off Swift’s network. “The days when you needed to break into a bank and carry guns and blow torches are over,” he says. “You can now rob a bank from just your own PC and that does change the game completely.”
Although he has strong words for the weak, there was nothing empty in the sentiments Leibbrandt expressed. Swift took action and unveiled a five-part plan to reinforce security across its network after the incidents. In its Customer Security Programme, Swift asks a great deal. Namely:
- Improve information sharing among the global financial community
- Harden security requirements for customer-managed software
- Enhance guidelines and develop security audit frameworks for customers
- Support banks’ increased use of payment pattern controls to identify suspicious behaviour
- Introduce certification requirements for third party providers
In August, eight US banks – Bank of America, Bank of New York Mellon, Citi, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo – teamed up to fight cybercrime by initially agreeing to share information. The alliance will also make it possible for the banks to jointly prepare and conduct “war games” to test cybercrime fighting tactics.
Jean-François Legault, managing director, global head of cybersecurity operations, JP Morgan Chase, is clear on the solutions that are required. The bank is “working closely with clients to provide enhanced education around cyber safety and payment controls through a combination of webinars, events and other channels”.
This educational approach is at the core of what the bank does. JP Morgan Chase is “driving awareness around identifying, understanding and mitigating threats” and wants all its employees to be “well-educated on the subject of cybersecurity”.
Christophe Clément, head of operational risk management and permanent control at Societe Generale Securities Services (SGSS), says a risk control framework is necessary and mandatory, and that a “security culture” is essential for banks.
“In any professional environment, culture is the result of the combination of the values expressed by the organisation and our concrete daily life at work, especially the way employees interact with each other and their managers,” he says. Banks with a strong client culture will also have a strong security culture because all of the teams know that any incident might have an impact on clients. “This culture has to permeate throughout the institution, including its subsidiaries and locations around the world. All staff must be committed to a security culture because they are committed to client service. I was deeply impressed to note how team spirit was put into action in all locations and the commitment SGSS teams demonstrate to avoid inconvenience for our clients when serious issues are met.”
One of the most important elements of a security culture is that staff should be comfortable with raising security-related issues, he says. “Staff should be able to easily report anomalies, mistakes or their concerns about particular practices without delay and without censure. The dialogue between staff and managers should be open and easy. In a security culture, everyone working within the organisation has personal buy-in to security and recognises that they are responsible for safeguarding against breaches. By encouraging the reporting of mistakes or breaches quickly, the impact on clients can be reduced. That also means that an operational mistake can be pardoned if it is promptly and clearly reported.”
Increasingly, chief information security officers and others in similar roles in the banking industry are working together to share ideas about common threats and also the technology to improve security, says Clément. “For security in particular, team spirit between our firms is an added value for all; we are approaching a period when banks will play as a team globally to strengthen the fight against security threats.”
Financial institutions are in the business of trust, and security should be in their DNA, he adds. “Obviously, financial services providers must invest in the technology and in the experts necessary to protect the organisation from security breaches and also to rapidly detect new threats and incidents; but if a security control framework is a necessity, security culture among staff is essential.”
Shabirin Binhan, risk consultant at NetGuardians Asia, says the “advancement in technologies such as in the areas of artificial intelligence, big data and analytics have helped in availing new methods to mitigate and repudiate cyber attacks”. NetGuardians develops risk mitigation software.
The challenge to overcome cybercrime has almost turned into an arms race, he adds. The technology must be better than the hackers’ ‘weapons’, and the action needs to be proactive, not reactive. Some solutions could involve internal controls based on pattern-based intelligence, user behaviour and predictive analytics combined with big data technology. These are then able to analyse seemingly uncorrelated actions as a coherent whole and bring insights to detect anomalies or threats at an early stage.
Binhan says this ensures continuous monitoring and auditing of human behaviour across entire banking systems, with immediate alerts when control breaches occur. “Only then, cybercrime can be combatted in a proactive and effective manner.”
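To make the “payment pattern controls” and behaviour-based anomaly detection described above concrete, here is a toy control added for illustration; it is not code from Swift, NetGuardians or any bank quoted in the article. It builds a per-account baseline from a constructed payment history and flags a new instruction that breaks the pattern (unknown beneficiary, amount far above the usual range, or release outside the account’s normal hours), which is the kind of check that produces the “immediate alerts” Binhan refers to.

```python
"""Added example: a minimal payment-pattern control over constructed records.
The account ids, beneficiary ids, amounts and hours below are all made up."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    account: str       # originating account (constructed id)
    beneficiary: str   # beneficiary account (constructed id)
    amount: float      # single currency, for simplicity
    hour: int          # local hour of day the instruction was released


# Constructed history: one account's normal pattern of outgoing payments.
HISTORY = [
    Payment("ACC-1", "BEN-A", 12_000, 10), Payment("ACC-1", "BEN-B", 9_500, 11),
    Payment("ACC-1", "BEN-A", 11_200, 14), Payment("ACC-1", "BEN-C", 10_800, 9),
    Payment("ACC-1", "BEN-B", 12_500, 15), Payment("ACC-1", "BEN-A", 9_900, 13),
]


def build_baseline(history):
    """Per account: known beneficiaries, amount mean/stddev, hour range seen."""
    by_acct = defaultdict(list)
    for p in history:
        by_acct[p.account].append(p)
    baseline = {}
    for acct, ps in by_acct.items():
        amounts = [p.amount for p in ps]
        baseline[acct] = {
            "beneficiaries": {p.beneficiary for p in ps},
            "mean": mean(amounts),
            "std": pstdev(amounts) or 1.0,   # avoid division by zero
            "hours": (min(p.hour for p in ps), max(p.hour for p in ps)),
        }
    return baseline


def check_payment(p, baseline, z_limit=3.0):
    """Return the pattern violations for one payment; an empty list means normal."""
    b = baseline.get(p.account)
    if b is None:
        return ["no baseline for account"]   # unseen account: manual review
    reasons = []
    if p.beneficiary not in b["beneficiaries"]:
        reasons.append("new beneficiary")
    if (p.amount - b["mean"]) / b["std"] > z_limit:
        reasons.append("amount far above usual")
    lo, hi = b["hours"]
    if not lo <= p.hour <= hi:
        reasons.append("outside usual hours")
    return reasons
```

In production the baseline would be rebuilt continuously and the reasons routed to an alerting queue; the thresholds here are illustrative, not tuned.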
Everyone knows that no measures can be fool-proof or absolute in solving the scourge of cybercrime. But the answer may well require a ruthless streak (which is not difficult in the business world).
If you’re doing more than the competition, the hackers may well target the weak.