In as much as technology keeps advancing on a daily basis, security – especially cybersecurity has caused the entire financial space, including banks, a lot of worries. Day in day out, financial institutions are faced with several cyberattacks – both domestic and international, all in different forms which potentially lead to data breaches, loss of assets and a decrease in customer confidence. Ironically, as digital banking increases in innovation, the risk of exposure to attacks keeps rising and there still isn’t any rock-solid way to totally counter these threats as new ones develop daily.
One might ask, what then is the benefit of technological development if there are no sure-fire ways to counter these threats? The answer is simple. A large amount of data and assets, both financial and otherwise in the possession of these banks make them attractive prey for attackers who look to make away with some prize. About a quarter of cyberattacks waged at institutions worldwide are directed at financial institutions. It is only reasonable that these attacks be prevalent either from a tech expert in his/her bedroom, corporate spies or even government agents as the costs incurred in launching an attack are relatively low compared to the amount to be spent in setting up defenses against cyberattacks. Just last year alone, as reported by the UK’s Financial Conduct Authority, 50 financial institutions were reported to have faced cyberattacks – a number that skyrocketed from the mere four or five in the previous years.
Despite the severity of this growing threat and pressure from regulatory bodies, several banks are yet to implement effective measures to exhaustively handle these threats as most of them treat this issue as a secondary concern. Upon investigation of an attack, more times than not, they tend to find an intruder dwelling in their systems. On the subject of cyberattacks, an expert once categorized businesses into two: the ones who are being attacked and are aware of it and those who are being attacked but aren’t aware yet.
The banks termed to be the most secure ones have mostly increased their abilities to detect and counter cyberattacks. While this is commendable, until financial institutions generally begin to give IT security the importance it needs – just as much as they do to compliance, credit, and counterparty, the strategy just remains the same and would oftentimes yield the same old result that they have been receiving. To achieve the ultimate goal of developing a secure banking system for this digital age, banks have to invest in new operating models and make tactical investments in new and reformed technologies.
The threat to Information Security on a Rise
In a report released by the World Economic Forum, cyberattack was named to be one of the man-made threats posing issues to the global economy. As security measures to defend against cyberattacks increase, so do the ways by which malicious elements launch their attacks also increase. Many of these cyberattacks are constantly targeted at databases, IT systems, and even payment systems. A vast number of these attacks go unreported in order to preserve the integrity of the victim organization but an attack on a massive scale can definitely not go unnoticed. Just after cyberattacks, data theft and fraud comes next on the rank of the manmade threats facing the global economy. It might interest one to know that even central banks are not immune to cyberattacks. The most recent attack on a central bank payment system reported the loss of tens of millions of dollars to hackers in the attack.
The aim of every cyber threat is different – while attacks on payment systems, distributed denial of service (DDoS) and Man-In-the-middle attacks are relatively common, some attackers seek to take hostage of confidential data. At times, these private data are published for malicious intent or at times published mistakenly by some staff or due to an IT error. In 2017, over 1200 different kinds of ransomware attacks were detected daily and ended up costing the financial industry several billions of dollars.
As mentioned earlier, the effect of these attacks goes beyond the loss of assets. The aftermath of these attacks could lead to a drop in confidence levels among clients, customers, and even financial markets. The cost of repairing the damage done and repairing the blotted reputation of the attacked institution is also often costly. Additionally, there are usually several digital endpoints from the bank to switching companies and a host of all other institutions meaning that one or more endpoints might also be affected in an attack.
Pressure from Regulatory Bodies Intensifies
Banks are naturally under compulsion to check cybersecurity risks in order to not only protect their business but comply with stipulated rules laid down by regulatory bodies. According to the Financial Stability Board, about 75% of regulatory bodies worldwide are working on new cybersecurity measures, policies, guidelines, supervisory practices and regulations within the coming year in order to put in place better infrastructure to fight this cyber warfare.
A typical example of these policies is the ISO27k global series of standards published by the International Electrotechnical Commission and the International Organization for Standardization. These series of standards provide the best and standard practices regarding management systems for information security. They contain professional recommendations regarding the documents, processes, technology and the manpower to audit, manage and improve the security of information. Implementation of such processes would require coordination and leadership across the management board.
Known Vulnerabilities in Banks
The steady increase in the complex levels of cyberattacks and the consistent pressure from regulatory bodies further intensifies the need for these financial institutions to tighten their defenses in order to strengthen information security. Despite these, many underestimate the risk and are usually unprepared when the attack strikes. Below are two of the known weaknesses possessed by these institutions.
Improper prioritization of Cybersecurity: In the management of IT assets, many banks fail to make cybersecurity a crucial element during their decision-making processes. This is often revealed in the roles assigned to the Chief Information Security Officer (CISOs) whose duties are often unconnected with operations, product development, and digitization efforts. Oftentimes, banks do not assign roles to CISOs which would enable them to infuse security awareness and information security into the purchase or design process. They are often left out of board-level decisions where IT risks can be assessed and contained early enough.
Inadequate focus on Detection and Counter-action: It has become a habit for banks to perpetually focus on preventing cyberattacks against their systems which is only useful in the event of generic attacks. For determined and specific attacks, such preventive measures may not suffice. Despite these stringent measures that banks happen to have in place, hackers still manage to breach these defenses and exist in the system for an average of 200 days, as reported in a study. Security measures that detect and report malicious elements have become available for the risk management sectors of banks to start harnessing and making use of in order to curb this menace.
With all these in place, the duty to employ appropriate technologies and resources and even stick by the best practices set aside by regulatory bodies rests upon financial institutions as the warfare against cybersecurity continues.