PRIMER: banks and cyber security (part 1)

Author: Amélie Labbé | Published: 8 Feb 2018

What’s the scale of the problem?

Banks make attractive targets for cyber criminals because the bulk, if not all, of their activities – managing flows of funds and related data – is carried out online. But even though banks are some of the most regulated entities in the world, not all of them are confident they would be able to deal effectively with a breach and its long-term effects, according to a study from Accenture.

"Cyber security has become a board level issue, which is crucial," said Mark Camillo, head of cyber, EMEA at AIG. "But even though banks are some of the most mature entities when it comes to incident preparedness, and they have spent quite a bit on this over the years, they are still susceptible to breaches."

No financial institution or region has been spared by digital criminals, from Bangladesh Bank to JPMorgan, HSBC, Ecuador’s Banco del Austro and South Korea’s Shinhan Bank. At the end of January, Dutch banks ABN Amro and ING fell victim to a distributed denial of service attack, which overloaded their servers with traffic and resulted in a temporary shutdown.

A few figures and facts show the scale of the issue:

  • Over one-third of all cyber attacks have succeeded in stealing data.
  • Cybercrime is estimated to cost the financial sector $18 billion every year, ahead of energy ($17 billion) and defence ($14 billion).
  • JP Morgan, Bank of America, Citibank and Wells Fargo spend a combined $1.5 billion on cyber defence every year.

Do banks have specific cyber security rules?

Yes, but they are not set in stone. Only a few jurisdictions have rules that concern banking cyber security specifically, including Hong Kong, Singapore, the UK, the EU and the US (including nearly 40 individual states). This is probably because they are major global financial centres, with financial institutions critical to the functioning and stability of the economy.

According to Andrew Beckett, managing director and EMEA leader for Kroll's cyber security and investigations practice, banks need to understand the nuance of geographical requirements, which can sometimes make compliance very difficult.

For instance, New York’s Department of Financial Services (NYDFS) mandates the use of encryption and multi-factor authentication, and the nomination of a chief information security officer (CISO). In contrast, the General Data Protection Regulation (GDPR) only asks businesses to consider using these, and does not legally require the hire of a CISO.

"One thing that is holding back big business is the lack of coordination globally and ever-increasing standards," said Beckett. "It’s also a delicate balancing act: businesses have to weigh up the cost of complying, the potential fines and the loss of a business licence – on a global scale – with the level of risk that they face."

For instance, banks in Singapore are expected to be subject to a proposed new law that will require them to increase their cyber defences, Monetary Authority of Singapore managing director Ravi Menon told the media in November. Singapore has also had a Cybersecurity Bill in place since the summer of 2017, which requires companies to notify regulators of any data breaches, share threat and best practice information, and conduct regular audits of their systems.

The EU’s 2016 Network and Information Security Directive (NISD) also has a very general scope. Clearing houses and banks officially fall within the definition of critical infrastructure, though the UK has exempted them from complying with NISD and will instead implement separate rules for them ahead of the May 2018 implementation deadline. These will also apply to banks and other financial services institutions.

The European Central Bank requires banks to submit cyber threat data in real-time, and has been monitoring some of the EU’s largest banks since 2016.

The US framework for improving critical infrastructure cybersecurity, developed by the National Institute of Standards and Technology (NIST), encourages the public sector and private sector companies to share details of threats and best practices. The NYDFS has very similar rules in place for banks, as does California.

One of the major issues with cyber security regulations globally is their lack of a definition on what constitutes a good level of preparedness, and what systems/controls are effective. The focus has historically been on best practices.

"Because of the lack of prescriptive frameworks – threats are so fast-evolving – banks tend to follow ISO standards [ISO 27001 is the international standard for best practice information security management systems] to address cyber security," said Camillo.

Given how quickly digital threats evolve, this is unsurprising, and each organisation has to determine its own risk profile and take what it believes are the adequate steps.

But this can prove difficult. The UK government recognises ISO 27001 as the best practice standard, and uses it as a baseline for data protection. It does concede, however, that additional controls are needed where a higher level of security is required. In comparison, NIST uses 20 mandatory controls as its best practice standard, which are similar to but not the same as the UK’s. NISD in the EU uses other benchmarks.

What are Sheltered Harbour and Quantum Dawn?

Because the digital landscape changes constantly – as do the threats banks face – there is no single fail-safe way of staying secure. Financial institutions have focused on improving the market’s resiliency and readiness, with initiatives such as Quantum Dawn and Sheltered Harbour. These have the backing of governments and defence departments.

The first is a cyber war exercise which Sifma has held since 2011. In 2016, some 80 financial institutions took part in a simulation to improve incident readiness in areas including domain name hacks, customer data theft, malware in clearing systems, loss of connection and ransomware.

Under the US Sheltered Harbour initiative, if a cyber attack takes down a participating bank or clearing house, another takes over. Customer and transaction data is backed up and securely restored at a duplicate financial institution.

"The coordination and information sharing that we have seen around threat intelligence, sector-wide incident readiness and systemic resiliency are all leading practices that other industries could model," said Joe Nocera, PwC US cybersecurity and privacy financial services industry leader.

Can banks be held accountable anyway?

Yes, they can. A number of regulations have introduced fines and, in some cases, prison sentences for organisations found to have insufficient processes in place to protect data and/or systems, or that have failed to report that a breach has occurred.

Under Singapore’s Cybersecurity Bill, any organisation that doesn’t comply is liable to a fine of up to $100,000 or a jail term of up to 10 years. The UK is also contemplating penalties of up to £17 million (around $24 million) or four percent of global turnover for companies in essential services (which includes financial services) in its own version of NISD. Covered entities under the NYDFS Cybersecurity Regulations will also be subject to penalties.

But there is one piece of legislation that is putting increasing pressure on financial services entities to comply: the EU’s GDPR. This landmark legislation introduces a fine of €20 million ($25 million) or four percent of annual turnover for the most serious failures to comply with the data breach notification rules. The GDPR primer, last August, noted that these fines are much larger than the £0.5 million penalty that the UK’s Information Commissioner’s Office (ICO) can currently impose. It’s important to remember that individual member states are required to implement it nationally, which will inevitably lead to different levels of compliance.

"Banks are worried about getting this wrong and being hit with larger fines than we have seen recently," Simmons & Simmons partner Alex Brown told IFLR.

Part 2 of this Primer will focus on areas that banks still need to improve on to be fully prepared for cyber attacks.
