Evolving cyber risks in the financial services sector

December 2019  |  TALKINGPOINT | BANKING & FINANCE

Financier Worldwide Magazine

December 2019 Issue


FW discusses evolving cyber risks in the financial services sector with Nick Parfitt at Acuris Risk Intelligence.

FW: How would you characterise the extent and variety of cyber risks facing financial services (FS) firms today? What tactics are malicious actors deploying to penetrate and disable systems?

Parfitt: In July 2019, Capital One was the subject of one of the largest financial institution (FI) hacks ever seen, which impacted tens of millions of credit card applicants. Clearly, FIs remain attractive targets for hacks, and what is interesting with this case is that it originated from a cloud vendor, so it illustrates the risks in an FI’s supply chain. It is often said that cyber security is only as strong as an organisation’s weakest security point. And the many threats facing the financial sector are not going away. Ransomware in particular has evolved to malware disguised as ransomware – a ransomware attack can now destroy, exfiltrate or encrypt data. We saw this with the NotPetya attack in 2017. Other threats include distributed denial-of-service (DDoS) attacks, social media attacks, spear phishing, PoS malware, ATM malware and credential theft. The increased use of biometrics also poses new security threats, as does quantum computing. There also continue to be threats stemming from employee error or carelessness. When employees use public Wi-Fi or a deficient private network, they also open the FI up to hackers, as they do, of course, when they click on a spear-phishing email. Business email compromise in particular was the subject of a recent US Securities and Exchange Commission (SEC) warning. Nine public companies that fell victim to these scams lost a total of nearly $100m to the perpetrators. The SEC noted that these scams were successful “at least in part, because the responsible personnel did not sufficiently understand the company’s existing controls or did not recognise indications in the emailed instructions that those communications lacked reliability”.

FW: How can FS firms ensure that their cyber security strategies reduce the risk of attacks and limit financial and operational impacts? How important is a comprehensive approach, including overhauling legacy systems, in this regard?

Parfitt: A key component of any robust security programme is carrying out regular risk assessments and implementing effective programmes that address access rights and controls, data-loss prevention, vendor management, incident response drills and enterprise-wide training. Training can be particularly effective if regular internal emails simulating ‘phishing’ attacks are sent to staff, with responses tracked to help improve education and awareness. We regularly see failure rates in the high 30 percent range, which shows just how easy it is for hackers to spook employees and gain entrance to the network or instruct bogus payments to be made. In the case of ransomware-type attacks, FIs should look to have backup systems and redundancy for key, or primary, data sources so operations are not negatively impacted, or at least not severely compromised. Backups can be lifesavers in ransomware attacks, as can segmenting data so that the attack can be contained. Being part of an information-sharing group can also help the FI quickly determine more about the type and severity of the attack. Cyber security should be a board-level agenda item. Appropriate accountability and sponsorship are an essential foundation for a comprehensive approach to risk management and mitigation. Legacy software is particularly prone to breaches, as patches may not be available or may not have been applied, so it is vital to risk-assess all software and hardware components for weaknesses and vulnerabilities and build suitable strategies to address these risks.

FW: What options are available to FS firms looking to build or maintain a strong cyber security stance, to defend against malicious attacks? What considerations should they make when assessing the suitability of these options for their particular business?

Parfitt: FS firms can employ a variety of strategies to harden networks, segment data and business units and employ advanced software to monitor attacks, as well as increase the number of dedicated security staff. We are seeing that the application of artificial intelligence (AI) and machine learning (ML) to data analytics is becoming an important part of security programmes. Here, AI-driven anti-malware software looks for file and operating system changes that are out of line with normal computer operations. This approach can also be applied to other entry points that are attractive to hackers, such as smartphones. Often firms have simply locked USB ports and limited internet access to certain approved websites only, which is fine for some operations but not others. For example, compliance staff performing due diligence on customers and prospects require access to a far broader set of websites, making management of their URLs almost impossible. Similarly, financial intelligence units that carry out specialised investigation work may require specific, ring-fenced hardware to protect the rest of the business when they access information, particularly on the dark web.

FW: How should firms go about allocating resources, such as dedicated staff, in order to build a strong cyber security posture?

Parfitt: Designating a chief information security officer (CISO) is a wise option. It is often better to have the CISO develop the cyber security programme than tasking a chief technology officer (CTO) or chief information officer (CIO) with it. The company should take steps to ensure that cyber security is an enterprise-wide risk and not just an information technology risk. We often hear that there is a communication gap between information security and information technology on one hand and legal and compliance on the other. These teams need to work together and bridge that gap with clear lines of communication and no assumptions that each team understands all the terms.

FW: What impact are new regulations and requirements having on cyber risk management for FS firms?

Parfitt: Regulations are having a significant impact on FS firms and fundamentally they need to know where their data is. Our conversations reveal that they increasingly understand that data mapping is an important first step. An updated and compliant privacy notice is also foundational. If the FI has to comply with the US Gramm-Leach-Bliley Act, it will have published a privacy notice, but revisiting it and ensuring transparency is important, especially for FIs subject to the General Data Protection Regulation (GDPR). For GDPR compliance, other crucial steps include reviewing third-party contracts. Some companies have told us that to get a handle on their third parties, they had to look at a list of accounts payable. It is also essential to assess whether a data protection officer (DPO) is needed and to identify the bases for processing data. Also important is developing a procedure for answering data subject requests and making sure that the company properly preserves its defences for the legal bases of data uses under Article 6 of the GDPR.

FW: In addition to the direct financial cost of a cyber attack, how should firms prepare to address non-financial costs, such as reputational damage?

Parfitt: Preparations boil down to the reputational implications of each type of cyber attack and should be understood at board level too. We are told that the recent high-profile cases of Equifax, Uber, Marriott, British Airways and now Facebook have raised the profile of both data security and privacy at the board level. The SEC issued guidance in February 2018 around cyber-related disclosures and governance and that also played a role in elevating the issue. It should be noted too that hacks can result in privacy implications, and in the case of Facebook’s settlement with the US Federal Trade Commission (FTC), an independent privacy committee, comprised of independent directors who meet certain privacy and compliance standards, was mandated. This is something not seen traditionally with these types of settlements.

FW: With cyber attacks continuing to grow in sophistication, what challenges are likely to confront FS firms in the years ahead? What is the likely fate of those FS firms whose cyber defences fall short?

Parfitt: The main challenges are likely to be around staying current with cyber attack typologies and ensuring the business and security functions can respond effectively. As the Internet of Things (IoT) increases in ubiquity, the chances of having weak security points become more probable. We have seen how CCTV cameras, smart TVs and Wi-Fi-enabled kettles, to name but a few, can be easily hacked to gain deep network access. For the FS industry, the introduction of the second payment services directive (PSD2) could increase security risks as FS companies open up their payment channels to FinTech firms seeking to provide novel products and services, increasing vendor supply chain risks. The penalty for not getting this right can result in material regulatory fines, reputational risk and loss of customer confidence, meaning there is a very real risk of a firm failing and going into administration.


Nick Parfitt is responsible for determining Acuris Risk Intelligence’s approach to the market and building subject matter expertise. He has 18 years’ experience in project and programme management, business process change and implementing technology and business solutions at financial services, telecoms and public sector organisations. His experience in the financial crime sector spans seven years, helping tier one financial institutions assess and improve anti-money laundering (AML), know your customer (KYC) and sanctions operations. He can be contacted on +44 (0)20 3741 1200 or by email: info@acuris.com.

© Financier Worldwide
