Building immunity to cybercrime requires collaboration, now more than ever

By Waleed Saeed Al Awadhi, Chief Operating Officer, Dubai Financial Services Authority (DFSA)

Today we see almost every business operating from home across the globe, with an increased reliance on digital platforms becoming a core component of business operating models.  While remote working to this extent may well be new, the financial sector has long experienced a growing reliance on IT platforms, digitalised product channels and communication networks, giving greater vulnerability to a wide range of operational risks.  The pandemic created a perfect storm, with cyberattacks on the increase as opportunistic criminals take advantage of the crisis.

The real number of targeted attacks, however, is always unknown. Some organisations decide not to disclose information about breaches to avoid negative consequences to their reputation and customer trust. Large financial institutions often have advanced monitoring systems that detect hundreds or thousands of suspicious events (cyber threats) per day and the majority of these events are caused by automated tools that cybercriminals use to identify vulnerable targets. On the other hand, well-prepared targeted attacks may remain undetected for months.

The sudden global shift of focus of individuals, organisations and governments and an increased dependency on digital infrastructure has created a gateway for cybercrimes. According to Cybersecurity Ventures’ Official Annual Cybercrime Report, cybercrime is predicted to cost the global economy $6 trillion annually by 2021[1] and this prediction was before the pandemic hit. The COVID-19 pandemic is a wake-up call for businesses to consider and evaluate their capabilities to face extreme events, even the ones we all thought were unlikely to occur.

The actual cost of a successful cyberattack in the financial sector can be difficult to quantify. Aside from the direct theft of money or assets, a cyberattack may also negatively impact a company’s reputation and expose it to regulatory consequences. According to a study carried out by Accenture in 2018[2], the average annual cost of cybercrime per company in the financial sector could be as high as $18 million for the banking industry and $13 million for capital markets; and malware and web-based attacks were, on average, the most expensive types of attacks at an average cost of $2.6 million and $2.3 million per company, respectively.   The actual cost depends on the size of organisation and the severity of the cyber breach. For example, if we take a look at one of the recent major cyber breaches in the financial sector – Capital One – the cost of that breach may be estimated between $100 million and $150 million in 2019 alone.

Regulators play a key role here, and are taking proactive measures to assist the financial sector in mitigating the risk of falling victim to known threats with a multi-dimensional approach to support greater operational resilience.   Such measures don’t work in isolation however – a siloed approach won’t allow for the creation of resilient infrastructures that can protect not just individual companies but the wider economy.  Never has this been more relevant than now – a time when all our fates are interconnected and when collaboration between government, business and citizens is crucial.

The more complex and sophisticated cyber controls become the more sophisticated cyber criminals become. This means that even the best defence systems must continually adapt to the changing threat landscape. The only way for a company to ensure that its defences adapt effectively, is by having information in regard to the types of threats the defences need to adapt to. Information is key to reducing cyber risk.

Solutions such as the DFSA’s Cyber Threat Intelligence Platform (DFSA TIP) facilitate the dissemination of threat information to assist its member companies in taking proactive measures to mitigate the risk of falling victim to known threats. To ensure that timely, actionable and usable threat intelligence is continually available on such platforms, its vital to engage numerous third-party cybersecurity vendors to provide intelligence, threat analysis, and periodic threat reports.

These solutions, however, cannot work independently. They need to be coupled with larger initiatives to elevate cyber awareness, understanding, and knowledge. It is important that regulators are transparent and provide companies enough information to navigate such solutions. These could be series of user guides that provide guidance to members on how to integrate with the platform and how best to utilise the threat intelligence information they receive through the platform. Members would also appreciate workshops to provide more in-depth training on how to utilise threat intelligence and will continue these going forward.

We have built an ecosystem of expert support around the platform by appointing HelpAG to manage and operate the platform and by collaborating with Government agencies (DESC and aeCERT) and cyber security vendors to help fast-track the maturity of the platform to ensure it provided usable and actionable intelligence from day one and to ensure that all institutions (big and small) benefit.

As cyberattacks targeted at the financial services sector are becoming more frequent and sophisticated, it is crucial that financial institutions strengthen their cyber vigilance and diligence and explore new approaches to build greater cyber resilience. A cyber breach is a matter of “when” rather than “if”; therefore, it is important that firms not only focus on protection and prevention capabilities but also focus on strengthening their capabilities to respond to and recover from a cyber incident.  And that starts with knowing the threat.  As the financial sector evolves and as our FinTech sector grows, the UAE’s ambitions to become a world leading investment powerhouse remain the goal.  To achieve this, collaboration is key along with the development of pioneering initiatives to deal with ever emerging digital challenges – even if we can’t ever fully predict what those challenges will be.

[1]https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/

[2]https://www.accenture.com/ae-en/insights/financial-services/cost-cybercrime-study-financial-services