By Guy Warren, CEO, ITRS Group
As the war in Ukraine draws towards its 50-day milestone, banks and financial institutions across the world are increasingly aware of how a long conflict will impact the operations of the global financial system. The cyber threats that have come to characterise modern warfare pose a significant risk to institutions which are critical to their country’s infrastructure.
As such, it is crucial that banks and other financial institutions assess their vulnerability to such attacks – and do so urgently.
A global crisis
Whilst some in the West might feel that the Russia-Ukraine crisis is a faraway problem that can’t impact them, recent history indicates otherwise. NotPetya – a Russian-organised cyberattack targeting Ukrainian power, transportation, and financial systems – took place less than five years ago. And while its intention was to destabilise Ukraine, NotPetya spread rapidly.
The attack caused massive operational disruption to countries across the globe – including the US, UK, France, Germany and India – with the ripple effects felt in even the furthest corner of the global economy. The consequences were disastrous, with the White House estimating that the total worldwide cost of the attack exceeded $10 billion.
Now, both the threat and the stakes of a cyberattack are even higher.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning of the risk of Russian cyberattacks spilling over onto US networks, which follows previous CISA warnings on the risks posed by Russian cyberattacks for US critical infrastructure. And the European Central Bank (ECB) has warned European financial institutions of the risk of retaliatory Russian cyberattacks in the event of sanctions and related market disruptions.
Clearly, countries across the globe are anticipating the possibility of their critical financial infrastructures getting caught in the cyber-crossfire of the conflict.
But what can they do to protect themselves?
Understanding the risk
Firms have no hope of protecting themselves against cyberattacks unless they have a comprehensive understanding of the range of attacks they are open to.
And there are many forms of cyberattack that banks are vulnerable to. There are attempts to crash a website (DDoS); hacking to penetrate the network; Trojan horses, where software running inside the firewalls reaches out to the criminals; spam and attempts to fool someone into letting the attackers in; virus payloads which can encrypt the computers; and these are just a few.
The impact can vary – from bringing down a critical service, to stealing data, to demanding a ransom to decrypt files. However, because of the intertwined nature of the financial services industry, if one part is hacked, it can have ripple effects on other parts. For example, if payment processors were victims of a cyberattack, stock exchange transactions would be impacted.
Damage limitation and control
While these techniques are known and understood, it is significantly harder to ensure that all means of access are not vulnerable – particularly as banks’ infrastructures are more complex than ever, and, for many traditional players, suffer from significant silos.
Fortunately, there are techniques to prevent each form of cyberattack, but getting the right preparation in place is key. Firms must consider not only their ability, but the ability of their third-party providers, to withstand cyberattacks.
Another effective tactic is raising staff awareness – including re-running staff ethical phishing campaigns and holding drills to ensure your firm is prepared. For example, in November 2021, the Securities Industry and Financial Markets Association, a trade association, led a global ransomware drill to practise fighting against such attacks, which involved over 240 public and private sector institutions, including financial firms and central banks.
However, in a large, complex IT estate with many staff, as is the case for many banks, it is very difficult to prevent all techniques all the time. Teams looking at cybersecurity, geopolitical risk, and physical security should be working closely together, not in silos – and it’s far better to build communication and cooperation before disaster strikes, rather than in the face of a crisis.
Regulators around the world have recently increased focus on this, introducing new Operational Resilience regulations and recommendations (DORA in the EU for example). And the FCA recommends that firms report material operational incidents to them in a timely way in order to ensure that they can provide specialist expertise and work to minimise harm to consumers, markets and the wider UK financial sector.
Of course, there can be no guarantee of entirely escaping the consequences of the conflict and cyber threats remain a significant risk. However, there are several processes banks and financial institutions can put in place to safeguard themselves against the worst-case scenarios – and in doing so, strengthen the stability of their entire country.