By Tom Gilheany, Product Manager, Learning@Cisco
You don’t have to look far to find examples of cybercrime in the financial services space. For instance, back in January, Lloyds Banking Group was the target of an online attack.
The 48-hour fiasco involved cybercriminals trying to block access to 20 million U.K. accounts. The hackers aimed to do that by running denial of service attacks.
The good news is that no accounts were hacked, and Lloyds did not pay a ransom. The bad news is that the attacks temporarily blocked some customers from logging on, and that we have yet another reminder that the financial services sector must be ever vigilant about cybersecurity.
Indeed, the past year helped illustrate just how at risk we all are.
2016 in cybercrime
There were something like 3,000 publicly disclosed data breaches worldwide in 2016. That exposed about 2.2 billion records.
Yahoo was the subject of the largest hack in history. That moved Verizon to reconsider its offer price for the company.
Distributed denial of service attacks demonstrated how the Internet of Things can be enlisted to do damage to targeted systems.
Cybersecurity was even a theme in the U.S. presidential election.
Ransomware was also center stage in 2016. Yielding high profits to cybercriminals, it’s expected to stay there in the months ahead.
In the first quarter of 2016 alone there was an average of over 4,000 attacks per day, according to Deloitte. That was a 300 percent increase from the 1,000 ransomware attacks per day the prior year.
Fifty-five percent of the financial services firms surveyed by SANS recently said they consider ransomware the biggest threat to their business. And more than 32 percent of financial firms said ransomware attacks have resulted in losses of between $100,000 and $500,000.
The money and reputations at stake from cyberattacks, and the attention these activities are getting in the press, are making this a very high stakes game. So high stakes, in fact, that regulators are expected to play a growing role in it going forward.
Of course, the Cybersecurity Act of 2015 is already in place. That encourages voluntary sharing of cyberthreat information between private entities and the federal government, as well as within agencies of the federal government.
The scope and language of that law are very general, however.
New financial cybersecurity regulations in 2017
Now the incoming administration, which already voiced its interest in cybersecurity during the presidential campaign, has the opportunity to add some meat to these bones. The incoming administration is not expected to be heavy handed with regulations; however, the high-profile subject of cybersecurity could be the exception.
But whoever takes the lead on it, authoring cybersecurity regulation would enable those individuals to make their mark on a high-profile issue that’s getting a whole lot of attention.
We’ve already seen a fair amount of actual movement on this front.
The Group of Seven industrial powers in October agreed on guidelines to protect the global financial sector from cyberattacks. That followed various cross-border bank thefts at the hands of hackers.
“Increasing in sophistication, frequency, and persistence, cyber risks are growing more dangerous and diverse, threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems,” the G7 document notes.
Down under, Australia has developed a national strategy through which government and the private sector are working together to address cybersecurity. Last year it issued a white paper describing major risks and initiatives on this front. And a few years ago it created the Australian Cyber Security Centre, an initiative to make the country’s networks harder to compromise.
Meanwhile, the European Union has approved cybersecurity rules that force businesses to strengthen their defenses. They require banking, energy, and major tech companies to report attacks. And they talk about how EU nations must cooperate on network security matters.
The European Union’s General Data Protection Regulation required four years of negotiation and about 4,000 amendments before being passed, according to Financier Worldwide.
“Financial institutions and service providers to the financial industry process a vast amount of personal data on a daily basis,” notes the article. “Much of the data processed is confidential and sensitive. This means there are increased risks and a likelihood of a focus on this sector by supervisory authorities, which will have new rights to audit and to impose administrative fines. Indeed, the GDPR allows for administrative fines which can amount to a maximum of €20m or 4 percent of the global annual turnover of a company.”
And at least 28 U.S. states last year considered or introduced cybersecurity legislation, according to The National Conference of State Legislatures.
Most of these laws and bills address national infrastructure and governmental agencies. But some of them specifically target the interests of organizations, including financial service organizations.
For example, one of the three cybersecurity bills signed into law in California last year makes it a crime for a person to knowingly introduce ransomware into any computer, computer system, or computer network.
A new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. That council will also coordinate with the general assembly and the judicial branch regarding cybersecurity.
Utah has enacted civil penalties for hackers. And Washington State has established the State Cybercrime Act.
That said, financial services with a stake in cybersecurity and related regulations – which is to say most of them – need to be ready for what’s happening on that front.
Banks that aren’t already involved in the cybersecurity discussion may want to start voicing their opinions and offering a hand on these efforts now, before cybersecurity regulatory decisions are cemented.
Likewise, regulators should include cybersecurity experts in their consultation, to ensure that they fully understand cybersecurity risks and factors, as well as any unintended consequences of regulations written with too broad or too narrow a scope.
At the same time, financial service providers should keep in mind that regulations typically lag technology by three to four years. That means they need to go beyond simply complying with cybersecurity regulations. They need to take additional steps to ensure their organizations are as secure as their risk assessments suggest they need to be.
About Tom Gilheany
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and over a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom holds a CISSP, an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.