By Simon Viney, Cyber Security Financial Services Sector Lead at BAE Systems Applied Intelligence
Cybersecurity has always been important in the financial services sector. But, until recently, it’s been articulated mainly in terms of the risk of sensitive data theft, unauthorised access to customer accounts and fraudulent money transfers. What happens when cyber risk escalates to the point where it threatens the very stability of the financial system itself? Such are the fears recently articulated by the European Central Bank (ECB) president, Christine Lagarde.
With the threat of ransomware looming large over modern financial services sector IT systems, she’s right to be concerned. So what can industry players do to better manage this risk?
A liquidity crisis in the making
Speaking at an event in Paris in early February, Lagarde cited European Systemic Risk Board estimates that cyber-attacks could cost anywhere between $45 billion and $654 billion annually.
“As an operator of critical infrastructures, the ECB obviously takes such threats very seriously. But cyber-risk is becoming important for financial stability, too,” she continued. “There are plausible channels through which a cyber-attack could morph into a serious financial crisis. An operational outage that, say, destroys or encrypts the balance accounts of a major financial institution could trigger a liquidity crisis, and history shows that liquidity crises can quickly become systemic crises.”
Her speech highlights an important point: that aside from being the guardians of highly sensitive personal customer data, and the gatekeepers of huge sums of money, banks and other financial firms operate critical infrastructure. That means they are particularly exposed to a rising threat from online extortionists.
It’s a concern echoed by the World Economic Forum (WEF), whose annual Global Risks Report earlier this year ranked cyber-threats among the top 10 risks facing global businesses over the coming decade. Over three-quarters (76%) of respondents predicted that attacks disrupting operations and infrastructure would increase in 2020.
Cyber-criminals are nothing if not opportunists. And they’ve spotted a great way to make money: find a cash-rich business that is critically dependent on IT systems, and then effectively lock it out of those systems by encrypting all of its files. Even those that have a best-practice backup and recovery policy may suffer serious service outages and reputational damage while they restore affected systems. Plus, ransomware authors have started to steal sensitive customer and internal data before encrypting it — adding an extra risk of unauthorised data disclosure if the ransom is not paid.
The challenge is that, as financial services firms close high street branches, invest heavily in new cloud- and mobile-based infrastructure and roll out digital services to meet changing customer demands, two things happen. They become more dependent on IT for business growth and success, and the cyber-attack surface expands, presenting cyber-criminals with more opportunities to strike. Financial firms are also exposed in that most run a blend of legacy platforms and modern digital infrastructure, with an extensive ecosystem of supply chain partners adding further to the complexity. It’s often said that complexity is the enemy of effective cybersecurity.
The threat from the digital supply chain was highlighted recently when a major ransomware attack caused a serious outage at foreign currency giant Travelex, which counts many high street lenders among its partners. Over a month after the company was first struck, these banks were reportedly still unable to offer online foreign currency services, with cashiers in-branch forced back to using pen and paper.
So what can financial services firms do to mitigate the heightened risk of ransomware-related outages? It all boils down to good risk management, IT security best practices and, perhaps most importantly, robust operational resilience planning.
Ransomware can spread via various methods: phishing emails, RDP brute forcing, exploitation of system vulnerabilities, malvertising and drive-by downloads have all been used in previous attacks. Defence-in-depth security practices are, of course, needed. These should include prompt patching of all systems, improved cybersecurity training so that staff can better spot phishing emails, and tighter access controls — secured with multi-factor authentication and operated along “least privilege” lines. Application whitelisting and anti-malware scanning can also reduce the attack surface, while network segmentation will help to minimise the spread of infection.
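One of the spread methods named above, RDP brute forcing, is also one of the easiest to detect in logon telemetry before it turns into an outage. The following is an added example, not code from the author or from BAE Systems: it parses a constructed, simplified one-line-per-event log (Windows event 4625 is a failed logon, 4624 a successful one, logon type 10 is a remote interactive/RDP session), flags any source that fails at least five RDP logons inside a 60-second window, and escalates if the same source then succeeds within that window. The line format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event 4625 = failed logon,
# 4624 = successful logon; logon_type=10 = RemoteInteractive (RDP).
# The one-line-per-event layout is an assumed simplification.
SAMPLE_LOG = """\
2020-02-10T09:00:01 4625 logon_type=10 src=203.0.113.7 user=administrator
2020-02-10T09:00:03 4625 logon_type=10 src=203.0.113.7 user=admin
2020-02-10T09:00:04 4625 logon_type=10 src=203.0.113.7 user=backup
2020-02-10T09:00:06 4625 logon_type=10 src=203.0.113.7 user=svc_sql
2020-02-10T09:00:08 4625 logon_type=10 src=203.0.113.7 user=jsmith
2020-02-10T09:00:09 4625 logon_type=10 src=203.0.113.7 user=guest
2020-02-10T09:00:15 4624 logon_type=10 src=203.0.113.7 user=jsmith
2020-02-10T09:01:00 4625 logon_type=10 src=198.51.100.4 user=jsmith
2020-02-10T09:05:00 4625 logon_type=10 src=198.51.100.4 user=jsmith
2020-02-10T09:30:00 4625 logon_type=2 src=127.0.0.1 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) logon_type=(?P<ltype>\d+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the constructed log lines into dicts; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["event"] = int(d["event"])
        d["ltype"] = int(d["ltype"])
        events.append(d)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return a list of alert tuples.

    A source producing >= threshold failed RDP logons inside a sliding window
    is flagged once as ("rdp_bruteforce", src, failures_in_window). A later
    RDP success from a flagged source within the window is escalated as
    ("rdp_success_after_bruteforce", src, user).
    """
    alerts = []
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    flagged = {}                  # src -> time the brute-force alert fired
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != 10:     # only remote interactive (RDP) logons
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == 4625:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append(("rdp_bruteforce", src, len(q)))
        elif ev["event"] == 4624 and src in flagged and ts - flagged[src] <= window:
            alerts.append(("rdp_success_after_bruteforce", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data the second source (two failures four minutes apart) and the local console logon are correctly ignored, while the first source trips both the brute-force alert and the escalation; the escalated alert is the one worth paging on, since it is the point at which a brute-forced credential becomes a foothold for the ransomware deployment the article describes.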
None of these controls is foolproof. For financial firms, the key is to acknowledge the seriousness of the risk, to have a well-tested incident response plan in place for a worst-case scenario, and to have considered how the firm will ensure the operational resilience of the important business services it provides.
A great deal of work is being done at a regulatory and industry level to improve the resilience of the sector. But that will only be effective once individual organisations also meet their responsibilities.