
Don’t forget that cyber risk continues to represent an existential crisis for financial services: here’s how to tackle it

By Simon Viney, Cyber Security Financial Services Sector Lead at BAE Systems Applied Intelligence

Cybersecurity has always been important in the financial services sector. But, until recently, it’s been articulated mainly in terms of the risk of sensitive data theft, unauthorised access to customer accounts and fraudulent money transfers. What happens when cyber risk escalates to the point where it threatens the very stability of the financial system itself? Such are the fears recently articulated by the European Central Bank (ECB) president, Christine Lagarde.

With the threat of ransomware looming large over modern financial services sector IT systems, she’s right to be concerned. So what can industry players do to better manage this risk?

A liquidity crisis in the making

Speaking at an event in Paris in early February, Lagarde cited European Systemic Risk Board estimates that cyber-attacks could cost anywhere between $45 billion and $654 billion annually.

“As an operator of critical infrastructures, the ECB obviously takes such threats very seriously. But cyber-risk is becoming important for financial stability, too,” she continued. “There are plausible channels through which a cyber-attack could morph into a serious financial crisis. An operational outage that, say, destroys or encrypts the balance accounts of a major financial institution could trigger a liquidity crisis, and history shows that liquidity crises can quickly become systemic crises.”

Her speech highlights an important point: that aside from being the guardians of highly sensitive personal customer data, and the gatekeepers of huge sums of money, banks and other financial firms operate critical infrastructure. That means they are particularly exposed to a rising threat from online extortionists.

It’s a concern echoed by the World Economic Forum (WEF) whose annual Global Risks Report earlier this year ranked cyber-threats as one of the top 10 biggest risks facing global businesses over the coming decade. Over three-quarters (76%) of respondents predicted that attacks disrupting operations and infrastructure would increase in 2020.

Going digital

Cyber-criminals are nothing if not opportunists. And they’ve spotted a great way to make money: find a cash-rich business that is critically dependent on IT systems, and then effectively lock it out of those systems by encrypting all of its files. Even those that have a best-practice backup and recovery policy may suffer serious service outages and reputational damage while they restore affected systems. Plus, ransomware authors have started to steal sensitive customer and internal data before encrypting it — adding an extra risk of unauthorised data disclosure if the ransom is not paid.

The challenge is that, as financial services firms close high street branches, invest heavily in new cloud- and mobile-based infrastructure and roll out digital services to meet changing customer demands, two things happen. They become more dependent on IT for business growth and success, and the cyber-attack surface expands, presenting cyber-criminals with more opportunities to strike. Financial firms are also exposed in that most run a blend of legacy platforms and modern digital infrastructure, with an extensive ecosystem of supply chain partners adding further to the complexity. It’s often said that complexity is the enemy of effective cybersecurity.

The threat from the digital supply chain was highlighted recently when a major ransomware attack caused a serious outage at foreign currency giant Travelex, which counts many high street lenders among its partners. Over a month after the company was first struck, these banks were reportedly still unable to offer online foreign currency services, with cashiers in-branch forced back to using pen and paper.

Fighting back

So what can financial services firms do to mitigate the heightened risk of ransomware-related outages? It all boils down to good risk management, IT security best practices and, perhaps most importantly, robust operational resilience planning.

Ransomware can spread via various methods: phishing emails, RDP brute forcing, exploitation of system vulnerabilities, malvertising and drive-by downloads have all been used in previous attacks. Defence-in-depth security practices are, of course, needed. These should include prompt patching of all systems, improved cybersecurity training so that staff can better spot phishing emails, and tighter access controls — secured with multi-factor authentication and operated along “least privilege” lines. Application whitelisting and anti-malware scanning can also reduce the attack surface, while network segmentation will help to minimise the spread of infection.
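As an added illustration of the detection side of these controls (example code, not from the article or from BAE Systems), the following Python flags a burst of failed RDP logons from a single source, the pattern behind the RDP brute forcing named above. The log lines, their field layout and the sample addresses are constructed for this example; real Windows Security events carry the same 4625/LogonType 10 semantics but in a different shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines, loosely modelled on Windows Security event 4625
# (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP). Layout is assumed.
SAMPLE_LOG = """\
2020-02-10T09:00:01Z EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2020-02-10T09:00:02Z EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2020-02-10T09:00:03Z EventID=4625 LogonType=10 Account=backup SrcIP=203.0.113.7
2020-02-10T09:00:04Z EventID=4625 LogonType=10 Account=svc_sql SrcIP=203.0.113.7
2020-02-10T09:00:05Z EventID=4625 LogonType=10 Account=guest SrcIP=203.0.113.7
2020-02-10T09:05:00Z EventID=4625 LogonType=10 Account=jsmith SrcIP=198.51.100.4
2020-02-10T09:20:00Z EventID=4625 LogonType=10 Account=jsmith SrcIP=198.51.100.4
2020-02-10T09:21:00Z EventID=4624 LogonType=10 Account=jsmith SrcIP=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)$")

def parse(lines):
    """Yield (timestamp, event_id, logon_type, account, src_ip); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, int(m["eid"]), int(m["lt"]), m["acct"], m["ip"]

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: accounts_tried} for IPs with >= threshold failed RDP
    logons (4625, type 10) inside any sliding window of the given length."""
    failures = defaultdict(list)  # src_ip -> [(timestamp, account)]
    for ts, eid, lt, acct, ip in parse(log_text.splitlines()):
        if eid == 4625 and lt == 10:
            failures[ip].append((ts, acct))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                flagged[ip] = {acct for _, acct in events}
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {ip} failed RDP logons against {sorted(accounts)}")
```

Many distinct account names from one address in a short window is the spraying signature worth alerting on; the isolated failures from the second address stay below the threshold and are not reported.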

None of these controls is foolproof. For financial firms, the key is to acknowledge the seriousness of the risk, have a well-tested incident response plan in place for a worst-case scenario, and have considered how the firm will ensure the operational resilience of the important business services it provides.

A great deal of work is being done at a regulatory and industry level to improve the resilience of the sector. But that will only be effective once individual organisations also meet their responsibilities.