The Bank of England’s latest systemic risks report has, for the first time, identified cyber security as the greatest operational risk facing the UK financial system. Drawing on the insight of senior executives from across banks, building societies, hedge funds, asset managers, insurers and other financial institutions, the survey sets out some of the key underlying and emerging risks.
Even with sophisticated systems in place, institutions remain key targets for cyber criminals, as witnessed with the recent large international MasterCard prepaid ATM fraud. Offering startling insight into a world of international organised cybercrime, the $45m fraud highlights the potential risks facing the industry, as criminals abandon traditional bank heists in favour of cyber attacks that are simultaneously more profitable and less risky.
But how well prepared are financial institutions generally, and what lessons have been learned now that cyber criminals have turned their attention to this sector?
If Bank of America Merrill Lynch’s action is anything to go by, banks are taking their battle against cybercrime beyond their own technology infrastructure. According to reports, the bank is carrying out a review of its external law firms, following concerns that such firms could inadvertently offer a route into BAML’s own systems.
More institutions, not just in the US, are likely to follow in the footsteps of Bank of America Merrill Lynch as they broaden their approach to tackling cyber risks. Recognising the challenges of this emerging risk landscape, banks must ensure their focus is clearly centred on prevention and on preparing a response, both within their own organisations and within those of their external partners.
As with any security system, there is no fool-proof way to prevent a cyber attack. However, at the heart of mitigating such risks across the wider internal and partners’ infrastructure is the development of an effective cyber risk response strategy.
Typically, this will start with an audit of IT and physical security systems. In the same way as a financial audit, this should be carried out by an outside team without a stake in the existing IT infrastructure.
The team will determine the organisation’s threat profile and any vulnerabilities. In addition to ensuring that IT security practices are up to industry standard, a thorough security assessment will also identify where sensitive data is stored and whether this can be segmented or further removed from the rest of the IT system. Segmenting data is a key part of good data security. It helps ensure that a breach of one layer of security does not grant access to everything.
A security assessment must also review the weakest link in any security system: the users. Are passwords up to date, or can they be easily guessed or cracked? Do users know not to open attachments to suspicious emails? Are they tested, for example with simulated phishing emails, to see whether they in fact refrain from opening such attachments? Do users know who to call if they accidentally open one?
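One concrete way to answer the "can they be easily guessed or cracked?" question is to run the organisation's own stored password hashes through the kind of rule-based guessing a cracker would use. The script below is an added example, not code from the original article or from Stroz Friedberg: it builds guessable variants (capitalisation, leet substitutions, common suffixes) of a small constructed common-word list, hashes each against a constructed set of salted SHA-256 credentials, and reports which accounts fall. The word list, suffixes, salts and sample accounts are all assumptions made for illustration; a real audit would use a large breached-password corpus and the hash scheme the target system actually uses.

```python
import hashlib

# Constructed sample word list (assumption): a real audit would load a
# large breached-password corpus instead of six words.
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "summer", "london"]

# Substitutions and suffixes modelled on common cracking rule-sets (assumption).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "1!", "2012", "2013"]


def candidates(word):
    """Return the set of guessable variants of one base word."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    return {base + suffix for base in bases for suffix in SUFFIXES}


def hash_pw(salt, password):
    """Salted SHA-256, standing in for whatever the audited system stores."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def audit(accounts, words):
    """Try every candidate against every account.

    accounts: {username: (salt, hexdigest)}
    Returns {username: recovered_password} for accounts whose password was
    guessed; accounts that survive all candidates are absent from the result.
    """
    weak = {}
    for user, (salt, digest) in accounts.items():
        # Also try the username itself, a very common choice.
        for base in [user.lower()] + list(words):
            for cand in sorted(candidates(base)):
                if hash_pw(salt, cand) == digest:
                    weak[user] = cand
                    break
            if user in weak:
                break
    return weak


def build_sample_store():
    """Constructed credential store (assumption) with two weak and one strong password."""
    plaintext = {
        "alice": ("s1", "Summer2013"),                   # capitalised word + year
        "bob":   ("s2", "p@$$w0rd!"),                    # leet word + punctuation
        "carol": ("s3", "correct-horse-battery-staple"),  # not in any rule-set here
    }
    return {u: (salt, hash_pw(salt, pw)) for u, (salt, pw) in plaintext.items()}


def run_sample():
    return audit(build_sample_store(), COMMON_WORDS)


if __name__ == "__main__":
    for user, pw in run_sample().items():
        print(f"WEAK  {user}: recovered '{pw}'")
```

The audit reports `alice` and `bob` as weak and stays silent on `carol`, which is the shape of output an assessor wants: a list of accounts to reset, not a list of rules that were tried. Because the candidates are generated rather than listed, adding one word to the corpus adds dozens of guesses, which is exactly why a "complex" password built from a dictionary word and a year offers little protection.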
Each of these steps may sound obvious, but it is surprising how few organisations actually take the time regularly to step back and ask such questions. A security audit can help identify and rectify these vulnerabilities, thereby reducing the likelihood or severity of an attack.
Response and report strategy preparation:
Even the best preparation cannot prevent all attacks, just as in the case of physical security. Preparing a response strategy that is activated in the event of an attack is therefore an essential part of risk and contingency planning. This must include a specific plan so that valuable time is not lost while the organisation works out who is in charge of the response effort.
We have seen first-hand how the lack of a clear strategy affects an organisation’s ability to respond effectively. In one case, a client had suffered a data breach. While the attack was stopped reasonably swiftly, a bureaucratic morass prevented the bank from quickly determining who was responsible for establishing what had been breached and who needed to be notified. As a result, weeks went by before the bank was able to settle on a plan for determining the scope of the breach.
The importance of preparation cannot be overstated, with a strategic plan and clear responsibilities key factors in successfully dealing with a security incident and the potential regulatory, financial and legal fallout.
For this reason, any organisation should set out, in advance of an incident, the response team’s chain of command. A specific executive should be designated to lead the response team and, where appropriate, their external legal advisers and IT consultants.
In an increasingly complex regulatory and legal environment, the question of whether and when to report a data breach will be a key decision facing the response team. The biggest challenge when contemplating reporting an incident is making sure you really understand what has happened. This needs to be addressed in advance of a breach, so that these questions can be answered as quickly as possible. Without such insight, an organisation may be forced to make an announcement without knowing the detail of what has actually happened, which can greatly exacerbate the public relations problem caused by the breach.
Ideally, stakeholders should be informed first, but this will depend on the number of individual parties involved. For example, if the breach involved customer data, there may be no need to inform all customers, only those affected. However, who is affected may only become clear once the data analysis has been completed. A key challenge is to find the right balance between establishing who has been affected and the need to report as swiftly as possible. This requires the incident team to decide when the investigation is sufficiently complete to report on.
Data breaches take many forms, and the incident strategy must have sufficient flexibility to accommodate a range of scenarios.
Senior executives have a duty to customers, fellow directors, staff and other stakeholders to respond rapidly and appropriately to an incident, keeping in mind that hacking often requires a very different type of response from other sorts of crime. They cannot assume that a cybercrime incident should be treated in the same way as a theft or embezzlement. For most crimes, when an organisation finds itself victimised, it goes to law enforcement to identify and prosecute the perpetrator. For cybercrimes, while law enforcement has a role to play, institutions must direct the investigation themselves and determine whether they have a duty to notify customers, regulators or other stakeholders.
Whether law enforcement can play any meaningful role in the aftermath of a hacking incident is often dictated by the type of incident involved. For example, many incidents are carried out by employees or former employees with a grudge. In such cases, computer forensics will often allow the perpetrator to be identified and located, giving the organisation a range of civil options, including dismissing or suing the individual, and giving law enforcement a wide range of possible criminal actions to pursue.
In contrast, attacks co-ordinated by outsiders present a much steeper challenge. Unlike most crimes, there is typically no physical link between an outside attacker and the victim. The attacker could be thousands of miles away and completely unknown to the victim. For this reason, law enforcement may not be able to provide help.
Even where law enforcement could determine the scope of the incident, there are often serious downsides to allowing them to lead an investigation. To conduct a thorough investigation, forensic experts must secure and review copies of network traffic logs and configurations, and make forensic images of infected computers. This is an intrusive process which could give a law-enforcement-led investigation unlimited access to customer and internal data, including restricted networks. This scenario makes many organisations, especially banks, uneasy, as the scope of the data transfers may not be possible to define at the outset. In my experience, most banks faced with this situation conduct a private investigation before notifying law enforcement.
The financial services industry is facing a significant challenge in developing strategies and tools to successfully tackle cybercrime, where the enemy lacks homogeneity or common goals. Only by developing and regularly reviewing an incident response strategy, which must bring together an institution’s wider ecosystem, will such threats and actual incidents be effectively managed.
Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company. He spearheaded government hacking investigations as a former US Department of Justice prosecutor, before making the move into private consultancy (www.strozfriedberg.com)