For the second time in a little under two months, an audacious hack of major institutions spanning vast geographies was executed by cyber criminals. Companies operating in around 64 markets were breached as a result of malware, causing enormous cost and delays to their operations.
Recent attacks have been indiscriminate, sophisticated and diverse. A very timely Standard Chartered white paper – “Strengthening responses to cyber crime in Financial Services” cited figures from Cybersecurity Ventures, which said global annual cyber-crime costs would increase from $3 trillion in 2015 to around $6 trillion by 2021.1 Financial institutions look after trillions of dollars in retail and institutional assets, making them ideal targets for cyber criminals. In such a heightened risk environment, cyber security measures must be effective, and implemented rigorously.
One of the biggest cyber breaches in history occurred in February 2016, when $81 million was stolen from the Bangladesh Central Bank by cyber criminals, who successfully obtained unauthorized access to Swift and set up fraudulent bank accounts to which funds stolen from the Central Bank were wired. These attacks are not confined to lone hackers, but extend to highly sophisticated criminal, quasi-corporate enterprises who have acquired the technical knowledge and tools inexpensively on the dark net. Cyber risk in securities services: Be alert The securities services industry needs to be on top of cyber security otherwise it could face severe consequences, and it is something the delegates at the inaugural Network Forum Annual Meeting in Warsaw were under no illusions about.
The Standard Chartered white paper highlighted core cyber risks to securities services including the theft of assets, misappropriation of customer data, data corruption or manipulation, disruption to clearing and settlement, or a DDoS attack on corporate actions which could cause significant delays to transactions. Depositaries are held liable by the Undertakings for Collective Investment in Transferable Securities V (UCITS V) and the Alternative Investment Fund Managers Directive (AIFMD) for assets that go missing in custody, so the cyber security risks associated with asset safety must be prioritized by providers of custody.
The consequences of failing to implement a robust cyber security regime are major, and often lead to monumental losses. For example, a bank could face huge claims from clients in the aftermath of a significant hack or cyber security incident, and it would be practically a mission impossible for organizations to prevent the misuse of leaked information. Recovering stolen files would be an unenviable problem, and it would involve equally massive reputational risk.
Even if a firm recovered from the breach and the associated PR fall-out, regulators would scrutinize what went wrong, and this could precipitate civil or criminal proceedings. With the stakes being so high, an organization’s cyber protection framework has to be excellent. The securities services industry faces several issues which may make it harder to adequately confront cyber risks. The most obvious is that much of the industry still uses legacy technology, which is infused with structural flaws that may prove vulnerable to hackers. But it is not simply ageing infrastructure which is susceptible to attacks.
Technologies like blockchain or Artificial Intelligence (AI) are still in the trial stages of their development. The paradox is that while these technologies could be used to mitigate cyber risks, overly hasty adoption of such disruptors could render such organizations more vulnerable to cyber risks, particularly if they do not fully understand the technology. In the selection of a new service provider, or in their due diligence assessment of their current provider, network managers undertake careful scrutiny of that provider’s risk culture and framework. The lack of a proper cyber security framework, inadequate investment in a robust cyber security infrastructure or complacency on a firm-wide level will not be looked upon kindly.
Indeed, cyber health checks are now a constant in network managers’ sub-custodian due diligence questionnaires (DDQs). The Association for Financial Markets in Europe (AFME) DDQ contains an excellent section on cyber security, where it asks about company policy, governance, business continuity, testing, past incidents and track record on prevention. It is crucial banks are up to speed with this. A failure to demonstrate a strong risk culture and up-to-date, frequently tested cyber protection will likely mean any supplier will struggle to win clients. Evolving workforce Effective cyber security infrastructure is only part of the solution. Humans are ultimately the first and last line of defence against cyber crime.
Financial institutions – and not just securities services – need to rethink how they engage with staff on cyber matters. Simply sending an email or circular to employees advising them against clicking on unsolicited or suspicious links is hardly sufficient. A deep-rooted cultural change needs to be executed in the short-term. Standard Chartered’s white paper emphasised how important it is that C-level executives engage and communicate regularly with staff on cyber security issues to drive awareness and compliance, and embedding the risk culture from the top down. This comes following a paper by Accenture, which found two thirds of banking executives did not believe their business unit and cyber security strategies were aligned with the leadership and across the organization.
2 If the C-level is taking the threat seriously, enterprise-wide training that is consistent and meaningful will usually follow. This may see staff undergo simulated hacking exercises, for example. As the white paper articulated, such testing must not be ad hoc or reactive, but regular and documented, and made readily available for future reference. Hiring practices also need to be revised at banks. Cognitive diversity is an asset – indeed, it should be a requirement – in every field and every industry, whereby individuals with different skillsets, experiences and backgrounds provide their own unique insight and consultation towards solving a problem.
The cyber world is no exception. However, it remains un-diverse insofar as the individuals in such roles are overwhelmingly male. In Asia-Pacific, just 10% of cyber-roles are carried out by women3, and this is something that urgently needs to change. The absence of gender diversity in cyber roles is a problem as it makes it harder to recruit talented, younger or millennial women to those roles. Cognitive diversity will enable cyber security experts to engage better with board directors and senior managers, and this will ultimately help organizations deal with new challenges holistically.
It is imperative that further work be done to encourage women to contemplate working in the burgeoning cyber security industry, a point made in the Standard Chartered paper. Addressing the problem Securities services is changing, but so are the threats and risks. Cyber crime is a continuously evolving challenge, to the extent that regulators are reluctant to impose prescriptive legislation for fear that it will be out-of-date by the time it is formally introduced.
Adhering to industry-wide standards such as the ISO 27000, NIST or CPMI-IOSCO provisions is a positive starting point, as is building excellent cyber security protections and regularly testing them. The human factor, though oft overlooked, remains key. Financial institutions would do well to make concerted efforts to address this, and a good way to start is by expanding the cyber talent pool with a view to achieving cognitive diversity.