Cybersecurity is worrying financial risk experts who increasingly fear the havoc that hackers might wreak in bank IT systems.
By Adrian Rollins and David Walker
Still off balance from the 2008 credit crunch, the global financial system is facing up to what could become an even more serious threat – from cyberspace. Across the world, banks, securities markets, funds, retailers and just about anyone with a modicum of funds at their disposal find themselves coming under attack from criminal gangs, activists, rogue employees, commercial rivals and even, it is claimed, state entities.
The scale of the global cybersecurity problem is astounding. PricewaterhouseCoopers estimates there were 42.8 million cybersecurity incidents detected in 2014, up almost 50 per cent from the previous year.
Experts believe this is just a fraction of the attacks that go undetected, and the total cost of cybercrime to the global economy has been estimated by the Australian Securities and Investments Commission (ASIC) at more than US$400 billion a year.
The finance industry takes a disproportionate share of these attacks – 300 per cent more than those in other fields, according to a report by computer security software firm Websense. The Australian Government’s Cyber Security Strategy (PDF), released in April, names banking as one of the “key targets for cyber criminals and malicious state actors”. Prolific US bank robber Willie Sutton is said to have declared he robbed banks “because that’s where the money is”. Cybercriminals are using the same logic.
Software firms such as Websense have an incentive to dramatise the finance cybersecurity threat. This February, though, a real-life drama underlined the potential for systemic damage: hackers removed US$80 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York. To do it, they used the financial system’s own SWIFT network codes.
Watching such exploits, some experts worry the day may come when an even greater cybersecurity catastrophe occurs. The worst scenario would be for a major bank or other financial institution to permanently lose access to some of its own customer balance records. That could put billions of dollars of customer funds at risk in such a way as to ensure no real compensation could be made and no government bailout provided, potentially destabilising the entire global financial system.
Warnings on several levels
Cybersecurity is not some remote threat. Ratings agency Standard & Poor’s warned last year that weak cybersecurity could cause it to downgrade banks’ credit ratings. Former Australian Prudential Regulation Authority chairman John Laker has bemoaned financial regulators’ lack of cybersecurity skills; a 2016 Accenture report noted “the technology gap in financial services boardrooms”.
An ASIC report last year warned that cyber attacks on financial institutions posed a systemic risk, with the potential for serious consequences for the real economy.
Perhaps most tellingly of all, the Reserve Bank of Australia (RBA) – an institution not known for its alarmist rhetoric – has been sounding increasing warnings about the cyber threat.
The most detailed banking cybersecurity warning came last year from Sarah Dahlgren, at the time a key US banking supervisor at the Federal Reserve Bank of New York. In a speech largely devoted to “the things that keep me awake at night”, she put cybersecurity at the top of her list. She warned that the financial sector was “under unprecedented attack from a broad spectrum of intent and attack methods that are complex, widely distributed and increasingly interconnected”.
Dahlgren noted that even experts can’t adequately define the risks, and that those risks were changing over time. She raised the problem that all bank supervisors fear: the risk that a failure in one institution spreads to others in a domino effect that collapses the entire system. She warned that institutions had to not only protect themselves but also plan for recovery on the basis that “it’s not a matter of if we get hacked; it’s a matter of when”.
One of Dahlgren’s concerns was the huge computer programs known as “core banking systems” that sit at the centre of every bank’s dealings. Many of these systems were installed in the 1970s and 1980s, and the past quarter of a century has been one long fight to extend them without breaking them.
Online banking and systems to deal with mobile apps have been mostly bolted on to the banks’ existing creaky structures as technology has advanced. Dahlgren warned that these systems needed “a great deal of clean-up”.
Banco Bilbao Vizcaya Argentaria (BBVA) chairman Francisco Gonzalez, who worked as a software engineer before becoming a banker, has derided the many fixes as “more spaghetti on the spaghetti”. In Australia, only the Commonwealth Bank has removed this spaghetti and replaced its old core IT system. While other bankers look at the costs (perhaps A$5 billion) and risks of an upgrade, old systems grow more complex and more vulnerable to threats.
No-one is immune
Cybersecurity expert Nigel Phair, a former Australian Federal Police officer who heads the University of Canberra’s Centre for Internet Safety, says that although there is widespread awareness of the issue across Australia’s finance sector, the response of organisations is varied.
The Big Four banks, Phair says, “are all over it”, with good board-level understanding of the scale and significance of the threat and ample investment in resources. But he says many smaller institutions and operators are less attuned to the risk.
“You get financial advisers and other companies who do not see themselves as subject to cyber attack,” says Phair. “There is an awareness of how bad it is out there, but are they doing enough? No, nowhere near it.”
This is a problem in the heavily interconnected financial system, because hackers trying to crack into a bank will probe for the weakest link in the network, which could be another bank, a customer or even a vendor.
Damien Manuel, from the Australian Information Security Association, shares Phair’s concerns. He underlines the additional risk from outsourcing vital functions to contractors, who may in turn use subcontractors. With every link in the supply chain, the chances of vulnerability multiply.
The RBA is usually tight-lipped about security breaches. Three years ago, though, it admitted to being a target of cyber attacks, including an incident in 2011 when several employees were targeted in an email scam aimed at installing a “Trojan” program in its computer system.
That incident may have sensitised the RBA to the issue. It also speaks regularly with its overseas counterparts about key global risks – and regulators in many countries share the same set of concerns.
Australia’s regulators are exploring the effects of cyber attacks both on institutions and on markets such as the Australian Securities Exchange. ASIC has warned that the increasing digitisation of securities markets has not only made trading shares easier and cheaper than ever before, but has also made them more susceptible to cyber attack. It notes that more than half of the world’s exchanges have been attacked: hackers have taken the logins of brokers, stolen client identities and impersonated traders to try to manipulate stocks.
It worries that such attacks could “result in widespread mistrust and retreat from markets”.
Stevens ponders trust
In a speech at the end of last year, RBA governor Glenn Stevens predicted that growing awareness of cyber risk would see even more resources thrown into IT security. He also suggested IT security may “need to get as inconvenient as airport security and more costly – a whole new meaning of the term digital disruption”. Even then, he suggested, the security risks of continuing to link us all more tightly into the world’s financial systems might eventually be judged to outweigh the benefits.
“The issue of trust in cyberspace,” said Stevens, “may turn out to be every bit as problematic as that of trust in the financial system.”
Walls come tumbling down
Data encryption and passwords have for a long time been the mainstay of attempts to fend off cyber attacks.
According to some experts, this “perimeter” approach to cybersecurity has had its day.
Mike Gault, founder of cybersecurity firm Guardtime, argues that as networks have expanded, so has their vulnerability, and it is no longer realistic for companies to think they can lock out criminals and hackers. Continue to use encryption and passwords by all means, he says, but don’t expect they will save you.
The Australian Information Security Association’s Damien Manuel says there needs to be a change in mindset away from viewing cybersecurity as simply an IT issue to one involving risk management for the whole organisation.
“The time when the IT department would say, ‘You can’t do that’ is going,” says Manuel. “We are moving into business-aligned security, so the conversation is increasingly, ‘You can do that, the risk of data loss occurring is this and these are the things that we need to put in place to control that risk’.”
Biometix CEO Ted Dunstone says that rather than trying to prevent security breaches, banks are instead using big data and data analysis to monitor transactions and alert customers when they detect usage that seems out of the ordinary. Some of the banks are very proactive in notifying end users.
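As an added illustration of the kind of transaction monitoring Dunstone describes (this is example code written for this article, not any bank's or Biometix's system), the block below builds a per-customer behavioural baseline from past transactions and scores each new transaction against it on amount, country, time of day and short-term velocity. Transactions whose score crosses a threshold become customer alerts carrying the reasons an analyst would want to see. Customer ids, amounts, countries and timestamps are all constructed for the example; the thresholds and weights are arbitrary assumptions, not tuned values.

```python
"""Minimal per-customer transaction anomaly monitor (constructed example)."""
from collections import Counter
from copy import deepcopy
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history per customer: (timestamp, amount in dollars, merchant country).
HISTORY = {
    "cust-001": [
        (datetime(2016, 5, 2, 9, 15), 42.50, "AU"),
        (datetime(2016, 5, 3, 12, 40), 18.00, "AU"),
        (datetime(2016, 5, 4, 18, 5), 120.00, "AU"),
        (datetime(2016, 5, 5, 8, 30), 65.20, "AU"),
        (datetime(2016, 5, 6, 13, 10), 33.00, "AU"),
        (datetime(2016, 5, 7, 19, 45), 88.90, "AU"),
    ],
}

# Constructed incoming transactions: (customer, timestamp, amount, country).
NEW_TXNS = [
    ("cust-001", datetime(2016, 5, 8, 10, 0), 50.00, "AU"),     # ordinary purchase
    ("cust-001", datetime(2016, 5, 8, 3, 20), 2400.00, "RO"),   # large, overnight, new country
]


def build_baseline(txns):
    """Summarise a customer's history into the features the scorer compares against."""
    amounts = [amount for _, amount, _ in txns]
    return {
        "mean_amount": mean(amounts),
        "std_amount": pstdev(amounts) or 1.0,  # flat histories would otherwise divide by zero
        "hours": Counter(ts.hour for ts, _, _ in txns),
        "countries": Counter(country for _, _, country in txns),
        "timestamps": sorted(ts for ts, _, _ in txns),
    }


def score_transaction(baseline, when, amount, country):
    """Return (score, reasons): each rule adds a weight and a human-readable explanation."""
    score, reasons = 0.0, []
    z = (amount - baseline["mean_amount"]) / baseline["std_amount"]
    if z > 3:
        score += 2.0
        reasons.append(f"amount {amount:.2f} is {z:.1f} std devs above the customer mean")
    if country not in baseline["countries"]:
        score += 1.5
        reasons.append(f"first transaction seen from country {country}")
    if when.hour < 6 and when.hour not in baseline["hours"]:
        score += 1.0
        reasons.append(f"overnight transaction at {when.hour:02d}:00, never seen for this customer")
    # Velocity rule: several transactions inside a short window is a common fraud signal.
    window_start = when - timedelta(minutes=10)
    burst = sum(1 for ts in baseline["timestamps"] if window_start <= ts <= when)
    if burst >= 3:
        score += 1.5
        reasons.append(f"{burst} earlier transactions within the last 10 minutes")
    return score, reasons


def monitor(history, new_txns, threshold=2.0):
    """Score each new transaction against its customer's baseline; return alerts to send."""
    alerts = []
    for cust, when, amount, country in new_txns:
        past = history.get(cust, [])
        if not past:
            alerts.append((cust, when, "no transaction history for customer; manual review"))
            continue
        score, reasons = score_transaction(build_baseline(past), when, amount, country)
        if score >= threshold:
            alerts.append((cust, when, "; ".join(reasons)))
        else:
            # Only transactions that looked normal feed back into the baseline, so a
            # fraudulent burst cannot quietly redefine what "normal" means.
            past.append((when, amount, country))
    return alerts


def run_demo():
    """Run the constructed transactions through the monitor without mutating HISTORY."""
    return monitor(deepcopy(HISTORY), NEW_TXNS)


if __name__ == "__main__":
    for cust, when, why in run_demo():
        print(f"ALERT {cust} {when:%Y-%m-%d %H:%M}: {why}")
```

The design point worth noting is the feedback rule in `monitor`: transactions that trigger an alert are held out of the baseline until someone confirms them, otherwise an attacker who ramps up slowly can teach the model that the abnormal is normal.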
Organisations are also looking to make themselves more resilient to attack.
The Reserve Bank of Australia, for example, operates duplicate IT systems. Its Information and Transfer System, used by banks and other financial institutions every day to settle transactions worth hundreds of millions of dollars, has critical infrastructure duplicated in two geographically separate sites, with one closed off from the internet.