Cyber crime attacks are now like an overloaded freight train, barreling down the tracks totally out of control. It is not a question of will the crash occur, but only when and where it will take place. Individuals, banks, and their processing partners are all vulnerable in today’s electronic world, where sophisticated software can maliciously penetrate even the most dedicated firewall on the planet. If the threat of a data breach or financial loss were not enough to spur banks into action, then perhaps a dent in their credit rating will.
The credit-rating firm of Standard & Poor’s recently announced that it would soon begin downgrading banks with weak cyber-security controls, regardless of whether they had sustained an attack. Stuart Plesser, a leading analyst with S&P, wrote in the report, “We view weak cyber-security as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades. Cyber defense is a continual battle, particularly as technology evolves. Many tech experts believe that if a hostile nation-state put all its resources into infiltrating a particular bank’s tech system, it would probably prove successful.”
S&P will more than likely be followed with similar positions from the likes of Moody’s and other rating agencies. The concern, outside the potential for financial losses suffered from a data breach, centers on the issue of what is termed reputation risk. If banks are seen more and more in the press as likely targets of successful cyber attacks, then confidence in these public institutions could deteriorate, causing runs on weak and even well protected banks in the community at large. Preserving the public trust in financial institutions is imperative and was the first priority taken when banks failed in 2008.
For these same trust reasons, banks are loath to disclose any cyber attempts directed at their institutions or how many resources are being devoted to thwarting the crooks at the front door. We are left with anecdotal stories passed about by cyber consulting firms or banking insiders. In one case, JP Morgan Chase & Co. customers were exposed to potential financial harm when a data breach compromised over ten thousand accounts. The bank has subsequently invested over $750 million over 2014 and 2015 to prevent any recurrence in the future. In another case, a Russian security firm “uncovered a two-year, billion-dollar theft from banks around the world by a gang of cyber criminals.”
How big is the present problem?
In a previous article, the severity of the cyber-crime threat was revealed — A total of 556 million individuals were impacted in one year for an average direct cash loss of $200, but this figure increased by 50% in 2013. As one expert relates, “Cyber crime can’t be ignored – with data breach headlines appearing daily, it’s well known that computer-related fraud and cyber crimes are significant, growing problems. In fact, a recent Ponemon study found that over the past four years, cyber-crime-related costs have climbed an average of 78%.”
In another study, compiled by Risk Based Security, a leading information technology solutions provider, it was “revealed that there were 904 million records exposed and 1,922 data breaches reported within the first nine months of 2014. This figure has since grown, and several high-profile breaches at companies including Sony and Target highlight why companies should take action before similar breaches become a reality for their organization.” Despite these facts, activity in this area has been underwhelming.
Who is behind these new and ever-present cyber crimes? According to an IBM study, organized criminal groups perpetuate 80% of cyber fraud schemes. With respect to banks, the S&P report states that, “Hostile nation-states, terrorist organizations, criminal groups, activists and, in some cases, company insiders are behind most of the global cyber attacks on banks.” Bankers have read the same headlines and many are now busily ramping up counter-cyber-attack strategies.
The largest banks, which are the largest targets, will typically react first, primarily because they have the extra resources due to their immense revenue base. Small and medium-sized institutions will follow over time. In the meantime, many banking customers, roughly 71% according to IBM, will experience fraud and change their account relationships, as detailed in the graphic shown below:
Why are banks viewed as being easy targets for having weak controls?
Banks are some of the most heavily controlled and regulated business entities on the face of the earth, but, as their global brethren have increased enormously in size and geographical breadth, the ability to manage their affairs effectively has become more and more difficult. Anticipating every form of human error, along with the hostile intents of the criminal element within our society, and then creating a workable solution to protect against the defined threat is becoming more complex with each passing day.
The problems that occur at our major banking institutions can best be illustrated by the travails of Deutsche Bank. As related in a recent article in the press, “Deutsche Bank is already under fire over poor controls. The bank is embroiled in several scandals, including alleged breaching of U.S. sanctions against Iran, Libor rigging and money laundering in Russia.” Today’s headline, however, noted that a forex department employee inadvertently wired $6 billion to a hedge fund client, when a much smaller “net” amount was in order. We tend to hear about rogue traders and such, but in this case, a simple control that required a second person to sign off on the wire failed.
According to crooks of historical lore, banks are targets because that is where the money is, but today’s cyber crooks are much more sophisticated in their approach. In most cases, banking officials never know what hit them until much later in the process. For a large bank with thousands of employees, it only takes malware on one employee’s device to provide the necessary login and password information for a successful penetration into the core system. Once the security breach is discovered, a quick response is necessary in order to mitigate its impact.
What steps are big banks and the government taking to prevent cyber crime?
Banks, asset managers, brokers, and hedge funds have been moving slowly, perhaps, because they have yet to experience a defalcation, which is part of the problem. It is more difficult to protect against something that you have never seen. There have been examples where large, global banks have stepped up their cyber preventative measures. The efforts of JP Morgan Chase were discussed above, but their aggressiveness only happened after an attack on their systems.
Douglas Flint, the chairman of HSBC Holdings, recently announced that the global conglomerate would begin in August to invest over $1 billion “for information technology and cyber security improvements in an effort to streamline operations and also to reduce the size of retail banking operations by 20 percent by shifting customers over to online-only banking operations.” This investment follows an earlier attack on a mortgage subsidiary’s database. Banks like Citibank and Wells Fargo are also taking an indirect approach. Each is investing in cyber security startups that are focusing on various technologies designed to assist banks and counter cyber related threats.
From a government perspective, many agencies on the forefront of law enforcement, like the SEC and the FBI, are publishing guidelines, regulations, and other helpful information on their respective websites. In order to focus attention on the banking threat, the Government Accountability Office (GAO) released a report back in July that stated, “Depository institutions are estimated to have incurred hundreds of millions of dollars in losses from breaches in the systems of their corporate customers that allowed criminals to illegally transfer funds from the customer’s bank accounts, and from frauds perpetrated against their automated teller machines.”
The GAO listed six areas where both banks and regulators could improve their ongoing efforts in the cyber security arena:
1) Many bankers still do not take the cyber security threat seriously. The absence of an attack can blunt efforts. The GAO does admit that banks that can afford in-house support are better off, and that small banks may actually be safer, since they have fewer and less complex systems to secure.
2) Regulators are also behind the learning curve in this area. They may gather data in cyber security departments, but they never analyze it to recommend potential solutions to inherent problems. In the absence of basic knowledge, they do not try to highlight repeating patterns of abuse across institutions.
3) The newness of technology in this arena has forced many banks to depend on third-party technology firms, but regulators do not have the authority to audit the services or the risks inherent in dealing with an outside service provider. At present, these providers could represent high risk potentials.
4) The mobile revolution is upon us, but banks are relatively new to this new wave of technology. Home banking took decades to evolve, but smart phones are sweeping the nation and rapidly leading to new payment technologies at the point of sale. Mobile malware is on the horizon and requires attention.
5) There is a shortage of high-level IT expertise available for examinations of small and medium-sized banking institutions. In past examinations of smaller entities, IT specialists often helped the smaller banks define their cyber security needs, but today’s staff fall short of providing similar expert advice.
6) People under attack are not sharing important details and critical aspects quickly. In the old technology days, when a counterfeit bill passed over a bank’s clearing table, all banks were immediately informed of the threat. In today’s world, reputation and law enforcement concerns delay sharing.
Cyber crime is definitely a fast-growing threat for our banks and related banking institutions. The American Banking Association notes that, “Cyber and data security remain a priority issue for banks. Criminals are constantly searching for creative new ways to obtain money from banks and customers through fraud and cyber security vulnerabilities. And as consumers and businesses rely more on electronic devices such as computers, tablets, and smart phones to bank and shop online, vulnerabilities increase.”
Global banks are at the heart of our foreign exchange system. Many experts view cyber security risk as an iceberg. Above the waterline are the hackers, malware, and valuable data, but lurking in the murky depths are the more difficult issues — suppliers, partners, systems, and insiders. The threat is real and growing at a tremendous pace. Choose your bank and partners wisely and stay ever vigilant on the look out for cyber crooks.