Rising threat and legal risk of customer data loss

From: Risk.net

Miranda Alexander-Webber

The rise in cyberattacks poses a significant danger to the financial services industry, and to its customers. The sector is widely regarded as being the most prepared for such attacks, but continued efforts to improve security may not always prove sufficient. New laws mean that banks will face penalties if failures in security compromise customer data.

Cyberattacks pose a growing threat to all industries. Most at risk is the financial services sector – not only for straightforward theft, but also because it holds sensitive information about clients and customers which is highly sought after by attackers. It is also widely regarded as the best equipped to deal with an attack. Nonetheless, industry experts believe it still has essential improvements to make in order to adequately shore up defences – and governments, fearing that the steps taken by banks to improve defences may be insufficient, are now preparing to sanction organisations with inadequate security measures. Proposed legislation by the EU could come into force within three years.
In December 2012, a series of distributed denial of service (DDoS) attacks against US banks led to a security warning from the US Office of the Comptroller of the Currency (OCC). In the same month, antivirus specialist McAfee released a report stating an impending attack on US financial institutions was a “credible threat”. A co-ordinated series of attacks originating in eastern Europe, McAfee suggests, will selectively target accounts at investment banks, consumer banks, and credit unions. Operational Risk & Regulation highlighted IT sabotage as one of its top 10 operational risks for 2013.
The threats are not solely faced by the financial services industry. A 2012 survey by PwC, for instance, found 93% of large corporations and 76% of small businesses had a cyber security breach in the past year. The cost of a security breach is estimated at £110,000–£250,000 for large businesses in the UK, and £15,000–£30,000 for smaller ones.

Industry experts believe the financial industry is the best prepared for potential attacks since it is the most at threat. “They’ve got valuable assets that people would love to get their hands on,” says George Quigley, partner at accountancy firm BDO. And it is for this reason that they are widely seen as being more prepared than other sectors in terms of cyber security.
The industry nonetheless still has some way to go. Speaking at the World Economic Forum’s presentation of its global risks for 2013, Axel Lehman, chief risk officer at Zurich Insurance Group, acknowledged that responses to cyberattacks were still in their early stages.
“Leading companies in the financial sector and insurance are taking it very seriously, but it will take some time to develop,” he said.
Moving target
The sophistication of attacks is increasing rapidly, and financial institutions face a significant challenge to meet security needs. The threat is constantly evolving, particularly with recent developments in mobile and cloud technology. Various attack tools are even available in the form of downloadable kits, permitting less experienced fraudsters to commit crimes.
“The professionalism of the attackers is getting better and the levels of complexity within any organisation are getting more complicated,” says Frank Coggrave, general manager for Europe, the Middle East and Africa at UK digital forensics company Guidance Software. “The more complicated something is, the more likely there are going to be holes in that environment.”
Nick Seaver, a partner in Deloitte’s information and technology risk group in London, describes the challenge to banks of combating the threat of cyber crime as “like swimming uphill”. He emphasises that financial institutions have to constantly improve their defences, a process which invariably leaves temporary weaknesses.
Cyber security experts warn, however, that as defences are shored up in one area, attackers will move to wherever the next weak spot can be found.
“They’re avoiding the really big players because they know they have a lot more stringent controls,” warns Quigley. Smaller institutions will instead be targeted, he predicts. Larger institutions may be more likely to be attacked because they are well-known, but attackers will also conduct random searches to find vulnerable websites or internet protocol (IP) addresses.
