With rumblings about a possible global recession ushering in 2019, prospects for a financial crisis are increased by the very real risk of a cyber attack causing disruption to global financial services. Recent data suggest a high percentage of financial services leaders feel quite confident about their organisation’s cyber resilience: the ability to defend against or recover from adverse events.
That confidence is out of sync with the realities of evolving threats, where ever-more sophisticated malicious actors use advanced phishing and social engineering tactics to expand opportunities for fraud.
Accenture reports that in 2018, “only” 19% of cyber-attacks against financial services firms succeeded. How that translates to high confidence amongst financial service leaders is a little surprising. While the percentage of successful attacks has decreased considerably from previous years, at Glasswall, we’d argue this is not necessarily good news for what lies ahead. One in five threats are still punching through layers of security and tricking users into being part of the attack; and that doesn’t reflect robust cyber resilience.
What lies ahead
The fastest growing cause of successful cyber-attacks is a technique called Fileless Malware, a seemingly unstoppable threat referred to as the future of all malware. Fileless Malware is a document that contains no malicious code and leaves no trace files after causing damage, hence the name. We’ve witnessed it move from 20 percent of all malicious events in 2017 to over 80 percent by the end of 2018.
The urgency of this business risk compels engagement from the senior-most levels of the organisation. However, to date, that’s largely been easier said than done. There is a persistent communication chasm that exists amongst Boards, senior stakeholders and those responsible for implementing cybersecurity. Rightfully, senior-level executives have spent entire careers steeped in the culture, priorities and language of the financial services sector. Their technical understanding is largely given to complex topics: market movements, liquidity transformation, securitization, derivatives and the like.
Cyber speaks an entirely different technical language, one that senior financial executives don’t. Cyber professionals often can’t effectively explain or translate their concerns into a language that the C-level will listen to without sounding like the house is on fire. But given the risks, there must be top-level ownership of the entire business’ cyber wellbeing; such accountability needs to sit with at least one Board member and can no longer be delegated away.
This also requires a fundamental shift in mindset. Cyber resilience is not a project. It is not something delivered and finished to a pre-determined time frame. There is no point at which it is complete. The cyber landscape is fluid, and it will never conveniently fall in line behind your organisation’s objectives and goals.
Therefore it must be actively managed according to the highly dynamic nature of threats. This in turn requires understanding how to record, react and condense reporting cycles, effectively communicating something meaningful upwards, and then ensuring swift communication downwards through the command chain.
To effect that change, creating a direct reporting line from the CISO to the CEO would be a proper start; we see some of our global customers already doing this with good results. What’s more, the cyber resilience team cannot be self-policing. While it’s tempting to treat cyber as an IT issue in an IT domain, it’s really all about business risk.
IT organisations commonly engage in break-and-fix exercises against generic external benchmarks, then report success upwards. We’ve all been there: reporting that ‘x’ industry certification has been achieved to ensure compliance with ‘y’ regulation, but knowing there is still much work to do. While that may be well-intentioned, or perhaps even achieve political or career points, for cyber resilience it’s inadequate proof. It certainly is not enough for leadership to be fully confident; no other department would be allowed such sovereignty given the stakes.
Unfortunately this common disconnect can come back to the communication (and understanding) gap, and may be contributing to leaders’ reported over-confidence. It also reinforces the need to have a savvy and experienced senior-level stakeholder who can see the blind spots, and ensure that the independent third-party assessments needed to build effective cyber resilience are being done objectively and thoroughly.
Investing to protect
Investment is another inescapable reality. The Accenture data show that banking and wealth managers are considerably lagging in new technology adoption; only four in 10 say their organisation is investing in advanced technologies such as artificial intelligence and machine learning.
That would indicate fairly widespread neglect of cyber basics, like hardening the protection of core assets with technology that matches, rather than defeats, the tools attackers are using. If only four in 10 firms are using new technology and one in five attacks are successful, the mathematics show that this doesn’t add up to good cyber resilience, regardless of how optimistic some may feel.
Many will look to meeting standards like ISO 27001 and PCI DSS as proof of resilience. While there are various regulations around the world that help drive best practice, none of the standards commonly used by financial services is truly cutting edge and aligned to the tactics that bad actors increasingly use. You need only look at PCI DSS Requirement 2, which states the need to change default manufacturer passwords; Requirement 7, which states the need to restrict access to cardholder data to only authorised personnel; and Requirement 11, which advises testing security systems and processes “regularly”. Hardly news.
Any savvy and well-informed Board member should regard these as the most basic standards, and push their cyber resilience agenda to achieve much, much more.
As business objectives and risks change, the threats an organisation faces will change along with them. Senior financial services leaders need to clearly and frequently communicate their firms’ business objectives, and highlight the associated business risks, so that CISOs can adaptively work towards proactively managing them.
Beyond worrying about one’s own back yard, a recent Harvard Business Review article explored the ways a cyberattack could cause the next big financial crisis. With cybercrime already imposing a greater than $1 trillion price tag, HBR sees cyber as the biggest threat facing today’s business world, with financial services firms near the top of those being targeted. Even a single successful attack on a bank, fund or the SWIFT messaging system could trigger a chain of intended, or possibly unintended, consequences for infrastructure like ATM networks, payment systems or online banking. Think about the potential results: widespread fear, missed transactional opportunities, corrupted data, disrupted money flows or plain old theft. The system is only as strong as its weakest link.
These serious business risks necessitate preparation, agility, continual innovation and sound investment in forward-thinking technologies and skills by firms across the financial services sector. Today’s leaders must commit to motivating and arming their cyber resilience teams with the budget needed to acquire advanced tools and deploy the resources that will help ensure competitive survival, and protect the interconnected financial systems on which we all rely.
– Paul Mee and Til Schuermann, “How a cyber attack could cause the next financial crisis”, Harvard Business Review, Sept 14, 2018
– Chris DeBrusk and Paul Mee, “Cyber risks that hide in plain sight”, 2018