Cyber security is the most prevalent IT risk for banks
Cyber security issues rank highest among risks facing G-SIFIs: how should banks handle this?
Recent attacks on banks
According to two recent KPMG surveys, cyber security issues rank highest among the risks facing G-SIFIs.
These results reflect and confirm the trend over the past two years where three major cyber-attacks on banks became public. Two of the three attacks resulted in financial losses of around USD 100 million and raised discussions about the reliability and security of digital networks used by banks all over the world. The three breaches were committed by exploiting weaknesses of the digital infrastructure and systems that connect banks to the global SWIFT network.
The first attack, against the Ecuadorian Banco del Austro (BDA), was conducted in January 2015 and caused financial losses of USD 12 million. The attack was carried out over a period of 10 days. Investigations demonstrated that the transactions contained anomalies that should have raised suspicions among the bank’s employees for the following reasons: 1) the transfers took place after the bank’s working hours; 2) the beneficiaries were located in unusual locations; and 3) the amounts transferred were large enough to raise flags. The general public learned about the attack only recently, 15 months after it occurred, suggesting that the bank hesitated to disclose the cyber-attack in order to prevent reputational damage – and this would not be unique; it seems that banks generally avoid prompt disclosure of cyber-attacks to preserve their reputations.
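The three anomalies listed above are exactly the kind of indicators a payment-monitoring rule set can check before a message leaves the bank. The following Python is an added example written for this page, not code from the article or from any bank or vendor: it applies the three rules (after-hours sending, beneficiary outside the bank's usual corridors, large amount) to constructed sample transfers and escalates any operator whose credentials sit behind repeated hits, since a campaign run over several days under one stolen login shows up as a cluster rather than a single alert. Business hours, the expected-country set, the amount threshold and every record are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set

# Assumed policy values: a real deployment would take these from the bank's
# own profile of normal activity, not from constants.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
EXPECTED_COUNTRIES = {"EC", "US", "GB"}      # assumed usual beneficiary corridors
LARGE_AMOUNT_USD = 1_000_000                 # assumed "raise a flag" threshold


@dataclass(frozen=True)
class Transfer:
    ref: str                  # message reference
    sent_at: datetime         # local time the instruction was released
    amount_usd: float
    beneficiary_country: str  # ISO 3166 alpha-2 code of the beneficiary bank
    operator: str             # login that authorised the message


def flag_transfer(t: Transfer) -> List[str]:
    """Return the list of rules a single transfer trips (empty if none)."""
    reasons: List[str] = []
    after_hours = not (BUSINESS_START <= t.sent_at.time() < BUSINESS_END)
    weekend = t.sent_at.weekday() >= 5
    if after_hours or weekend:
        reasons.append("outside business hours")
    if t.beneficiary_country not in EXPECTED_COUNTRIES:
        reasons.append("unusual beneficiary location")
    if t.amount_usd >= LARGE_AMOUNT_USD:
        reasons.append("large amount")
    return reasons


def triage(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Map each flagged transfer's reference to the reasons it was flagged."""
    return {t.ref: r for t in transfers if (r := flag_transfer(t))}


def operators_to_escalate(transfers: List[Transfer], min_flagged: int = 2) -> Set[str]:
    """Operators with at least `min_flagged` flagged messages: a possible
    credential compromise rather than an isolated odd payment."""
    counts: Dict[str, int] = {}
    for t in transfers:
        if flag_transfer(t):
            counts[t.operator] = counts.get(t.operator, 0) + 1
    return {op for op, n in counts.items() if n >= min_flagged}


# Constructed sample records (not real transactions). 12 Jan 2015 is a Monday,
# 17 Jan 2015 a Saturday.
SAMPLE = [
    Transfer("T001", datetime(2015, 1, 12, 10, 30), 250_000, "US", "op-alice"),
    Transfer("T002", datetime(2015, 1, 12, 23, 15), 1_500_000, "HK", "op-bob"),
    Transfer("T003", datetime(2015, 1, 14, 2, 5), 900_000, "HK", "op-bob"),
    Transfer("T004", datetime(2015, 1, 17, 11, 0), 50_000, "GB", "op-alice"),
]

if __name__ == "__main__":
    for ref, reasons in triage(SAMPLE).items():
        print(f"{ref}: {', '.join(reasons)}")
    print("escalate operators:", sorted(operators_to_escalate(SAMPLE)))
```

The rules are deliberately simple; the point is that all three indicators are available at release time from fields the bank already holds, and that grouping hits by operator turns a week of individually plausible payments into a visible pattern.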
In December 2015, Vietnam’s Tien Phong Bank (TP Bank) succeeded in halting a cyber-attack in which hackers attempted to use fraudulent SWIFT messages to transfer more than EUR 1 million from TP Bank. The method for this attack differed from the BDA case in that the fraudulent messages were sent not through the bank’s own network but through the infrastructure of an outside vendor that the Vietnamese bank had hired to connect it to the SWIFT messaging system.
In February 2016, a fraudulent transfer of USD 850 million from Bangladesh Central Bank was blocked after SWIFT detected a spelling error in the name of the recipient. However, Bangladesh Central Bank was not able to prevent the entire transfer: the hackers successfully transferred USD 101 million (of the USD 850 million), of which USD 20 million was recovered by the central bank after it identified the heist. To conduct the attack, the hackers created malware that prevented the system responsible for checking monetary transactions from functioning properly. This type of malware is difficult to detect. According to some cyber-security companies, it takes around 146 days for an organization infected with such malware to become aware that its systems are compromised.
In these incidents, all three banks were targeted using similar hacking techniques: unlawfully obtaining valid credentials of SWIFT operators, then initiating transactions by sending fraudulent SWIFT messages on behalf of these operators. With this information, the banking community should be able to prevent further attacks by uncovering new, unforeseen attack patterns.
Among industry participants, including supervisors, banks, and cyber risk specialists, it is agreed that the following key initiatives could improve cyber resilience in the Eurozone:
Real-time alert database
The lack of a sophisticated threat intelligence scheme is one of the key reasons that banks are unaware of an imminent cyber-attack.
The ECB is now requiring banks to submit information on cyber threats on a real-time basis and has been collecting data on significant cyber incidents at 18 of the Eurozone’s biggest banks since February 2016. The aim is to collect information on major cyber incidents that present serious security dangers, allowing the ECB to spot patterns and warn other banks of emerging threats. The ECB’s goal is to set up a database of registered incidents that serves as an early warning and analysis system for banks.
While the project is in a pilot phase, the cyber database is due to be rolled out to the 129 banks that the ECB directly supervises in 2017. The ECB plans also to share the data it collects with other central banks, such as the US Federal Reserve and the Bank of England (BoE), through its regular meetings with fellow regulators.
This measure resonates with KPMG member firms’ cyber security initiatives:
- The KPMG Cyber Trends Index is a public platform that provides a real-time view of the trends and threats in cyber security (cyber.kpmg.com, an initiative of KPMG in the Netherlands).
- KPMG in Italy is a member of the Security and IT Fraud Observatory managed by ABILAB (the technology R&D center for the Italian banking industry, supported by the Italian Banking Association).
- A current engagement is helping a central bank in the Middle East that is planning to build a similar alert database to support its banking sector.
Cyber Stress testing
Currently, many banks do not test the cyber risk of their systems by means of an advanced cyber-attack simulation.
ECB officials are taking a closer look into the BoE’s initiative of stress testing the cyber defenses of the country’s big banks by carrying out “ethical hacking” exercises. Working with US regulators, the BoE has also been carrying out transatlantic cyber exercises to simulate the impact of a large attack on the financial system.
In this respect, KPMG’s experts have developed numerous intrusion tests, controls and frameworks that member firms use in information security audit engagements aimed at identifying security vulnerabilities in a bank’s infrastructure.
Guidelines and best practices
Even though many frameworks and standards, national and/or global requirements and guidelines exist and aim to improve cyber risk management, there are some overlaps, gaps or discrepancies between these requirements.
Significant work is being done in the market toward harmonizing existing guidelines, including:
- The US Federal Financial Institution Examination Council (FFIEC) issued several Information Security booklets to prescribe uniform principles, standards and to make recommendations.
- On 21 June 2013, the Monetary Authority of Singapore issued Technology Risk Management Guidelines (TRMG) to help financial institutions improve oversight of technology risk management and security practices.
- In June 2003, the Hong Kong Monetary Authority issued an additional module of the Supervisory Policy Manual, called “General Principles for Technology Risk Management”. It provides financial institutions with guidance on the general principles they are expected to consider in managing cyber-related risks.
The ECB appears to be working toward harmonizing, defining and publishing Guidelines and Best Practices to promote information security in the banking sector, a move that KPMG strongly promotes and encourages; it is our view that a single European requirement would improve the oversight and management of cyber risk and security practices.