Cybersecurity needs to be a global and coordinated effort
Recent cyberattacks, such as the October 2017 Swift attack, show how vulnerable financial firms across the globe are to the machinations of hackers.
The attack saw Taiwan’s Far Eastern International Bank reportedly lose about $60 million after malware planted on the bank’s servers and a Swift terminal (used for international bank transfers), allowed money to be siphoned off to fraudulent accounts in the US and Asia.
Although most of the funds are now said to have been recovered, it demonstrates how bold hackers are becoming in the tactics they will use.
The very real problem that cybersecurity poses is only going to grow as our lives become increasingly dependent on technology, and systems become more interconnected. By 2020 the number of connected devices – from smartphones and tablets, to autonomous cars and smart home devices – is set to reach 20 billion across the globe, according to research from technology consultancy Gartner. Such an environment creates a plethora of opportunities for hackers to infiltrate and exploit weaknesses.
Financial firms, as operators of critical and global infrastructure, are not only exposed to some of the greatest cybersecurity risks this interconnected environment creates, they are (and must by necessity be) at the forefront of efforts to tackle them. They are key for ensuring financial stability.
Financial firms are taking the risk seriously – but is that enough?
Financial services are ahead of many sectors in terms of their cybersecurity efforts. For instance, PWC’s 2017 Global State of Information Security Survey showed that cybersecurity spending by financial firms has increased by 67% since 2013. Regulators across multiple jurisdictions are also taking an increasing interest in what preventative measures financial firms are taking.
Penetration testing and red team testing, where firms simulate cyberattacks on their own systems in order to identify vulnerabilities, are now standard practice across the industry. It’s a positive step that exercises like these are happening but these efforts can create new challenges.
For instance, how can firms ensure that these complex and costly tests don’t create their own security issues? Simulating an attack creates the risk of accidentally causing a system failure and, while tests are happening, it risks distracting firms from tackling genuine cyberattacks – especially if multiple regulators are asking firms to conduct different tests. In the wrong hands, the results are also effectively a blueprint for how to hack into a bank’s systems and highly sensitive data.
That is why firms and regulators must take a joined-up approach to this issue.
Global and cross sector co-operation is crucial for effectiveness
Firms must have robust and well-considered cyber policies and procedures that cover all aspects of their operations. Regulators must also take a global view on supervision.
Given the fact that financial firms typically operate across multiple jurisdictions, complying with different regulations can create quite a headache. We need to avoid a situation where firms are being pulled in multiple directions in order to fulfil different requirements – this can impact efforts to tackle real and emerging cybersecurity threats. Additionally, there is also a relatively limited pool of experts to help firms with these issues, so they need to be deployed in an effective way.
In 2016, members of the Global Financial Markets Association, an association of three of the world’s leading financial trade associations (including the Association for Financial Markets in Europe, AFME), worked together to create a global framework for how to conduct penetration testing, to help both firms and regulators tackle these issues. The framework establishes key principles and best practice standards, to guide firms on how to approach cybersecurity and also give regulators oversight of the process.
This is a good starting point and discussions are being held at global and at European level to get buy-in from industry, policymakers and regulators. But efforts to share best practice must also stretch beyond financial services.
As our world becomes more interconnected it is vital that knowledge and expertise is shared between different sectors. Taking a siloed approach leaves everyone more vulnerable – a cyberattack on one sector can easily be replicated elsewhere. A good example of a combined effort is the European Cybersecurity Organisation and the public-private partnership it signed last summer. This promising initiative brings together firms from across industries, research institutions as well as policymakers and administrators from European member states to work collectively on cybersecurity, and aims to generate €1.8 billion in cybersecurity investment.
Coordinated efforts like this must be encouraged, and expanded, as we go into the future. Cybersecurity is an issue that requires engagement and pressure from all of us in the industry to ensure best practice is shared and a coherent approach is taken. Cybersecurity is self-evidently a global threat and therefore requires a genuinely global response. It is also an issue that will require constant attention in order to tackle this ever-evolving threat.
By Emmanuel Le Marois, manager of technology and operations, AFME