Time to collaborate on cybersecurity
Bank robbers have been around since the invention of money, but these days they’ve swapped their masks and guns for a laptop and a bit of software.
But as the criminals have shifted to cyber crime, have banks been able to keep pace?
A spate of breaches and attacks highlights the mounting problems for financial institutions.
Russian security firm Kaspersky Labs recently uncovered an "unprecedented" cyber-attack on up to 100 banks, which could result in $1 billion of losses. Meanwhile, the Financial Conduct Authority was recently warned about a similar cyber security loophole at one of Britain’s biggest banks, the Financial Times reported.
The financial industry needs to face up to these growing threats or we face an “Armageddon-type” attack that would cripple the entire financial system, New York’s financial regulator has warned.
Benjamin Lawsky, New York State’s superintendent of financial services, believes the banking industry faces its very own “cyber 9/11” if more is not done.
“Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy,” he said during a speech at Columbia Law School.
Last year the British Bankers Association (BBA) warned that Financial Institutions (FIs) would face more problems if they failed to take tougher action.
A report from the body said nine in ten (93 per cent) large organisations suffered security breaches in the past year, while seven in ten banking chief executives see cybersecurity as a significant threat to growth.
And while banks are spending hundreds of millions on cyber security each year, the BBA thinks greater collaboration is needed.
“We think there’s a real need for an industry-wide intelligence sharing hub. The industry is fragmented in its response to this,” said Anthony Browne, the BBA’s chief executive. “It’s one of the biggest prudential threats to banking – a major concern at chief executive and chairman level. They are getting attacks regularly.”
In the US, banks are joining forces with leading firms in other sectors to press for legislation that provides legal protection for sharing cyber risks. JPMorgan Chase & Co, Bank of America and American Express were among 32 signatories to a letter urging lawmakers to push ahead with proposals to give companies legal safeguards for sharing threat information.
“Cyber-attacks have accelerated in frequency and sophistication and present a significant risk to our national and economic security,” the letter said. “There is an urgent need for action to help bolster our country’s cybersecurity defences.”
President Obama has urged companies to do more to share information with the government and each other on cyber security, saying "we have to work together like never before".
“Government leaders, industry and cybersecurity experts all agree that neither the government nor industry can solve this problem alone,” the letter states. “Rather, a collaborative approach is required to facilitate the real-time identification, detection and mitigation of emerging cyber threats.”
At the heart of the issues around collaboration and legislation are third-party vendors.
Banks rely on third-party vendors for a broad range of services, and these firms often have access to a financial institution’s information technology systems.
According to Lawsky, this can “provide a backdoor entrance for hackers”.
He adds: “In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.
“As such, we are considering mandating that our FIs receive robust representations and warranties from third-party vendors that those vendors have critical cyber security protections in place.”
In other words, third-party vendors will have to strengthen their own cyber security. Clearly, collaboration on cyber security means all organisations doing their bit, not just the banks.