Barriers to information sharing impact cyber security measures
Sharing of information that could prevent cyber-attacks is being impeded by strict privacy rules and concerns over reputational damage.
Defending against cybercrime continues to be one of the greatest concerns of banks and treasurers alike, but there is much more the industry could be doing in cooperation to reduce the risks.
However, sharing information risks putting banks and corporations on the wrong side of privacy laws.
Stephen Scharf, managing director and chief security officer at DTCC, says: “There is a need to continue working on maintaining the right balance between privacy and sharing information, especially internationally. A number of countries are focused on the privacy of the individual, which is a good thing, but this can sometimes inhibit the ability to share important threat intelligence.”
The issues can be compounded by some countries being particularly reluctant to share data outside their borders. Banks find that hackers can sometimes exploit these rules to their own benefit.
Nadya Hijazi, global head of GTB e-channels delivery and operations at HSBC, says: “From a cybercrime perspective, the level of secrecy can often be frustrating where there is a need to chase and recover financial loss. Funds are often moved through countries where there are language barriers or higher rules on privacy. In these circumstances there can be resistance to sharing information, and we can lose the trail of the funds.”
She adds that the current method of relying on the known partners of a bank will only work to a certain level before becoming stuck.
“From a regulatory perspective, we are starting to see early movement towards targeted regulation on how banks need to take action,” says Hijazi.
“Certainly, the recovery of financial loss at the moment is largely based on the correspondent banking relationship between the banks for information to be passed on and there is a real need to evolve this further to make it harder for these attacks to be successful. We are on the cusp of this change being made, but it is not resolved yet.”
There has been some intervention at a regulatory level. To test for vulnerabilities in the UK, the Bank of England (BoE) developed the CBEST test. It is the BoE that carries out assessments against known threats to spot potential weaknesses, without the banks having to divulge information outside of their own institution.
Hijazi explains: “The CBEST test offers a great way of having an independent review of any vulnerabilities. It is based on intelligence that is available to them and is used to test against the type of attacks they know have happened, and helps determine vulnerability in certain aspects of the bank.”
Companies and banks that have been the victim of attacks are also reluctant to share any details. The fears stem from the risk of oversharing key details of attacks, such as how the hack took place and the extent of damage to customers. Worries over reputational risk and the loss of customer trust are a stumbling block for some companies.
Hijazi says that withholding information is making it easier for the same attacks to happen again.
“The more that is understood of the details of a cyber-attack, the better other organizations can ensure they are not vulnerable to the same attack vector,” she says. “However, due to the fear of further damage to brand value there is a reluctance to share this level of information.”
Lessons to be learned
To overcome this, shared platforms for providing information have emerged, much like those used to combat regulatory issues in other parts of the industry.
Hijazi says there are lessons to be learned from how information has been shared, adding: “If we look at how the anti-money laundering landscape has progressed over the past 20 years, it gives an insight into what we could achieve for cyber security.”
Andrew Davies, vice-president of global market strategy, financial crime risk management at Fiserv, says this approach is working effectively.
“In several jurisdictions, financial institutions are collaborating and sharing information to prevent cybercrime at the industry level,” he says. “Vendors are also working collaboratively with financial institutions to create consortium-based detection approaches and models.
“Such models are proving effective in detecting cybercrime and also in managing the operational impact of analyzing criminal activity, particularly related to transaction monitoring. The success of these models is in large part a consequence of the quantity of the combined data being analyzed.”
HSBC's Hijazi adds that keeping the level of detail on the attack private will help to give some comfort to companies.
“There is a reluctance to share the exact details of an attack and how it happened beyond the high-level details and the nature of the loss whether data or financial,” she says. “By sharing information anonymously, it is not going to damage the reputation of an organization.”
And DTCC's Scharf explains there is often no need for in-depth information to be shared to help with preventing further attacks.
“The majority of the benefits comes from the metadata,” he says. “The signature of the attack is what is needed, not the full details of its nature or what the results of the attack were.”
Davies at Fiserv adds: “We can share effective information and derived inferences based on the data without compromising customer information. For example, tags that are indicative of cybercrime techniques can be shared, known typologies of cybercrime can be shared, and the best way to do this is through national and international repositories.”
Although information sharing would be a notable step forward, this practice is still lagging behind the real-time technology that is already in place. As banking and transactions move to become real-time, the risks are greater if information is only being shared hours or even days after a hack.
Scharf says: “In a perfect world, everyone would share, digest and use the information in real time. We are moving along that curve, but there are still a lot of manual processes in place which need to be automated.”
Davies adds that the industry needs to recognize this change as real-time processes become international.
“The counter-cybercrime technology needs to identify attacks in real-time,” he says. “With the introduction of more real-time payment infrastructures and the ever-increasing pace of global trade, it is imperative that the industry realizes that time is of the essence in detecting cybercrime.
“Fraud attacks leading to funds being stolen from financial institutions may not be recoverable. If an attack is of a sufficient size then there is potential for cybercrime incidents to affect global financial markets.”