Cyber crime: The next systemic risk
For the second time in a little under two months, an audacious hack of major institutions spanning vast geographies was executed by cyber criminals. Companies operating in around 64 markets were breached as a result of malware, causing enormous cost and delays to their operations.
Global Head of Securities Services
Recent attacks have been indiscriminate, sophisticated and diverse. A very timely Standard Chartered white paper, “Strengthening responses to cyber crime in Financial Services”, cited figures from Cybersecurity Ventures, which said global annual cyber-crime costs would increase from $3 trillion in 2015 to around $6 trillion by 2021.(1)
Financial institutions look after trillions of dollars in retail and institutional assets, making them ideal targets for cyber criminals. In such a heightened risk environment, cyber security measures must be effective, and implemented rigorously. One of the biggest cyber breaches in history occurred in February 2016, when $81 million was stolen from the Bangladesh Central Bank by cyber criminals, who successfully obtained unauthorized access to Swift and set up fraudulent bank accounts to which funds stolen from the Central Bank were wired. These attacks are not confined to lone hackers, but extend to highly sophisticated criminal, quasi-corporate enterprises who have acquired the technical knowledge and tools inexpensively on the dark net.
Cyber risk in securities services: Be alert
The securities services industry needs to be on top of cyber security otherwise it could face severe consequences, and it is something the delegates at the inaugural Network Forum Annual Meeting in Warsaw were under no illusions about. The Standard Chartered white paper highlighted core cyber risks to securities services including the theft of assets, misappropriation of customer data, data corruption or manipulation, disruption to clearing and settlement, or a DDoS attack on corporate actions which could cause significant delays to transactions. Depositaries are held liable by the Undertakings for Collective Investment in Transferable Securities V (UCITS V) and the Alternative Investment Fund Managers Directive (AIFMD) for assets that go missing in custody, so the cyber security risks associated with asset safety must be prioritized by providers of custody.
The consequences of failing to implement a robust cyber security regime are major, and often lead to monumental losses. For example, a bank could face huge claims from clients in the aftermath of a significant hack or cyber security incident, and it would be practically impossible for organizations to prevent the misuse of leaked information. Recovering stolen files would be an unenviable problem, and it would involve equally massive reputational risk. Even if a firm recovered from the breach and the associated PR fall-out, regulators would scrutinize what went wrong, and this could precipitate civil or criminal proceedings.
With the stakes being so high, an organization’s cyber protection framework has to be excellent. The securities services industry faces several issues which may make it harder to adequately confront cyber risks. The most obvious is that much of the industry still uses legacy technology, which is infused with structural flaws that may prove vulnerable to hackers. But it is not simply ageing infrastructure which is susceptible to attacks. Technologies like blockchain or Artificial Intelligence (AI) are still in the trial stages of their development. The paradox is that while these technologies could be used to mitigate cyber risks, overly hasty adoption of such disruptors could render such organizations more vulnerable to cyber risks, particularly if they do not fully understand the technology.
In the selection of a new service provider, or in their due diligence assessment of their current provider, network managers undertake careful scrutiny of that provider’s risk culture and framework. The lack of a proper cyber security framework, inadequate investment in a robust cyber security infrastructure or complacency on a firm-wide level will not be looked upon kindly. Indeed, cyber health checks are now a constant in network managers’ sub-custodian due diligence questionnaires (DDQs). The Association for Financial Markets in Europe (AFME) DDQ contains an excellent section on cyber security, where it asks about company policy, governance, business continuity, testing, past incidents and track record on prevention. It is crucial banks are up to speed with this. A failure to demonstrate a strong risk culture and up-to-date, frequently tested cyber protection will likely mean any supplier will struggle to win clients.
Effective cyber security infrastructure is only part of the solution. Humans are ultimately the first and last line of defence against cyber crime. Financial institutions – and not just securities services – need to rethink how they engage with staff on cyber matters. Simply sending an email or circular to employees advising them against clicking on unsolicited or suspicious links is hardly sufficient.
A deep-rooted cultural change needs to be executed in the short term. Standard Chartered’s white paper emphasised how important it is that C-level executives engage and communicate regularly with staff on cyber security issues to drive awareness and compliance, and that they embed the risk culture from the top down. This follows a paper by Accenture, which found two-thirds of banking executives did not believe their business unit and cyber security strategies were aligned with the leadership and across the organization.(2) If the C-level is taking the threat seriously, enterprise-wide training that is consistent and meaningful will usually follow. This may see staff undergo simulated hacking exercises, for example. As the white paper articulated, such testing must not be ad hoc or reactive, but regular and documented, and made readily available for future reference.
Hiring practices also need to be revised at banks. Cognitive diversity is an asset, and indeed should be a requirement, in every field and every industry, whereby individuals with different skillsets, experiences and backgrounds provide their own unique insight and consultation towards solving a problem. The cyber world is no exception. However, it remains insufficiently diverse insofar as the individuals in such roles are overwhelmingly male. In Asia-Pacific, just 10% of cyber roles are carried out by women,(3) and this is something that urgently needs to change.
The absence of gender diversity in cyber roles is a problem as it makes it harder to recruit talented, younger or millennial women to those roles. Cognitive diversity will enable cyber security experts to engage better with board directors and senior managers, and this will ultimately help organizations deal with new challenges holistically. It is imperative that further work be done to encourage women to contemplate working in the burgeoning cyber security industry, a point made in the Standard Chartered paper.
Addressing the problem
Securities services is changing, but so are the threats and risks. Cyber crime is a continuously evolving challenge, to the extent that regulators are reluctant to impose prescriptive legislation for fear that it will be out of date by the time it is formally introduced. Adhering to industry-wide standards such as the ISO 27000 series, NIST or CPMI-IOSCO provisions is a positive starting point, as is building excellent cyber security protections and regularly testing them. The human factor, though often overlooked, remains key. Financial institutions would do well to make concerted efforts to address this, and a good way to start is by expanding the cyber talent pool with a view to achieving cognitive diversity.
(1) Morgan, Steve. “2016 Cybercrime Report.” Cybersecurity Ventures, 2016. [Online]
(2) Geyres, Stéphane and Michael Orozco. “Think banking cybersecurity is just a technology issue? Think again.” Accenture, 2016. [Online]
(3) “2017 Global Information Security Workforce Study.” 2017.
About the Author
Margaret is responsible for the strategic leadership of the Securities Services business globally, managing all the business unit functions including Operations, Technology, Client Management, Business Development and Product Management. She also leads the business agenda with Financial Institution clients on a worldwide basis, across cash management, securities services and trade finance.
This material has been prepared by Standard Chartered Bank (SCB), a firm authorised by the United Kingdom’s Prudential Regulation Authority and regulated by the United Kingdom’s Financial Conduct Authority and Prudential Regulation Authority. It is not independent research material. This material has been produced for information and discussion purposes only and does not constitute advice or an invitation or recommendation to enter into any transaction.
© Copyright 2017 Standard Chartered Bank. All rights reserved.