On the frontline against cyber crime

Regulations, standards, technology development and the implementation of best practices all help mitigate cyber breaches, but they can never eliminate the risk totally. This constantly evolving threat requires new thinking and a new approach. 

The proliferation of tools and expertise is giving rise to new professional, corporate-style cyber-criminal organizations that pose a different threat to anything we have seen before, and to which financial institutions have to be increasingly alert. 

“We have seen an increase in gangs or small criminal cells exchanging cyber attack tools and malware over the dark net. These tools are widely available

and can be acquired cheaply. Historically, criminals viewed cyber attacks as being too hard to perpetrate, but this has changed now that they are able to obtain tools and technical know-how easily and inexpensively. The acumen required to launch cyber attacks today is not that sophisticated,” said Cheri McGuire, Group Chief Information Security Officer at Standard Chartered.

In such an environment, it is inevitable that attacks are on the rise. The Cyber Security Breaches Survey 2016 found that 65% of large UK firms detected a cyber security breach or attack in the previous year. ⁽¹⁾

In the last few months, ransomware and malware has caused enormous business disruption. In May 2017, the UK National Health Service (NHS) was severely disrupted by cyber criminals, while in June 2017 hackers targeted institutions across 64 markets. 

Industry and infrastructure in every sector is affected, and the systemic importance of banks and their fundamental role of being entrusted with customer and institutional assets makes them a primary target for hackers. 

Financial institutions reported just five incidents to the Financial Conduct Authority (FCA) during the whole of 2014, compared to 75 in the first nine months of 2016. ⁽²⁾

Within the industry, the securities services sector received a huge shock following the breach at Bangladesh Central Bank when $81 million was stolen by criminals using the Bank’s credentials to obtain Swift access and established fraudulent bank accounts to receive and transfer misappropriated funds. ⁽³⁾ 

The theft of assets is extremely serious, but a sustained and powerful attack on securities services could bring even greater disruption to capital markets, through data corruption or manipulation; disruption to clearing and settlement; or by flooding the network with spurious instructions preventing clients from instructing their agents. 

Protecting the industry requires close collaboration between financial policy makers, regulators, standards organizations and industry participants.

Cyber threats are fluid and are becoming increasingly advanced and sophisticated. Recognizing this, regulators are wary of introducing prescriptive legislation which will become obsolete within a few years or even in a few months’ time. “Prescriptive regulation will solve yesterday’s problem, but it will not solve tomorrow’s problem,” said Nick Seaver, partner at Deloitte’s UK Information and Technology Risk Group.

Where regulations do apply, they are unlikely to be the same across jurisdictions. Inconsistent or divergent applications of cyber regulation create other problems for global organizations as they must implement different solutions on a per market basis creating complexity and therefore risk. It can also exacerbate the likelihood of criminals identifying weak spots to wreak harm on businesses. 

Many believe that a better approach is the adoption of global standards such as the ISO 27000 series; the National Institute of Standards and Technology (NIST) principles and CPMI IOSCO guidance, with more industry collaboration and sharing of best practices. 

Together with the industry responses, financial firms are building stronger security cultures, developing closer collaboration between in-house information security teams and senior management, to help develop security policies that are both expert and authoritative.  

As part of building a strong cyber awareness, firms have been educating technical and non-technical staff about the risks of phishing and other forms of social engineering for the past few years, and many have a disciplinary framework in place for those who are casual about the risks. 

However, the lack of diversity in cyber teams has given rise to much discussion.  Diversity drives at least two key benefits; helping to improve the quality of our thinking and helping to bring more people into the fight against cyber crime.

With regards to better performing teams, Patrick Wheeler, a leading cyber security consultant, makes the case for more diverse groups as follows: “The cyber realm is usually occupied by males over a certain age with a similar technical background. There is a low degree of diversity and with it, cognitive diversity. Hiring more women with the same background as those males is not necessarily going to change things. It is critical not only more women, but also ethnic minorities and persons with different skill sets and personal backgrounds, are introduced into the world of cyber to grow our cognitive diversity,” 

Diversity is also key to plugging the enormous talent gap in the cyber security industry.Cybersecurity Ventures said there were an estimated one million cyber job openings in 2016 pointing out that 209,000 cyber roles lay unfilled in the US.⁽⁴⁾ Cyber roles at organizations globally are overwhelmingly occupied by males. In APAC, women comprise just 10% of cyber roles, for example. ⁽⁵⁾  The training and recruitment of women who are already working into those roles would open up a new talent pool to help meet urgent demand.

“The cyber security industry is at negative employment and global leaders in the US, UK, India and other nations have talked about the shortages of expertise in this domain. If institutions want to be able to protect and defend their infrastructure, they need to find the right talent. This is a priority agenda item for many CEOs and government leaders,” commented McGuire. 

Educating children at an earlier age about cyber and encouraging interest in science, technology, engineering and mathematics (Stem) subjects is another way to attract more people into cyber roles, and this could help redress the talent dearth both now and in the future.

The rising threat of cyber crime requires organizations to reconsider their operational processes. In the short-term, this will oblige them to improve intra-business unit communications, accelerate industry-wide collaboration and implement diverse hiring practices. A longer-term objective will be to widen the talent pool available for cyber roles by supporting cyber education initiatives to bring diverse new talent into the industry now and in the future. 

^{(1) Klahr, Rebecca, Sophie Amili, Jayesh Navin Shah, Mark Button and Victoria Wang. “Cyber Security Breaches Survey 2016.” GOV.UK, May 2016. [Online]
(2)Cyber attacks against UK financial industry on the rise – FCA.” Financial Times, 21 September 2016. [Online]
(3)“SWIFT action: Preventing the next $100 million bank robbery.” PwC, June 2016. [Online]
(4) Morgan, Steve. “Cybersecurity jobs report.” Cybersecurity Ventures, 2017. [Online]
(5)2017 Global Information Security Workforce Study}  

About the Author 

Margaret Harwood-Jones, Global Head of Securities Services, Standard Chartered. Margaret is responsible for the strategic leadership of the securities services business globally, managing all the business unit functions including operations, technology, client management, business development and product management. She also leads the business agenda with financial institution clients on a worldwide basis, across cash management, securities services and trade finance.