Regulators: cybersecurity poses biggest risk to global financial system

Last week, the chair of the Securities and Exchange Commission called cybersecurity the biggest risk facing the global financial industry

"Cyber risks can produce far-reaching impacts," said SEC chair Mary Jo White.

For example, cybercriminals recently stole $81 million from a bank in Bangladesh by using Swift, the global money transfer network.

The SEC promises to step up regulation and Swift itself is expected to launch a new cyber security initiative this week that includes independent security audits of its customers. Meanwhile, top finance officials from G-7 nations met in Japan to discuss plans to improve global cybersecurity coordination.

It's a historic moment for global financial cybersecurity, said Tom Kellermann, CEO at Washington, DC-based Strategic Cyber Ventures and former member of the World Bank's security team. A decade ago, he wrote a prescient report for the World Bank outlining potential cyber risks that was ignored by many financial companies.

"They pooh-poohed the reality, that this would never be a widespread problem," he said. "But the criminals have caught up to the worst-case scenario espoused in that report and have operationalized them."

But three aspects of the financial system will make improving security more difficult, experts say. One is that the security of the system as a whole depends on its weakest member, who may be located anywhere in the world. Second, some victims might not even be aware they were hacked. And, finally, the move to real-time processing reduces some of the checks and balances that used to be in place.

Who's the weakest link?

The global financial system is highly interconnected but the level of security varies significantly among the member organizations, said Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyber Risk Services at Deloitte & Touche LLP.

"The bad actors work through the weakest link in that ecosystem," he said. "The institutions that don't have cyber programs up to the level that they should be need to be shored up."

And it's not just financial organizations that are potential targets. These organizations use outside vendors for everything from legal and marketing services to trade processing.

"They often outsource all kinds of activities by giving outside parties a real-time way to access internal systems," said Gary Roboff, senior adviser at Santa Fe Group. "If systems aren't properly segregated, once somebody is in the system, they can access all kinds of data."

Banks, particularly large global banks, typically have the strongest cybersecurity.

But according to a KPMG survey released today, 12 percent of CEOs of large banks didn't know whether they were hacked in the past two years, and neither did 47 percent of vice presidents and managing directors, and 72 percent of senior vice presidents and directors.

This awareness gap makes security less of a priority for the bank as a whole, and creates vulnerabilities, wrote Jitendra Sharma, KPMG’s Advisory Line of Business Leader for Financial Services.

Hacked? Who, me?

For some cybercriminals, a few million dollars is chump change. They've figured out how to make a lot more and not even be noticed.

"If you had the capacity to transfer 10 million out of an account that's one thing," said Kellermann. "But if you understand the position a major brokerage house will take in the market is much more lucrative."

The recent financial recession left many financial experts unemployed, and some of them found a new calling educating cybercriminals about front running and market manipulation.

A criminal who gets into a firm's system and finds trades that are scheduled to occur at a certain time, for example, can get to the market early and make a killing.

The cybercriminals pass the information to investors, who are often overseas. Regulators don't notice, or put the results down to luck, especially because there's no visible connection between the investors and the financial company.

And the victimized firm might never know it was hit, since the only thing that happens is they make less money than they hoped.

"They expected to make a multiple of five, and they only make a multiple of three," he said.

It's hard for a company to make big investments in cybersecurity when there are no visible losses.

"There's an awareness in the criminal community that these private equity firms and hedge funds have weak technology infrastructure," said Kellermann. "And with straight-through processing and transactions happening in real time, it's very difficult to stop yourself from being front-run if you've already allocated the transaction, so this has become a systemic risk issue."

Who's watching the numbers?

Algorithmic trading is another tool that allows Wall Street firms to eke out every penny that they can from every transaction. And those pennies, or even fractions of pennies, add up quickly, so firms are in a race to be the first to make the trade.

Clearing houses and other intermediaries do their best to reduce the processing time to a minimum in order to attract and keep customers, who are also increasingly price sensitive.

"They've been trying to cut costs and automate as much as possible," said Justin Harvey, chief security officer at Fidelis Cybersecurity.

That doesn't leave much time to examine individual transactions, and it might be time to take a step back, he said.

"It doesn't have to be every single transaction, but you'd think that for an $81 million transaction someone would be looking at it," he said. "I know it costs more money, but I don't know of any other institution that would process that large amount of money without a second or third level of scrutiny."
