Laughing All The Way To The Bank: Cybercriminals Targeting U.S. Financial Institutions
The risk of cyberattack on financial services firms cannot be overstated. Cyberattacks cost financial services firms more to address than firms in any other industry at $18 million per firm (vs. $12 million for firms across industries). Financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries. In other words, while the typical American business is attacked 4 million times per year, the typical American financial services firm is attacked a staggering 1 billion times per year.
Although 1 billion times per year is significantly less frequent than the 4 billion times that the U.S. Postal Service was attacked in 2016 (primarily as a backdoor for cybercriminals into the rest of government), 1 billion times per year is still nearly 2,000 attacks per minute or over 30 attacks per second. The rate of breaches, or theft of sensitive data, in the financial services industry has tripled over the past five years.
Among financial services firms, banks lost $16.8 billion to cybercriminals in 2017. Attacks on SWIFT—the leading global network for money and security transfers—alone cost $1.8 billion year-to-date. Costs of cybercrime also include regulatory fines, litigation, additional cybersecurity spending following the breach, the need to respond to negative media coverage, identity theft protection and credit monitoring services for customers affected by the breach, and lost business due to reputational damage. According to Ponemon Institute’s consumer sentiment study, data breaches are among the top three incidents that affect reputation, along with poor customer service and environmental incidents.
It should come as no surprise that the U.S. Treasury views cyberattacks as one of the key threats to U.S. financial stability and that cybersecurity (including data security and consumer protection) is one of the most important sustainability issues for the financial services sector according to multiple environmental, social and governance (ESG) standards-setting, research and ratings organizations. These organizations range from the Sustainability Accounting Standards Board (SASB) to Sustainalytics, and their work affects the allocation of the $23 trillion in AUM being professionally managed under sustainable strategies.
Safeguarding data requires strong cybersecurity. As Sun Tzu explains in The Art of War, security implies defensive tactics.
Gauging The Ramparts
Given the value that breaches destroy, financial institutions are bolstering cybersecurity as executives seek to mitigate the risk of cyberattack. A study of 400 global bank executives found that 71% focus digital investments on cybersecurity. At the same time, cybercriminals are becoming increasingly sophisticated and use a range of tactics. Denial of service attacks, and phishing and social engineering, are the two most costly attack types for financial services firms. A denial of service attack renders a service unusable by overloading its underlying systems. Phishing and social engineering are cyberattacks that manipulate people into giving up confidential information; they are also the most common delivery mechanisms for ransomware, malicious software that denies access to data or threatens to publish it unless a ransom is paid. Security awareness training reduces the percentage of employees who are prone to phishing. 90% of financial institutions reported being targeted by ransomware. Understanding how financial institutions mitigate the risk of denial of service and social engineering attacks, including through employee training, would help investors better gauge risks.
All Guns Blazing: Protecting Critical Data And Infrastructure of Financial Services Firms Through Law Enforcement And Military Relationships And Tactics
Financial institutions would benefit from stronger relationships with specialists in deterring and responding to cyberattacks—those with the authority to hack back, like the military. These relationships are critical because it is illegal in the U.S. for private companies to hack back against their attackers in cyberspace. Gauging the strength of the relationships of particular financial institutions with both law enforcement and the military would help potential investors better assess the risk and potential cost of cyberattack. The former government cyberspies, soldiers and counterintelligence officials that financial services firms have hired onto their security teams have brought to their new jobs relationships with law enforcement and the military, as well as the tools and techniques used for national defense. These tools and techniques include intelligence hubs called fusion units, which coordinate both intelligence-gathering and incident response. Payments firms Visa and Mastercard; large banks Citigroup, Morgan Stanley and Wells Fargo; and regional banks Fifth Third Bank and Bank of the West, inter alia, all have fusion centers to help them better collect, analyze and share data on threats. Citigroup draws on military best practices with its War Games cybersecurity simulation exercise to help the bank prepare for cyber threats.
Be On Guard: Systemic Solutions For Cybersecurity
More broadly than solutions for specific financial services firms, the private, public and nonprofit sectors across the U.S. would benefit from Arizona Representative Ruben Gallego’s proposal of a cybersecurity reservist system. The proposal would allow cybersecurity experts to work for the National Security Agency (NSA) or Department of Defense for a few weeks per year, like a National Guard for digital security. Similarly, House Information Technology Subcommittee GOP Chairman Will Hurd envisioned the cyber national guard offering scholarships for students pursuing cybersecurity-related degrees who would then work in civilian federal agencies for the same duration as their schooling. In addition, the federal government should create more opportunities for seasoned cybersecurity specialists from industry to do a tour of duty in Washington.
Cold Comfort For The Financial Services Stakeholder
Financial services stakeholders can take some solace in the high proportion (80%+) of cyberattacks that are driven by hacktivists, which have a less than 1% success rate, versus the approximately 20% success rate of cybercriminals and the 98% success rate of state-sponsored actors. Nevertheless, cybercriminals’ 20% success rate is high, particularly given their 15%+ of cyberattacks. As cybercrime is one of the fastest growing and most lucrative industries globally, prudent risk management means financial services bolstering cybersecurity and investors increasing their ability to assess cybersecurity equally quickly. As Sun Tzu writes, “to secure ourselves against defeat lies in our own hands.”
Author: Bhakti Mirchandani