From personal identity theft to attacks on
national infrastructure, cyber crime is a threat to our society. As US
bank robber Willie Sutton Jr. said in 1934, “That’s where the money
is,”1 and this fact makes the financial services industry a prime
target.
To highlight this point, in February 2017, Symantec2 reported that
banks and other financial institutions in more than 30 countries were
targeted in a spate of attacks, potentially by the Lazarus Group, the
organisation credited with the attack on the Bangladesh Central Bank in
February 2016.
Lazarus illustrates to us that cyber crime is not only perpetrated by
lone hackers taking opportunities where they can, but it is often a
business, seeking to maximise value for its stakeholders, either
carrying out attacks directly or selling its expertise to third parties.
Faced with an industry which is developing at pace, law and
regulations around cyber crime lack the harmonisation and coherence to
provide deterrence at scale. Organisations which have been hacked are
often punished for failing to meet the required standard of care, and
the perpetrators frequently escape justice.
However, because there is no one single legal standard of care, firms
that operate across different markets face significant difficulties in
building systems and processes that conform to the rules. Finance is a
connected and global business and the internet is a borderless tool for
attackers. One academic paper even goes so far as to say the current
piecemeal local state laws and regulations governing data theft play
directly into the hands of cyber criminals.3
Nonetheless, the industry is not helpless and firms can do a lot
internally to find solutions to cyber crime. Historically, corporate
technology departments have carried the heavy burden of protecting our
industry, but this is a business problem. It must move from an IT issue
to become an enterprise-wide risk management concern involving all
personnel throughout organisations, from the board down. Every employee has an important role to play in protecting their organisation
and preventing cyber crime.
Firms need to get the basics right as these are the checks which will
help protect organisations against most of the threats. Employees are
the first line of defence, and this should be inclusive across all
branches of the business at every level.
In particular, governance at organisations must become more
comfortable and adept at dealing with cyber risk and information
security professionals. Across enterprises, we need to promote a healthy
security culture, supported by the right tools, policies and procedures
in which we get the basics right to protect our information.
Finally, our approach to cyber team building must adapt, becoming far
more diverse, inclusive and multidisciplinary if we are to remain
secure through the onslaught of cyber attacks that we all face.
By Margaret Harwood-Jones, Global Head, Securities Services, Transaction Banking, Standard Chartered