A regulation to fight cyber risks?

in Advisory, 14.07.2016

Beyond the regulatory requirements for banks, which position shall be adopted when facing cyber risks?

The revision of the FINMA Operational Risk Circular 2008/21 will bindingly and explicitly include cyber Risk in the IT operational risks for banks. As part of this evolution, the banks will have to develop a cyber risk management concept focusing especially around the identification of cyber attacks risks, measures to protect their IT infrastructure and the recovery back to normal course of business after a cyber-incident. This new regulation confronts banks with both a challenge and an opportunity to review and update their defence strategy to tackle these threats.

Nature and origin of cyber-attacks

What embodies cyber-attacks nowadays makes daily headlines in the press. Phishing, denial of service, spoofing, data theft or digital blackmail are everyday concerns for actors in the world of IT security. Despite of a recent increase in the awareness of this type of risk among decision makers and the general public, it seems however that a wide gap still remains between the awareness of stakeholders and the preparedness level of their institutions to deal with such incidents.

Cyber-attacks originate from various backgrounds and differ very little in their genuine causes from traditional offenses. Besides criminal or mafia organizations, we now have to face the terrorist ones which specifically target SCADA systems, hacker activists such as Anonymous, intelligence services of foreign powers and utmost opportunists of all kinds willing to sell or monetize stolen data.

Unsuspected insider threats

In an increasingly globalized and ever-changing environment, knowledge of employees and their backgrounds, both private and professional, proves as crucial as that of its customers or prospects. cybercrime in its current evolution is no longer limited to external threats, which can be adequately contained by strengthening the scope of technical controls and perimeter protection. It extends now to the internal premises of banks by many other means. The image of the medieval castle is essential here to draw a parallel. What is the point of building a rampart and strengthening the gates if felonious guards lower the drawbridge before the attackers?

The increasingly tenuous distinction between private and professional environment for employees increases the risk. The collusion of a disgruntled employee with external players often leads to data exfiltration with unpredictable consequences for the victimized organization. In terms of risks, cybercrime does not belong to the exclusive context of technology and spreads to human resource management or legal framework. In fact, representatives of the different service lines within the financial institution barely communicate among each other and the risk represented by the career life cycle of a malicious employee, role within the bank or his private situation is rarely if ever measured in the long term.

It should be noted here that a human risk, initially discarded when hiring a new employee by a strict process of background checks or security interview, can materialize later during the whole time of his employment with the institution.

Finally, negligence, ingenuity and employee mistakes often contribute to create breaches which cyber attacks perpetrators will be eager to exploit. Only targeted and repeated awareness campaigns will efficiently overcome this latter type of risk related to the human factor.

Challenges for the banking industry in the future

The risks associated with the insider threat frequently correspond to various recent developments in technology which often provide better ergonomics for employees and customers of financial institutions. These include teleworking, intensification in the use of external service providers, Bring Your Own Device (BYOD) policies, data transfer to the cloud or the generalization of e-banking for customers.

In each of these cases, we are witnessing an actual transfer of risk from institutions to external service providers and to devices or infrastructures privately owned by employees or clients. In fact, an infected client’s computer connected to the bank’s infrastructure through an e-banking session, a consultant hired by a third-party institution or an unsecured employee Smartphone now represent so many internalized threats, which can be exploitable in the context of a cyber-attack. The main difference with external threats is that they easily avoid technological and human screening radars put in place by the organization.

Towards a proactive management of cyber risks

As far as planning is concerned, the six dimensions of the standard strategic incident response workflow diagram shown below allows to protect effectively against intrusions and their impact on business performance.

The 6 steps of an incident response process

We value an approach based on a proactive and holistic stance to face cyber risk. The experience actually shows that a reactive defence strategy cannot inherently mitigate a hazardous or adverse event which already occurred.

We consider that this particular risk is now part of IT risk management and an effective solution to cyber risk response shall involve a cross-service and collaborative approach not only within the concerned institutions but also with other financial sector or government stakeholders.

Finally, since the current level of maturity of some institutions is not necessarily in line with cyber risk, it is advisable to put more care when facing the risk of internal threat resulting from the various factors mentioned above. A policy aimed at increasing employee awareness towards cyber risk, rigorous and stringent regular controls of the adequacy between their rights and function as well as the promotion of a strong corporate culture are in our view the best guarantee of a proactive cyber risk management by financial institutions.

 

 

Further information: