At the 2019 edition of Sibos, I joined a panel to talk about cyber security and how to protect customers and society from fraud and cyber crime in a market demanding real-time money flows and greater third-party collaboration.
It was a very interesting discussion with Microsoft's Siân John, J.P.Morgan's JF Legault, Standard Chartered Bank's Cheri McGuire and Jason Oxman from the Information Technology Industry Council, so I thought I'd share a few of my thoughts from it.
I was heartened to see so much collaboration happening and to have two banks speak of the importance of the role played by threat intelligence in helping to target bank activity in this space and bring the industry closer together in data-sharing platforms. An open banking environment and the rise of financial ecosystems make the secure design of such arrangements more complex, but some banks are clearly meeting the challenge head-on and with significant levels of innovation.
This is certainly a very dynamic area of risk for the industry, although in many respects the threat actors have not changed their playbook much. They are still using traditional malware to steal banking details for onward sale for use in fraud. The illegal acquisition and exploitation of personal data is still what's driving the bulk of cyber criminal activity, albeit on a larger scale these days and with more elaborate phishing scams.
What has changed in the last few years is that at the top end of that criminal economy, we have seen more advanced and aggressive activity, using bespoke malware and advanced social engineering to directly target bank transfer payment systems and the networks of other industries as well. The lines between different types of attackers are also blurring. Malicious state actors have increasingly targeted commerce and commercial organisations. We're also seeing threat actors collaborate with state actors as contractors in something of a supply chain.
The good news is that most financial services organisations are very mature in their security control framework. But it's important to continually update those controls to work around new technologies. Siân warned that 'castle and moat' approaches don't always work in modern times and trying to fit the new ways of working into traditional security frameworks can cause issues.
An increasingly connected digital ecosystem with various collaborators and third-party partners is also making it more challenging to ensure security in financial operations. Greater collaboration and ecosystems offer great promise but also pose a challenge for financial institutions, which must ensure systems are secure and speak to one another in a safe way. Cheri explained how Standard Chartered are working with business owners to ensure they are across the various security risks facing their business and the right questions to be asking, and pointed financial organisations to the 'Cyber resilience capacity-building tool box'.
A good example of this is the creation of APIs, which have the potential to offer a back-door into the organisations using them if not done correctly. The panel agreed that third-party security risk assessments need to be real-time and to monitor APIs and the activities of your own third (and fourth and fifth) party collaborators.
We agreed on the panel that information and cyber security is no longer just a tech risk but must be seen as a business risk. So it's also crucial that security is built into any new technology and product development. That said, it's also vital for security teams to understand the business as well: it's a two-way street. JF spoke about how J.P.Morgan Chase's cyber security team hire personnel from across the bank to bring knowledge about the front-line and the business into their work.
The industry is making many strides forward on cyber security. It is good to see the increasing sharing of intelligence and best practice through bodies such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Financial Systemic Analysis and Resilience Center (FSARC) in the USA. However, I believe public-private information sharing needs to go further. What I term an 'architecture of cooperation' needs to be further developed. Privacy legislation such as the GDPR is often held up as a barrier to sharing intelligence, but that should not be the case, given the purpose and reach of most privacy legislation models.
There's no doubt that things are getting increasingly complex, but Cheri also pointed out the risk of spending all resources focusing on the sophisticated threats to the detriment of getting the foundational controls right. Siân backed this up, pointing out that approximately 90% of attacks could be stopped by multi-factor authentication, yet few organisations are using it. It's important to also check the activity that has been blocked, as much can be learnt and identified from that as from the things that get through.
Jason touched on AI, and it was interesting to hear from Siân about how Microsoft are using machine learning to identify an attack and stop it within seconds, allowing people to spend more time on the more complex investigative work. J.P.Morgan also use technology to learn the traits of attackers and identify when new phishing emails arrive. Police forces are using machine learning for similar purposes to identify non-obvious connections between various adversaries as the convergence of cyber fraud and similar criminal activity increases. That means that financial institutions' cyber security teams need to increasingly align with money laundering and fraud teams. Let's also not forget that we need to protect the machine learning and AI from attacks as well.
So, plenty to act on! From a company perspective, I maintain we are all likely to get caught at some point, so being ready to respond is vital. And from an industry perspective, I do think more crisis-simulation and planning is needed, along with further use of data to fight cyber crime. If you are interested in discussing this further, I'd be happy to connect with you.
If you want to watch the panel in full, you can do so on SibosTV.